Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation Exploit

🗓️ 11 Jan 2018 00:00:00Reported by Google Security ResearchType 
zdt
 zdt🔗 0day.today👁 41 Views

Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation Exploit. Impersonating anonymous token in LPAC ignores WIN://NOAPPALLPKG leading to non-LPAC EoP

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2018-0752
11 Jan 201800:00
circl
CNVD		Microsoft Windows Kernel API Elevation of Privilege Vulnerability
5 Jan 201800:00
cnvd
CVE		CVE-2018-0752
4 Jan 201814:00
cve
Cvelist		CVE-2018-0752
4 Jan 201814:00
cvelist
EUVD		EUVD-2018-1561
4 Jan 201814:00
euvd
EUVD		EUVD-2018-1562
7 Oct 202500:30
euvd
Microsoft KB		January 3, 2018—KB4056888 (OS Build 10586.1356)
9 Jan 201808:00
mskb
Microsoft KB		January 3, 2018—KB4056890 (OS Build 14393.2007)
9 Jan 201808:00
mskb
Microsoft KB		January 3, 2018—KB4056891 (OS Build 15063.850)
9 Jan 201808:00
mskb
Microsoft KB		January 3, 2018—KB4056892 (OS Build 16299.192)
9 Jan 201808:00
mskb
Rows per page
Windows: NtImpersonateAnonymousToken LPAC to Non-LPAC EoP
Platform: Windows 10 1703 and 1709 (not tested Windows 8.x)
Class: Elevation of Privilege
 
Summary:
When impersonating the anonymous token in an LPAC the WIN://NOAPPALLPKG security attribute is ignored  leading to impersonating a non-LPAC token leading to EoP.
 
Description:
 
When running in LPAC the WIN://NOAPPALLPKG attribute is used to block the default use of the ALL APPLICATION PACKAGES sid. When impersonating the anonymous token this attribute isn't forwarded on to the new token in SepGetAnonymousToken. This results in being able to impersonate a "normal" AC anonymous token which could result in getting more access to the system (such as anything which is marked as ANONYMOUS LOGON and ALL APPLICATION PACKAGES but not ALL RESTRICTED APPLICATION PACKAGES or a specific capability SID). 
 
Proof of Concept:
 
I’ve provided a PoC as a C# project. The PoC will respawn itself as the Microsoft Edge LPAC and then execute the exploit. 
 
1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work. Ensure the main executable and DLLs are in a user writable location (this is needed to tweak the file permissions for AC).
2) Execute the PoC as normal user
3) Once complete a dialog should appear indicating the operation is a success.
 
Expected Result:
The anonymous token is an LPAC.
 
Observed Result:
The anonymous token is a normal AC.
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43516.zip

#  0day.today [2018-03-19]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Jan 2018 00:00Current
7.2High risk
Vulners AI Score7.2
EPSS0.0386
microsoft windowsimpersonationlpacwin://noappallpkgprivilege escalationelevation of privilegentimpersonateanonymoustokenexploitanonymous logonall application packagesproof of concept
41