[NT] Microsoft Windows Improper Token Validation

• Previous message: SecuriTeam: "[EXPL] Windows LSASS Exploit Code (MS04-044)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 11 Jan 2005 13:10:58 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Microsoft Windows Improper Token Validation
------------------------------------------------------------------------

SUMMARY

A local privilege elevation vulnerability exists on the Windows operating
systems' Access Token validation mechanism. This vulnerability allows any
user to take complete control over the system and affects Windows 2000,
Windows XP, and Windows 2003 (all service packs).

DETAILS

According to MSDN:
"An access token is an object that describes the security context of a
process or thread. The information in a token includes the identity and
privileges of the user account associated with the process or thread. When
a user logs on, the system verifies the user's password by comparing it
with information stored in a security database. If the password is
authenticated, the system produces an access token. Every process executed
on behalf of this user has a copy of this access token.

The system uses an access token to identify the user when a thread
interacts with a securable object or tries to perform a system task that
requires privileges. Access tokens contain the following information:

 - The security identifier (SID) for the user's account
 - SIDs for the groups of which the user is a member
 - A logon SID that identifies the current logon session
 - A list of the privileges held by either the user or the user's groups
 - An owner SID
 - The SID for the primary group
 - The default DACL that the system uses when the user creates a securable
object without specifying a security descriptor
 - The source of the access token
 - Whether the token is a primary or impersonation token
 - An optional list of restricting SIDs
 - Current impersonation levels
 - Other statistics

Every process has a primary token that describes the security context of
the user account associated with the process. By default, the system uses
the primary token when a thread of the process interacts with a securable
object. Moreover, a thread can impersonate a client account. Impersonation
allows the thread to interact with securable objects using the client's
security context. A thread that is impersonating a client has both a
primary token and an impersonation token."

Microsoft introduced a new user right called "Impersonate a client after
authentication" in Windows 2000 SP4, Windows 2003, and Windows XP SP2.
This right allows or limits the processes ran by a user from being able to
impersonate. For instance, if a process thread running in the security
context of a user without proper rights tries to impersonate, then it gets
an Identity Token instead of an Impersonation Token. An Identity Token
only identifies the user account under which the target process is running
and can not be used for impersonation. An Identity Token can also be
retrieved by a thread in order to identify the user account under which a
process is running. Under certain circumstances this Identity Token can be
used to impersonate any process thread running under any user account.

The attack vector identified is to impersonate a victim using Identity
Tokens to access network shares using UNC. For instance, after a thread
gets an Identity Token for the Local System account or an administrative
account, the token can be used to impersonate and access administrative
shares such as \\computername\c$ and to replace system files such as .exe,
dll, etc... This allows an attacker to elevate privileges or to read
arbitrary files bypassing permissions. Also, network shares on other
computers can be accessed in the same way. For instance, user JohnDoe's
Identity Token can access \\remotepc\someshare\ for which the user JohnDoe
has permissions but the attacker does not. The attack succeeds because
apparently that user's credentials are cached by the LSASS (Local Security
Authority Subsystem Service) after successfully authenticating to a
network share by standard methods. Then when the share is accessed again,
the LSASS assumes an Identity Token is an Impersonation token and uses the
cached credentials to authenticate.

This vulnerability is critical for servers using Terminal Services (or
Citrix) because a user could impersonate any other user to access network
shares.

Links:
 
<http://msdn.microsoft.com/library/en-us/secauthz/security/client_impersonation.asp> http://msdn.microsoft.comlibrary/en-us/secauthz/security/client_impersonation.asp
 
<http://msdn.microsoft.com/library/en-us/secauthz/security/access_tokens.asp> http://msdn.microsoft.comlibrary/en-us/secauthz/security/access_tokens.asp
 <http://support.microsoft.com/kb/821546/en-us>
http://support.microsoft.com/kb/821546/en-us
 
<http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/647.asp> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/647.asp

Solution:
See solution provided at:
<http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx>
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx

ADDITIONAL INFORMATION

The information has been provided by <mailto:vrathod@appsecinc.com> Team
SHATTER (Application Security, Inc.).
The original article can be found at:
<http://www.appsecinc.com/resources/alerts/general/06-0001.html>
http://www.appsecinc.com/resources/alerts/general/06-0001.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[EXPL] Windows LSASS Exploit Code (MS04-044)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]