The Weakness of Windows Impersonation Model



The Weakness of Windows Impersonation Model
<http://www.gentlesecurity.com/04302006.html>

Summary

1. Network Service account’s context is elevated to LocalSystem.
2. A context of MS SQL service running as unique user account is
elevated up to LocalSystem.
3. Any service’s context could be elevated to LocalSystem

There is an immanent risk to run network services as privileged
account, e.g. LocalSystem or Administrator. The threat is widely
accepted and recognized. However, most are not aware that nearly the
same risk is present for a service configured to run on behalf of
non-privileged account such as Network Service, Local Service or
unique user.


Technical Details

Security implications of impersonation are not new, but are not widely
recognized and understood. By definition, impersonation allows a
server application to replace (impersonate) its security context
(credentials) by context of client. In general, impersonation assumes
a server reduces its privileges but it also imposes a threat of
unauthorized privilege elevation.

The attack scenario is well known and understood. An attacker
terminates, pauses or crashes a privileged server application and
starts its own one with the same interface. It receives requests from
privileged client and impersonate. There were number of attacks
reported that have used this approach with named pipes [1, 2, 3].
However, the scope is not limited to named pipes. Any communication
channel that supports impersonation can be hijacked for privilege
elevation purposes, including LPC, RPC, DDE, COM, etc. Named pipe
interfaces are merely less opaque and easier to discover and exploit.

Provided threat of impersonation led to creating of a separate
privilege – “Impersonate a client after authentication”. Therefore,
since Windows XP only LocalSystem, Administrators and services have
this privilege by default [4] and can impersonate to client’s
credentials. Regular users are not able to exploit impersonation
anymore, but services (special processes managed by Service Control
Manager) still can. The risk of services run as LocalSystem and
Administrators is recognized, however the threat of other accounts
used to run services is underestimated. Network Service, Local Service
and even unique user accounts used to run a service still allow
privilege elevation for intruder who successfully attacked a service.

There are two attack scenarios:
1) If a service does not impersonate highly privileged clients then an
attacker who breaks into such service can simulate communication
interface used by privileged services.
2) If a service happen to impersonate highly privileged clients then
attacker’s task is easier, he needs just catch up privileged client
context during impersonation.

Windows XP and Windows 2003 use Network Service account to run
critical services such as Remote Procedure Call (RPC), which
impersonate privileged clients. As result, the second attack scenario
is possible to elevate a Network Service context to LocalSystem.
Additionally, Microsoft SQL Server 2000 service context is elevated
from unique user to LocalSystem. GentleSecurity provides demo tools
exercising the privilege elevation as part of GeSWall’s evaluation procedure.

M. Howard and D. LeBlanc partly admit the risk of Network/Local
Service [4], quotation: “Like LocalSystem, it has the benefit of
changing its own password (because it is basically a stripped-down
version of the LocalSystem account). One drawback to using this
account is the fact that several services use this account. If your
service gets breached, other services might also be breached.”
However, impersonation threat is not mentioned. Besides this note, we
did not find any warning about using these accounts.


Conclusions

It must be clearly admitted and well understood that under certain
circumstances any service account context can be used by attacker to
elevate privileges. Therefore, actual move from LocalSystem to Network
Service, Local Service and unique user accounts does not mitigate the
risk in general. Unprivileged accounts for services do not reduce
privileges and the attack surface as advertised. A service implies the
threat of using high privileges, regardless account used.


Solution

GesWall’s access control policy prevents privilege elevation attacks
as well as isolates privileged services precluding intrusions into the
rest of system.

Credits

Special thanks to 3APA3A for the help in the issue research.


References

[1] @Stake. Named Pipe Filename Local Privilege Escalation.
http://www.securiteam.com/windowsntfocus/5BP012KAKI.html
[2] Maceo. Named Pipe Filename Local Privilege Escalation Exploit.
http://www.securityfocus.com/archive/1/329197
[3] Georgi Guninski. Elevation of privileges with debug registers on
Win2K. http://www.guninski.com/dr07.html
[4] M. Howard, D. LeBlanc. “Writing Secure Code”, Second Edition.


Vendor Status

The issue reported to Microsoft on April 30, 2006.


Copyright 2005-2006 © GentleSecurity S.a.r.l.
http://www.gentlesecurity.com
Permission granted to redistribute this paper unedited in electronic
form. No part of this paper may be reproduced, transmitted, or
translated in any form except electronic without the prior written
permission of GentleSecurity.
Information in this paper may change without notice and does not
represent a commitment on the part of GentleSecurity.