Comments on No More Root: Token Kidnapping Windows 2003 PoC exploit

Netxfocus (2008-10-08):
Good, now to check it.

Cl@rity_533k4 (2008-10-09):
Nice one.
Btw, just a small note... It's "Information security" and not "Information secuirty".

Cesar Cerrudo (2008-10-09):
Thanks Cl@rity_533k4, typo fixed now.

S. Hamid Kashfi (2008-10-11):
Hi Cesar

So you've finally decided to publish the PoC publicly. I've not seen a fix for this from Microsoft since the first disclosure of such attacks, yours being the most noisy one. All I see are temporary workarounds or advice on what to do. The problem with such critical flaws is that not all sysadmins follow security lists or check the latest KB articles published by Microsoft, so after such a long time I've not yet seen any major change in configurations, which means tens of thousands of vulnerable systems.
Any news from the MS side about this case?

Cesar Cerrudo (2008-10-12):
Hi Hamid

I haven't had news from MS about these issues; I don't know when they are going to fix them.
I don't think this is a critical flaw. Basically it's an easy way of elevating privileges when you have impersonation rights, but without this exploit it's still possible to elevate privileges in certain circumstances just using regular functionality, i.e. an administrator authenticates to a service or to IIS and is then impersonated.

3l51k4n0 (2008-10-13):
Hi,

I've tried to compile churrasco.exe but I've got the following error:

1>Linking...
1>Churrasco.obj : error LNK2019: unresolved external symbol _DtcGetTransactionManagerExA referenced in function "int __cdecl InvokeMSDTC(void)" (?InvokeMSDTC@@YAHXZ)
1>Release/Churrasco.exe : fatal error LNK1120: 1 unresolved externals

I'm using VC++ Express 2008 from MS on an XP machine.
Any advice?

Cesar Cerrudo (2008-10-13):
3l51k4n0, I tried with VC++ Express 2008 and it works fine.
Maybe you are getting some problems with the conversion, since it's a Visual Studio 2003 project, but I converted it with the defaults and it works.

Unknown (2008-11-06):
Having trouble producing the expected output; I started with an out-of-the-box Win2K3 Standard Edition SP0 install for my initial conditions. Launched from a LOCAL SERVICE (S-1-5-19) service shell; here are the groups and privileges of the parent process token:

Token SIDs: (10)
 S-1-5-19 = 0x00000000
 S-1-5-19 = 0x00000007 = SE_GROUP_MANDATORY+SE_GROUP_ENABLED_BY_DEFAULT+SE_GROUP_ENABLED
 S-1-1-0 = 0x00000007 = SE_GROUP_MANDATORY+SE_GROUP_ENABLED_BY_DEFAULT+SE_GROUP_ENABLED
 S-1-5-32-545 = 0x00000007 = SE_GROUP_MANDATORY+SE_GROUP_ENABLED_BY_DEFAULT+SE_GROUP_ENABLED
 S-1-5-6 = 0x00000007 = SE_GROUP_MANDATORY+SE_GROUP_ENABLED_BY_DEFAULT+SE_GROUP_ENABLED
 S-1-5-11 = 0x00000007 = SE_GROUP_MANDATORY+SE_GROUP_ENABLED_BY_DEFAULT+SE_GROUP_ENABLED
 S-1-5-15 = 0x00000007 = SE_GROUP_MANDATORY+SE_GROUP_ENABLED_BY_DEFAULT+SE_GROUP_ENABLED
 S-1-2-0 = 0x00000007 = SE_GROUP_MANDATORY+SE_GROUP_ENABLED_BY_DEFAULT+SE_GROUP_ENABLED
 S-1-5-5-0-1368877 = 0xc0000007 = SE_GROUP_MANDATORY+SE_GROUP_ENABLED_BY_DEFAULT+SE_GROUP_ENABLED+SE_GROUP_LOGON_ID
 S-1-5-32-545 = 0x00000007 = SE_GROUP_MANDATORY+SE_GROUP_ENABLED_BY_DEFAULT+SE_GROUP_ENABLED

Token privileges: (6)
 SeAuditPrivilege = 0x00000000
 SeIncreaseQuotaPrivilege = 0x00000000
 SeAssignPrimaryTokenPrivilege = 0x00000000
 SeChangeNotifyPrivilege = 0x00000003 = SE_PRIVILEGE_ENABLED_BY_DEFAULT+SE_PRIVILEGE_ENABLED
 SeImpersonatePrivilege = 0x00000003 = SE_PRIVILEGE_ENABLED_BY_DEFAULT+SE_PRIVILEGE_ENABLED
 SeCreateGlobalPrivilege = 0x00000003 = SE_PRIVILEGE_ENABLED_BY_DEFAULT+SE_PRIVILEGE_ENABLED

Didn't capture the stdout pipe, but the next step is to modify the output to see what's happening.

FWIW, the MSDTC tokens I'm seeing in the caller's process space are Identity level.

What am I screwing up?

Thanks.

Cesar Cerrudo (2008-11-13 05:39):
Philip, the privileges on the process are fine, so you should always get an impersonation token from MSDTC. Try running the process under the NETWORK SERVICE account or another account with impersonation rights to see if that works for you, but it should work with any account with impersonation rights.

Cesar Cerrudo (2008-11-13 05:48):
I'm sorry, but I can't answer questions about compilation problems since I don't have enough time to go and try to reproduce your problems, find a possible solution, etc. Please compile with Visual Studio 2003 to avoid problems.
Thanks.

Unknown (2008-11-13 14:12):
Thanks for the feedback, Cesar.

While waiting for your reply, I ended up doing a lot of research on this, which was very informative.

I found what I was screwing up: in the original Windows 2003, as with the original Windows XP release (and XP SP1), the RPCSS service runs as SYSTEM (S-1-5-18), not NETWORK SERVICE (S-1-5-19). So I was testing on the wrong versions of Windows.

Once I tested on Windows 2003 SP1, I was able to reproduce your findings. It took me a little while to realize what I did wrong, but it was fun and educational to test this out. I was also able to verify the same MSDTC behavior on XP Service Pack 2 using my own code.

Anonymous (2009-04-15):
http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx