Hijack a privileged Windows user session without password: critical 0-Day or dumb feature?

Using just Task manager and the command line!

The security researcher Alexander Korznikov has recently published an article that explain how a local privileged user can hijack the session of any logged-in Windows user who has higher privileges without knowing that user’s password, simply using built-in command line tools:

Recently i’ve played with sethc/utilman logon screen backdoors, and almost everytime i used just command line.
Occasionally i’ve looked at Users tab in Task Manager (taskmgr.exe), and clicked connect button, and surprisingly i’ve got connected to selected user’s session.

This trick works on almost all versions of Windows operating system and does not require any special privileges, only physical access to the targeted machine but using Remote Desktop Protocol session on a hacked machine the attack can be performed also remotely.

Korznikov calls the attack a “privilege escalation and session hijacking”, and is unable to figure out if it is a Windows feature or a security flaw.

Remarks

– You must have Full Control access permission or Connect special access permission to connect to another session.
– The
/dest:<SessionName> parameter allows you to connect the session of another user to a different session.
– If you do not specify a password in the <Password> parameter, and the target session belongs to a user other than the current one,
tscon fails (not really).


The video demonstration

Korznikov has also provided a brief video PoC of a successful session hijacking: he uses simply Task manager and the command line:


For more technical details…

…please refer to Alexander’s site:

http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html

Comments