A researcher has exposed how attackers with local admin privileges could use native command-line Windows tools to hijack other users’ sessions without credentials.
Researcher Alexander Korznikov on Friday published a report in which he describes how he could, locally and remotely via Remote Desktop Protocol (RDP), access other users’ sessions—even sessions that have been disconnected for some time—with one command.
Korznikov said an attacker could access domain admin sessions, read documents, and access systems, cloud domains or applications (email, Notepad, others) that the user has previously logged in to. He said he tested his attack on Windows 2012 and Windows 2008 servers, as well as Windows 10 and Windows 7 and all that is required is the NT AUTHORITY/SYSTEM command line, or to create a service that will connect a session back to the attacker’s.
“Someone can say, ‘If you are admin, you can dump a server’s memory and parse it.’ That’s correct, but you don’t need it any more,” Korznikov told Threatpost. “Just two simple commands and you are in. The most incredible thing is that I don’t need to know the credentials of the hijacked user. It is pure password-less hijacking.”
Researcher Kevin Beaumont, meanwhile, published a separate report essentially confirming Korznikov’s work adding that by running the tscon.exe command as the SYSTEM user, an attacker could also connect to any session without a password.
“It doesn’t prompt, it just connects you to the user’s desktop. I believe this is due to the way session shadowing was implemented in Microsoft Windows, and it runs throughout the years like this,” Beaumont wrote.
Beaumont said that his and Korznikov’s research could bypass the work required to dump server memory and parse for passwords; this provides instant access to the target’s desktop without leaving artifacts in a log or needing to use external tools such as Metaspoit.
“This isn’t about SYSTEM — this is about what you can do with it very quickly, and quietly. Attackers aren’t interested in playing, they’re interested in what they can do with techniques. This is a very valid technique,” Beaumont wrote. “So, you have full blown RDP session hijacking, with a single command.”
Korznikov said he confirmed with Benjamin Delpy, who six years ago disclosed similar findings, that this was a Windows feature and not a vulnerability, but that does not discount the attack value of the situation, he said. Microsoft, for its part, is unlikely to patch this.
“The issue described in the report is not a security vulnerability as it requires local administrator rights on the machine,” a Microsoft spokesperson told Threatpost.
Korznikov said he did not disclose his findings to Microsoft prior to publication of his report last week because it was a design flow issue, out of scope for its bug bounties, and that he did not want to wait “six months until resolution for a CVE.”
“If you are admin, you can do everything. But here is the point: why and how you become admin? If some unprivileged user becomes admin using some kind of local privilege escalation, that’s the problem—and not the design flow—we are talking about,” Korznikov said. “You can do everything, even patch terminal services in a way that it will accept your token and allow shadowing mode, without a user’s knowledge.”