[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access Using Hidden Regular User Masquerading After Compromise (2010-M$-001)



To all,

The reason I wrote this article was not to explain how to create a hidden 
user account.  I wrote the article to show you that you can modify the SAM 
in real time in a way that is undetectable by ANYONE.  This modification 
allows you to masquerade any user account as the built-in Administrator.

Christian,

"Continued Access" to a system means that someone has compromised a system 
and they have continued access.  This implies that the administrators don't 
know that they had been compromised.  And you think that auditing tools 
would see a hex value changed in the SAM, when even local administrators 
don't have read access to the SAM?

Thank you,
-----------------------------------------------------
StenoPlasma at ExploitDevelopment.com
www.ExploitDevelopment.com
-----------------------------------------------------

-------- Original Message --------
> From: "Christian Sciberras" <uuf6429@xxxxxxxxx>
> Sent: Thursday, December 02, 2010 2:51 PM
> To: "Steno Plasma" <exploitdevelopmentdotcom@xxxxxxxxx>
> Subject: Re: Flaw in Microsoft Windows SAM Processing Allows Continued 
Administrative Access Using Hidden Regular User Masquerading After 
Compromise (2010-M$-001)
> 
> I don't understand how this is even relevant to security?
> 
> If a system was compromised, I'd have assumed it would be only logical 
to
> investigate as to why and ultimately, what was changed.
> Auditing tools would detect this in seconds, as well as a normal human
> (unless we're talking about more than 10 user accounts on the same PC).
> 
> Either case, a compromised PC should be (at least) rolled back to before 
the
> attack. Anyone keeping the system running without doing this
> deserves getting hacked over and over.
> 
> I'd agree with MS (+any other similar scenarios). People should focus on 
not
> getting hacked, not locking hackers out *after being hacked.*
> 
> My 2 cents,
> Chris.
> 
> 
> 
> 
> 
> On Thu, Dec 2, 2010 at 6:59 PM, Steno Plasma <
> exploitdevelopmentdotcom@xxxxxxxxx> wrote:
> 
> > ----------------------------------------------------------
> > www.ExploitDevelopment.com 2010-M$-001
> > ----------------------------------------------------------
> >
> > TITLE:
> > Flaw in Microsoft Windows SAM Processing Allows Continued
> > Administrative Access Using Hidden Regular User Masquerading After
> > Compromise
> >
> > SUMMARY AND IMPACT:
> > All versions of Microsoft Windows allow real-time modifications to the
> > Security Accounts Manager (SAM) that enable an attacker to create a
> > hidden administrative backdoor account for continued access once a
> > system has been compromised. Once an attacker has compromised a
> > Microsoft Windows computer system using any method, they can either
> > leave behind a regular user or hijack a known user account (Such as
> > ASPNET). This user account will now have all of the rights of the
> > built-in local administrator account from local or remote connections.
> > The user will also share the Administrator's desktop and profile. When
> > inspected by system administrators, the regular user always looks like
> > it is just part of the built-in user's group. The attacker can also
> > make the regular user account hard to detect by creating a user with
> > the username of "ALT-0160", for blank space. Events in the audit log
> > pertaining to the hidden account will be created if the system
> > administrator has enabled auditing, but the user name fields are all
> > blank. Once a system has been compromised, the attacker would need to
> > ensure the Task Scheduler service is enabled only when starting the
> > method. This method can be used to masquerade as any user account on
> > the computer system.
> >
> > DETAILS:
> > Use the following steps to exploit this vulnerability.
> >
> > Step 1: Attacker compromises the Windows computer using any available
> > method.
> > Step 2: Attacker creates a user account with a blank username using
> > 'net user " " P@$$w0rd /add'. In between the double quotes, you can
> > use ALT+0160 to create the blankspace.
> > Step 3: Attacker creates an interactive scheduled task to run a minute
> > after creating it. This scheduled task brings up a command prompt as
> > the NT Authority\SYSTEM account on Windows 2000, XP, and 2003. 'at
> > 11:24 /interactive cmd.exe'. If using Windows Vista, 7, or 2008
> > Server, the attacker must do all registry editing from the command
> > line using 'schtasks'.
> > Step 4: Once the SYSTEM command prompt comes up, open regedit from the
> > command line.
> > Step 5: Browse to 
'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names'
> > Step 6: Click on the newly created user account's user name.
> > Step 7: Take note of the "Type" field for that user.
> > Step 8: In this example, the backdooruser's "Type" is 0x3f7 and the
> > built-in Administrator's is 0x01F4.
> > Step 9: Under 'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users' click
> > on 000003F7.
> > Step 10: In the right pane, double click on the "F" key.
> > Step 11: Go to the 7th row of HEX values.
> > Step 12: Change the value from "F7 03" to "F4 01".
> > Step 13: Log off then log on using your new backdoor account.
> > Step 14: You will notice that you are now using the Administrator's
> > desktop and rights.
> > Step 15: When you run 'net localgroup Administrators' you will see
> > your backdoor account listed only when you log in as the backdooruser
> > to check for it. If any other user runs the same command they will
> > only see the regular user accounts.
> > Step 16: Delete any other temporary accounts you may have made during
> > the method.
> >
> > VULNERABLE PRODUCTS:
> > All patch levels of Microsoft Windows 2000 Workstation, Windows 2000
> > Server, Windows 2003 Server, Windows XP, Windows Vista, Windows 7, and
> > Windows 2008 Server. (Windows Vista, Windows 7 and Windows 2008 Server
> > are harder to exploit because you cannot bring up an interactive
> > SYSTEM shell, but you can still dump the registry, edit the field,
> > then merge the registry back as SYSTEM to complete the method).
> >
> > REFERENCES AND ADDITIONAL INFORMATION:
> > N/A
> >
> > CREDITS:
> > StenoPlasma (at) ExploitDevelopment.com
> >
> > TIMELINE:
> > Discovery: July 1, 2010
> > Vendor Notified: August 8, 2010
> > Vendor Dismissed: August 10, 2010 (MSRC says that there is nothing to
> > investigate because the action can only happen after a compromise.
> > This vulnerabilities deals with continued access without using DLL
> > injection or Rootkits)
> > Vendor Fixed: N/A
> > Vendor Notified of Disclosure: October 26, 2010
> > Disclosure to Bugtraq: December 2, 2010
> >
> > VENDOR URL:
> > http://www.microsoft.com
> >
> > ADVISORY URL:
> > http://www.ExploitDevelopment.com/Vulnerabilities/2010-M$-001.html
> >
> > VENDOR ADVISORY URL:
> > N/A
> >
> >
> > Thank you,
> > -----------------------------------------------------
> > StenoPlasma at ExploitDevelopment.com
> > www.ExploitDevelopment.com
> > -----------------------------------------------------
> >