quarta-feira, 18 de maio de 2011

Robbing sessions

What happens when the system trusts certain kinds of users? You can steal remote or local sessions. This post intents to demonstrate a local session assault as a PoC. More details will be given if you wish to escalate the technique :). Keep in mind that although this discussion is applicable to XP family, I'll be just talking about what happens in Windows 7 and 2008.
So, when we're switching between session in a Windows machine, thanks to Remote Desktop services and/or Fast User Switch, lsm is notified about our intents and haply, if we present the credentials of the user who owns the targeted session, switches us to the intended session, and locks our old one.
This is what the api tells us, but in practice there is more about it. LSM misbehaves and as you can see from the picture, before validating the password it checks the caller credibility.

So how can we bypass this check, just by injecting into our own winlogon process, who is a trusted caller, and that's running in our same session, so no need to cross sessions tricks.
I built a tool for a simple demo called rob console, this tool simply switches you to the first login session you made into the machine, without requesting for a password. Keep in mind that you need to be an admin to call the tool. The tool runs only in Windows 7 32 bits.
To see it in action do the following: login to your machine, your first session will open and this will be the session you will be robbing. Go to the your 'Start menu' and choose 'Switch user', login again, this time with your admin account, run the tool and voilá.
Please note that the tool connects to session 1, if you happened to logoff from any previous session the tool will fail the switch, because session 1 will not be available any more.
To see if session 1 is still around use the following command:
query session

services                     0  Disc
console      popo            1  Active
             Administrator   2  Disc
rdp-tcp                  65536  Listen
If session 1 is no longer, than you need to reboot the machine in order to reset the session counter.
Now that you know the music let's dance the tango, cute things to do: remote session stealing - as soon as you connect remotely, even without logging in, a session will be created, this opens the chance to steal any remote session without the need to formally establishing the logon session with all the extras, drive mapping, user env., etc.
Combine this to elchomp, and you have an attack without forensic trail. Everything is done by the user, only the user, and nobody else but the user.


Sem comentários: