Warning: include_once(/home/gentlese/public_html/inc/header_geswall.php) [function.include-once]: failed to open stream: No such file or directory in /home/gentlese/public_html/04302006.html on line 4

Warning: include_once() [function.include]: Failed opening '/home/gentlese/public_html/inc/header_geswall.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/gentlese/public_html/04302006.html on line 4

Advisory: The Weakness of Windows Impersonation Model

http://www.gentlesecurity.com/04302006.html


Summary

There is an immanent risk to run network services as privileged account, e.g. LocalSystem or Administrator. The threat is widely accepted and recognized. However, most are not aware that nearly the same risk is present for a service configured to run on behalf of non-privileged account such as Network Service, Local Service or unique user.


Technical Details

Security implications of impersonation are not new, but are not widely recognized and understood. By definition, impersonation allows a server application to replace (impersonate) its security context (credentials) by the context of a client. In general, impersonation assumes a server reduces its privileges but it also imposes a threat of unauthorized privilege elevation.

The attack scenario is well known and understood. An attacker terminates, pauses or crashes a privileged server application and starts its own one with the same interface. It receives requests from privileged client and impersonate. There were a number of attacks reported that have used this approach with named pipes [1, 2, 3]. However, the scope is not limited to named pipes. Any communication channel that supports impersonation can be hijacked for privilege elevation purposes, including LPC, RPC, DDE, COM, etc. Named pipe interfaces are merely less opaque and easier to discover and exploit.

The threat of impersonation led to the creation of a separate privilege - "Impersonate a client after authentication". Therefore, since Windows XP only the LocalSystem, Administrators and services have this privilege by default [4] and can impersonate to client's credentials. Regular users are not able to exploit impersonation anymore, but services (special processes managed by the Service Control Manager) still can. The risk of services run as LocalSystem and Administrators is recognized, however the threat of other accounts used to run services is underestimated. Network Service, Local Service and even unique user accounts used to run a service still allow privilege elevation for intruder who successfully attacked a service.

There are two attack scenarios:

  1. If a service does not impersonate highly privileged clients then an attacker who breaks into such service can simulate the communication interface used by privileged services.
  2. If a service happens to impersonate highly privileged clients then the attacker's task is easier, he just needs to catch up a privileged client context during impersonation.

Windows XP and Windows 2003 use the Network Service account to run critical services such as Remote Procedure Call (RPC), which impersonate privileged clients. As result, the second attack scenario is possible to elevate a Network Service context to LocalSystem. Additionally, Microsoft SQL Server 2000 service context is elevated from a unique user to LocalSystem. GentleSecurity provides demo tools exercising the privilege elevations as part of GeSWall's evaluation procedure.

D. Litchfield describes the risk of running database servers as a low privilege user [5]. M.Howard and D. LeBlanc partly admit the risk of Network/Local Service [4], quotation: "Like LocalSystem, it has the benefit of changing its own password (because it is basically a stripped-down version of the LocalSystem account). One drawback to using this account is the fact that several services use this account. If your service gets breached, other services might also be breached." However, the impersonation threat is not mentioned. Besides this note, we did not find any "official" warning about using these accounts.


Conclusions

It must be clearly admitted and well understood that under certain circumstances any service account context can be used by an attacker to elevate privileges. Therefore, actual the move from LocalSystem to Network Service, Local Service and unique user accounts does not mitigate the risk in general. Unprivileged accounts for services do not reduce privileges and the attack surface as advertised. A service implies the threat of using high privileges, regardless account used.


Solution

GesWall's access control policy prevents privilege elevation attacks as well as isolates privileged services precluding intrusions into the rest of system.


Credits

Special thanks to 3APA3A for the help in the issue research.


References

[1] @Stake. Named Pipe Filename Local Privilege Escalation. http://www.securiteam.com/windowsntfocus/5BP012KAKI.html
[2] Maceo. Named Pipe Filename Local Privilege Escalation Exploit. http://www.securityfocus.com/archive/1/329197
[3] Georgi Guninski. Elevation of privileges with debug registers on Win2K. http://www.guninski.com/dr07.html
[4] M. Howard, D. LeBlanc. "Writing Secure Code", Second Edition.
[5] D. Litchfield. "Snagging Security Tokens to Elevate Privileges". http://www.databasesecurity.com/dbsec/db-sec-tokens.pdf


Vendor Status

The issue reported to Microsoft on April 30, 2006.


Copyright 2005-2006 © GentleSecurity S.a.r.l.
http://www.gentlesecurity.com

Permission granted to redistribute this paper unedited in electronic form. No part of this paper may be reproduced, transmitted, or translated in any form except electronic without the prior written permission of GentleSecurity.

Information in this paper may change without notice and does not represent a commitment on the part of GentleSecurity.