March 16th, 2009

One-year-old (unpatched) Windows 'token kidnapping' under attack

Posted by Ryan Naraine @ 1:30 pm

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Kernel-level Exploits, Locally Running Web Servers, Malware, Microsoft, Open source, Passwords, Patch Watch, Pen testing, Research, Responsible disclosure, Vulnerability research, Web Applications, Windows Vista, Zero-day attacks

Tags: Attacker, Server, Microsoft Corp., Attack, Microsoft Windows, Security, Operating Systems, Software, Ryan Naraine

Exactly one year after a security researcher notified Microsoft of a serious security vulnerability affecting all supporting version of Windows (including Vista and Windows Server 2008), the issue remains unpatched and now comes word that there are in-the-wild exploits circulating.

The vulnerability, called token kidnapping (.pdf), was originally discussed last March by researcher Cesar Cerrudo and led to Microsoft issuing an advisory with workarounds. Five months later (October 2008), Cerrudo released a proof-of-concept in an apparent effort to nudge Microsoft into patching but the company has not yet released a fix.

Now comes word from the SANS ISC (Internet Storm Center) that the flaw is being used in a blended attack against an unknown target:

[ SEE: Where on earth are these Microsoft patches? ]

Incident handler Bojan Zdrnja discovered the token kidnapping component of the the attack while doing post-infection forensics:

• The story started more or less like hundreds of recently seen incidents.  A web application had a vulnerability that allowed a remote attacker to upload files to the server.  As the files were not validated, the attacker was able to upload a .NET Webshell. This webshell is known as ASPXSpy, it’s an ASPX program that allows easy control over the compromised server. The attacker can now upload files through the browser and execute them.

• However, the attacker still does not have total control over the server as the IIS service runs under an unprivileged account. This is where the local privilege escalation vulnerability comes into play.  The attackers uploaded a local exploit called Churrasco2.  This is a PoC created by a well known researcher Cesar Cerrudo and published back in October 2008.  What makes it even worse is that it work on both Windows Server 2008 and Server 2003.  The exploit creates a backdoor shell after it steals the SYSTEM token.  The program’s usage description says it all:

• /Churrasco/–>Usage: Churrasco2.exe ipaddress port

After this, it was game over.  The attacker had a backdoor to the server running as SYSTEM.  The next steps were very obvious and included installation of another Trojan as well as a keylogger.

This is yet another example of a black-eye that Microsoft could have avoided.  To repeat, the company had notice about this issue one year ago and despite evidence of proof-of-concept code, there is not patch for affected Windows users.

It should also be said that the list of outstanding Windows flaws collecting dust is very long and continues to grow everyday.

In the absence of a patch, end users should pay attention to the workarounds/mitigations in Microsoft’s advisory.

* Image via Todd Bishop, Seattle PI.