
Hacker Reveals Easiest Way to Hijack Privileged Windows User Session Without Password

You may be aware that a local Windows user with system rights and permissions can reset the password for other users, but did you know that a local user can also hijack other users' sessions, including those of a domain admin or system user, without knowing their passwords?

Alexander Korznikov, an Israeli security researcher, has recently demonstrated that a local privileged user can even hijack the session of any logged-in Windows user who has higher privileges without knowing that user's password, using built-in command line tools.

This trick works on almost all versions of the Windows operating system and does not require any special privileges. Korznikov is himself unable to figure out whether it is a Windows feature or a security flaw.

The issue discovered by Korznikov is not entirely new, as a French security researcher, namely Benjamin Delpy, detailed a similar user session hijacking technique on his blog some six years ago.

Korznikov calls the attack a "privilege escalation and session hijacking," which could allow an attacker to hijack high-privileged users' sessions and gain unauthorized access to applications and other sensitive data.

For successful exploitation, an attacker requires physical access to the targeted machine, but using a Remote Desktop Protocol (RDP) session on a hacked machine, the attack can be performed remotely as well.

Video Demonstrations and PoC Exploit Released!

Korznikov has also provided a few video demonstrations of a successful session hijacking (using Task Manager, service creation, as well as the command line), along with a Proof-of-Concept (PoC) exploit.

Korznikov successfully tested the flaw on the newest Windows 10, Windows 7, Windows Server 2008 and Windows Server 2012 R2, though another researcher confirmed on Twitter that the flaw works on every Windows version, even if the workstation is locked.

While Microsoft does not deem it to be a security vulnerability and some experts argued that a Windows user with administrative permissions can do anything, Korznikov described a simple attack scenario to show how a malicious insider can easily misuse this flaw:

"Some bank employee has access to the billing system and its credentials to log in. One day, he comes to work, logs into the billing system and starts to work. At lunchtime, he locks his workstation and goes out for lunch. Meanwhile, the system administrator can use this exploit to access the employee's workstation."

"According to the bank's policy, the administrator's account should not have access to the billing system, but with a couple of built-in commands in Windows, this system administrator will hijack the employee's desktop, which he left locked. From now, a sysadmin can perform malicious actions in the billing system as the billing employee account."

Well, no doubt, an attacker can alternatively dump system memory to retrieve users' passwords in plaintext, but this is a long and complicated process compared to just running tscon.exe with a session number, without leaving any trace and without using any external tool.

The issue has been known to Microsoft for the last six years, so it's likely the company doesn't consider it a security flaw, as it requires local admin rights on the computer, and deems this to be how its operating system is supposed to behave.
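
A defender's view of the technique described above, as an added example that is not from the original article or from Korznikov's PoC: a small detector that flags `tscon.exe` launched with a session number and services whose image path points at `tscon.exe`. The event records are constructed, and the field names assume Sysmon Event ID 1 (process creation) and System log Event ID 7045 (service installed) are being collected; the `classify` and `scan` helpers are hypothetical names.

```python
import re

# Constructed sample events, not real logs. Field names follow Sysmon Event ID 1
# (process creation) and System log Event ID 7045 (service installed).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon.exe 2", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon.exe /?", "User": r"CORP\helpdesk"},
    {"EventID": 7045, "ServiceName": "demo-svc",
     "ImagePath": r"C:\Windows\System32\tscon.exe 2"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe tscon-notes.txt", "User": r"CORP\alice"},
]

# tscon as a whole token (not "tscon-notes.txt"), optionally with .exe.
TSCON_RE = re.compile(r"(?:^|[\\/\s\"])tscon(?:\.exe)?(?=[\s\"]|$)", re.I)
# tscon followed by a numeric session ID; session names are not covered here.
SESSION_ARG_RE = re.compile(r"tscon(?:\.exe)?\"?\s+(\d+)\b", re.I)


def classify(event):
    """Return (severity, reason) for a suspicious event, else None."""
    if event.get("EventID") == 7045:
        if TSCON_RE.search(event.get("ImagePath", "")):
            return ("high", "service ImagePath launches tscon")
        return None
    if event.get("EventID") != 1:
        return None
    if not event.get("Image", "").lower().endswith("\\tscon.exe"):
        return None
    match = SESSION_ARG_RE.search(event.get("CommandLine", ""))
    if match is None:
        return None  # e.g. help output: no session was targeted
    reason = f"tscon invoked for session {match.group(1)}"
    if event.get("User", "").upper() == r"NT AUTHORITY\SYSTEM":
        # Assumed heuristic: interactive admins rarely run tscon as SYSTEM.
        return ("high", reason + " as SYSTEM")
    return ("medium", reason)


def scan(events):
    """Return (index, severity, reason) for every flagged event."""
    return [(i, *hit) for i, e in enumerate(events) if (hit := classify(e))]


if __name__ == "__main__":
    for index, severity, reason in scan(SAMPLE_EVENTS):
        print(f"event {index}: [{severity}] {reason}")
```

The same matching logic can be carried over to a SIEM rule once process-creation and service-installation events are forwarded from workstations and RDP hosts.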