Token Impersonation/Theft

Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token.

An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.

Example:

PrintSpoofer.exe

Impersonate Privileges with a Named Pipe for this to work the tool tricks NT AUTHORITY\SYSTEM account into connecting and authenticating to an RPC server they control by leveraging some peculiarities of the Istorage COM interface. This exploit is well known by using the RottenPotato or RogueWinRm Exploits.

During the authentication process, all the messages are relayed between the client - the SYSTEM account here - and a local NTLM negotiator. This negotiator is just a combination of several Windows API calls such as AcquireCredentialsHanlde() and AcceptSecurityContext() which interact with the lsass procces through ALPC. In the end if all goes well, you get SYSTEM.

Here I am as the current user with the privileges needed.

Then I move to using the PrintSpoofer exploit which will abuse the Print System Remote Protocol this is used with a tooled called SpoolSample the exploit is based on a single RPC call to a function exposed by the Print Spooler service.

According to documentation, this function create a remote change notification object that monitors changes to printer objects and send change notifications to a print client using either RpcRouterReplyPinter or RpcRouterReplyPrinterEx.

But how are these notifications sent? "via ROC… over a named pipe". The thing here is that it communicates with a named pipe called "\pipe\spools" . It4man implements a trick on his PrintSpoofer tool to trick and control the path used by a server. With some slight adjustments we canc reate a server path and trick the RPC to communicate into a SYSTEM controlled pipe onto our controlled one and receive SYSTEM access.

Path Manipulation

As a prerequisite, the only required privilege is SeImpersonatePrivilege

Referenes:

PreviousCreate Process with Token NextT1548: Abuse Elevation Control Mechanism

Last updated 3 years ago