It seems that all Windows versions contain a kind of ‘vulnerability’ that allows the rights (administrator privileges) of one account to be transferred to a Windows guest account. This is called RID hijacking, and it has been known for at least 10 months without being broadly noticed.
First hints about RID Hijacking
I already found mentions of the topic on Twitter yesterday. Catalin Cimpanu (@campuscodi) pointed to his ZDNet.com article, which calls it a ‘backdoor’.
Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months.
— Catalin Cimpanu (@campuscodi) 18 October 2018
A (German) blog reader, Ralf, also informed me about the topic. Another article may be found at Fossbytes. Addendum: To make it clear, ‘RID hijacking’ needs admin rights, so misusing this ‘vulnerability’ means ‘only if you can already do everything on your machine can you also do RID hijacking’. But the technique behind RID hijacking is interesting.
The RID hijacking attack method was described by Sebastian Castro from Colombia on csl.com. But there is an older blog post by Castro from December 28, 2017, in which he already describes the method, so the attack has been known for 10 months. Castro’s hack is demonstrated in this video (a recording of a presentation by Castro).
According to the security researcher, he contacted Microsoft immediately after discovering the vulnerability but did not receive any feedback. So far, however, there is no known case of this vulnerability being exploited by malware. Addendum: It’s clear why it isn’t used yet: the Metasploit module requires admin rights to run.
The RID Hijacking Attack in Detail
Using only Windows’ own resources, it is possible to take over the RID (relative identifier, see here) of an existing account (even the built-in Administrator account with RID 500) and assign it to another user account, especially the Windows guest account. This attack allows:
- assigning the permissions of another account to the hijacked user account, even if that account is disabled (with this you can assign admin rights);
- authenticating with the hijacker account’s credentials (also remotely, depending on the computer’s configuration) and getting authorized access to everything the hijacked user account is allowed to do;
- having every action recorded in the event log under the name of the hijacked user account, although the action is actually performed from the ‘hijacker account’ the user is logged in with.
Sebastian Castro already wrote in December 2017 that this technique, despite its breathtaking effectiveness, was not sufficiently documented. So he decided to write a Metasploit module, rid_hijack, which automates this attack with any combination of existing accounts on the victim’s computer. He provided this software here (link broken) in the latest Metasploit version.
This module sets up a ‘Meterpreter session’ for a Windows victim. It then checks its privileges (and tries to elevate them if necessary). After that it attempts to change the registry keys associated with the specified account (if the Meterpreter session runs with SYSTEM privilege). Castro gave here a brief description of each parameter of the Metasploit module.
Note: I haven’t tested it, as I don’t have Metasploit, but it seems that the initial attack needs admin rights (see the value required for GETSYSTEM in the screenshot above; without admin rights, it’s game over).
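Because the attack works by rewriting the registry data of an account so that it carries another account’s RID, a defender can detect it by comparing each SAM user key with the RID stored inside it. The following Python script is an added example written for this post; it is neither the article’s nor Castro’s code. It assumes the layout of the F value under HKLM\SAM\SAM\Domains\Account\Users\<RID hex> (RID as a little-endian DWORD at offset 0x30, account control bits as a little-endian WORD at offset 0x38 with bit 0x0001 meaning ‘disabled’), which is documented SAM structure rather than something the article states, and it takes as input a dictionary of key name to raw F bytes that you would fill from an offline copy of the hive (that export step is not shown). The sample records are constructed for the demonstration.

```python
"""
Detect RID hijacking by checking each SAM user key against the RID
stored in its own F value. Added example, not code from the article or
from the rid_hijack module.

Assumptions (labelled as such, see lead-in):
- F value layout: RID at offset 0x30 (DWORD, LE), account control bits
  at offset 0x38 (WORD, LE), bit 0x0001 = account disabled.
- The caller has already exported the Users keys into a dict
  {key name: raw F bytes}; that export is not part of this example.
"""
import struct

RID_OFFSET = 0x30        # DWORD: the RID Windows puts in the account's SID
ACB_OFFSET = 0x38        # WORD: account control bits
ACB_DISABLED = 0x0001    # set when the account is disabled


def parse_f_value(f_bytes: bytes) -> dict:
    """Extract the two fields a hijack check needs from a raw F value."""
    if len(f_bytes) < ACB_OFFSET + 2:
        raise ValueError("F value too short to be a SAM user record")
    (rid,) = struct.unpack_from("<I", f_bytes, RID_OFFSET)
    (acb,) = struct.unpack_from("<H", f_bytes, ACB_OFFSET)
    return {"rid": rid, "disabled": bool(acb & ACB_DISABLED)}


def find_hijacked_accounts(users: dict) -> list:
    """
    Return one finding per user key whose embedded RID differs from the
    RID encoded in the key name. On an untouched system the two always
    agree, so any mismatch means the F value was rewritten.
    """
    findings = []
    for key_name, f_bytes in users.items():
        key_rid = int(key_name, 16)          # key names are 8 hex digits
        fields = parse_f_value(f_bytes)
        if fields["rid"] != key_rid:
            findings.append({
                "key": key_name,
                "key_rid": key_rid,
                "f_rid": fields["rid"],
                "disabled": fields["disabled"],
            })
    return findings


def make_f_value(rid: int, disabled: bool = False) -> bytes:
    """Build a minimal constructed F value for testing (not a real hive record)."""
    buf = bytearray(0x50)   # real records are longer; only checked fields are set
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    struct.pack_into("<H", buf, ACB_OFFSET, ACB_DISABLED if disabled else 0)
    return bytes(buf)


# Constructed sample: three local accounts. The Guest record (key 000001F5)
# has had its RID rewritten to 500, the built-in Administrator's RID.
SAMPLE_USERS = {
    "000001F4": make_f_value(500, disabled=True),   # Administrator, disabled
    "000001F5": make_f_value(500, disabled=False),  # Guest, hijacked to RID 500
    "000003E9": make_f_value(1001),                 # ordinary user, untouched
}

if __name__ == "__main__":
    for hit in find_hijacked_accounts(SAMPLE_USERS):
        print(f"key {hit['key']} (RID {hit['key_rid']}) carries RID "
              f"{hit['f_rid']} in its F value; disabled={hit['disabled']}")
```

Run against the sample, the check reports exactly one record, the Guest key whose F value now says RID 500. Because the check compares the key name with the key’s own content it does not depend on account names, which is useful since the hijacked account shows up under the victim account’s name everywhere else, including the event log.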
Testing the Module
Sebastian Castro writes that this attack was tested under Windows XP, Windows Server 2003, Windows 8.1 and Windows 10. On his website he describes how he uses a virtual Windows 8.1 Pro machine as the attack target (victim). According to the screenshot on his site, the test machine has only one user account, called User, plus the two built-in accounts: the Administrator account (Administrator, in Spanish Administrador) and the Guest account (in Spanish Invitado).
He was able to hijack the built-in Administrator account with RID 500 and assign its privileges to the built-in guest account (the Metasploit module was launched with admin rights, which isn’t a good idea). He set a password for the guest account and was able to open an administrative command prompt window from this guest account (see picture below).
With these permissions you can do everything an administrator is allowed to do, including writing to folders protected by Windows such as System32. But again, the Metasploit module needs to be executed with administrator rights to apply RID hijacking. At the end of the day, the vulnerability isn’t too critical (it needs admin rights), but in my opinion it’s an interesting technique for transferring a RID between two accounts. Further details may be found on csl.com.