Windows: RID Hijacking allows guests to become an Admin

[German]It seems that all Windows versions contains a kind of ‘vulnerability’ which allows to transfer user rights (administrator privileges) from another account to a Windows guest account. This is called RID hijacking, and has been known for at least 10 months without being broadly noticed.


Advertising


First hints about RID Hijacking

I already found a mentions of the topic on Twitter yesterday. Catalin Cimpanu (@campuscodi) mentioned his ZDNet.com article, who called it a ‘backdoor’.

Also a (German) blog reader Ralf informed me about that topic. Another article may be found at Fossbyte. Addendum: But to make it clear, the ‘RID hijacking’ needs admin rights so far, so misusing this ‘vulnerability’ mean ‘only if you can do everything on your machine, you may also do RID hijacking’. But the technique behind RDI hijacking is interesting.

The RID hijacking attack method was described by Sebastian Castro from Colombia on csl.com. But there is an older blog post by Castro from December 28, 2017, where he already describes the method. So the attack has been known for 10 months. The hack of Castro is demonstrated in this video (recording of a presentation by Castro).

(Source: YouTube)


Advertising

According to the security researcher, he immediately contacted Microsoft when he discovered the vulnerability. He did not receive any feedback. So far, however, there is no known case where this vulnerability was exploited by malware. Addendum: It’s clear, why it isn’t used yet – due to the admin rights requirement to apply the metasploit.

The RID Hijacking Attack in Detail

With the Windows resources it is possible to take over the RID (relative identifier, see here) of an existing account (even the 500 Administrator Built-in account) and assign it to another user account – especially Windows guest accounts. This attack allows:

  • to assign the permissions of another account to the hijacked (abducted) user account, even if this account is deactivated (with this you can assign admin rights).
  • authentication with the hijacker account credentials (also remote, depending on the computer configuration), you get authorized access to everything that is allowed for the hijacked user account.
  • log any action recorded in the event log under the name of the kidnapped user account, although this action is performed from the ‘kidnapper account’ under which the performer is logged in.

Sebastian Castro already wrote in December 2017 that this technique, despite its breathtaking effectiveness, was not sufficiently documented. So he decided to write a Metasploit module, rid_hijack, which automates this attack with any combination of existing accounts on the victim’s computer. He provided this software here (broken) in the latest Metasploit version.

Metasploit
(Source: Castro CSL)

This module sets up a ‘Meterpreter session’ for a Windows victim. Then it tries to check the permissions (and retrieve them if necessary). It then attempts to change the registry keys associated with the specified account (if the Meterpreter session runs with SYSTEM privilege). Castro gave here a brief description of each parameter of the Metasploit module.

Note: I haven’t tested it, I have no metasploit tool – but it seems that the initial attack needs admin rights (see the value for GETSYSTEM required in the above screenshot – so without admin rights, it’s game over).

Testing the Module

Sebastian Castro writes that this attack was tested under Windows XP, Windows Server 2003, Windows 8.1 and Windows 10. On his website he describes how he uses a virtual Windows 8.1 Pro machine as an attack target (victim). According to the screenshot on his site, there is only one user account called User and two integrated accounts, the Administrator account (Administrator, in Spanish Administrador) and the Guest account (in Spanish Invitado), on the test machine.

He was able to hijack the build in Administrator account with RID 500 and assign the privileges to an integrated guest account (the metasploit has been launched with admin rights, which isn’t a good idea). He set a password for the guest accound and was able to invoke an administrative command prompt window from this guest account (see picture below).

Operationen mit dem Gast-Konto
(Source: Castro CSL)

With these permissions you can do everything an administrator is allowed to do – including writing to folders protected by Windows such as System32. But again, the metasploit need to be executed with administrator rights, to apply RID hijacking. At the end of the day, the vulnerability isn’t to critical (it need admin rights), but it’s in my opinion an interesting technique to transfer a RID between two accounts. Further details may be found on csl.com.


Advertising


This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

2 Responses to Windows: RID Hijacking allows guests to become an Admin

  1. user says:

    @Born, you should read this first before believing this: https://lifeinhex.com/why-morons-shouldnt-be-writing-about-security-part-4/

    • guenni says:

      Your welcome – it’s what the text say – yes it need admin rights to apply the metasploit (found that out later, as I’ve had a closer look at the screenshots from Castro,, overlooked the registry screenshot within the december 2017 article first). But the interesting part (in my opinion) is the ability, to transfer the RID to another account and hide that (I wasn’t aware that this is possible). You can’t see that the guest account has admin rights – every action used under the guest account will be logged as made from the hijacked account – and no UAC command prompt is shown for Administrator RID. Or I’m wrong with my interpretation?

      BTW: Your simple net localgroup administrators guest /add won’t do the same – if I’m not completely wrong. The command adds the guest account to the local group administrators. The RID hijacking let the guest account stay within the local group guests, but changes the rights. Or I’m wrong with my interpretation?

Leave a Reply

Your email address will not be published. Required fields are marked *