IIS, Windows at risk from 'token kidnapping'

The vulnerability, known as "token kidnapping", is a technique for the elevation of privileges on Windows operating systems. The proof-of-concept for the technique was developed by Cesar Cerrudo, chief executive of security company Argeniss. It exploits weaknesses that affect Windows Server 2003 and 2008, as well as Windows XP and Vista. The technique works by […]

The vulnerability, known as "token kidnapping", is a technique for the elevation of privileges on Windows operating systems. The proof-of-concept for the technique was developed by Cesar Cerrudo, chief executive of security company Argeniss. It exploits weaknesses that affect Windows Server 2003 and 2008, as well as Windows XP and Vista.

The technique works by elevating privileges through exploiting accounts on IIS servers that have rights to impersonate a client after authentication, Cerrudo told ZDNet.com.au sister site ZDNet.co.uk. Impersonation is the ability of a thread to execute using different security information than the process that owns the thread. The accounts can be exploited by "kidnapping" the token, an object that describes the security context of a process or thread.

"On Windows XP and Server 2003 it's possible to elevate privileges from any Windows account that has impersonation rights," wrote Cerrudo. "Usually Windows services and Internet Information Services Web sites have this privilege. This means that in these operating systems if a user can upload an ASP [active server pages] or ASP.NET Web page and run it then the user can fully compromise the operating system."

Full Article