India Broadband Forum


One-year-old (unpatched) Windows 'token kidnapping' under attack
Old 03-19-09, 12:03 AM   #1
Platinum Member
 
Join Date: Aug 2007
Location: Chennai
Posts: 4,246
essbebe
Exactly one year after a security researcher notified Microsoft of a serious security vulnerability affecting all supported versions of Windows (including Vista and Windows Server 2008), the issue remains unpatched and now comes word that there are in-the-wild exploits circulating.

The vulnerability, called token kidnapping (.pdf), was originally discussed last March by researcher Cesar Cerrudo and led to Microsoft issuing an advisory with workarounds. Five months later (October 2008), Cerrudo released a proof-of-concept in an apparent effort to nudge Microsoft into patching but the company has not yet released a fix.

Now comes word from the SANS ISC (Internet Storm Center) that the flaw is being used in a blended attack against an unknown target:

Incident handler Bojan Zdrnja discovered the token kidnapping component of the attack while doing post-infection forensics:

* The story started more or less like hundreds of recently seen incidents. A web application had a vulnerability that allowed a remote attacker to upload files to the server. As the files were not validated, the attacker was able to upload a .NET Webshell. This webshell is known as ASPXSpy, it’s an ASPX program that allows easy control over the compromised server. The attacker can now upload files through the browser and execute them.

* However, the attacker still does not have total control over the server as the IIS service runs under an unprivileged account. This is where the local privilege escalation vulnerability comes into play. The attackers uploaded a local exploit called Churrasco2. This is a PoC created by a well-known researcher, Cesar Cerrudo, and published back in October 2008. What makes it even worse is that it works on both Windows Server 2008 and Server 2003. The exploit creates a backdoor shell after it steals the SYSTEM token. The program’s usage description says it all:

* /Churrasco/–>Usage: Churrasco2.exe ipaddress port

After this, it was game over. The attacker had a backdoor to the server running as SYSTEM. The next steps were very obvious and included installation of another Trojan as well as a keylogger.

This is yet another example of a black eye that Microsoft could have avoided. To repeat, the company had notice of this issue one year ago and, despite evidence of proof-of-concept code, there is no patch for affected Windows users.

It should also be said that the list of outstanding Windows flaws collecting dust is very long and continues to grow every day.

In the absence of a patch, end users should pay attention to the workarounds/mitigations in Microsoft’s advisory.

essbebe is offline
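The first stage of the incident quoted above (unvalidated upload, then requests to a freshly uploaded .aspx webshell) leaves a recognisable trace in IIS W3C logs. The following is an added detection example written for this thread, not code from the ZDNet article, SANS ISC or the forum; the log lines, client addresses and the `/upload.aspx` handler and `/uploads/` directory are constructed assumptions.

```python
"""Flag the upload-then-execute pattern from the ISC write-up in IIS W3C logs.

Added example for this thread, not code from the article or the ISC post.
The log lines, paths and client addresses below are constructed; the field
layout follows the IIS W3C extended format declared by the #Fields header.
"""

# Constructed sample: a benign document upload, then an .aspx upload that the
# same client immediately requests (the webshell being driven from a browser).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2009-03-18 22:01:10 10.0.0.5 POST /upload.aspx - 80 - 192.0.2.10 Mozilla/4.0 200
2009-03-18 22:01:11 10.0.0.5 GET /uploads/report.pdf - 80 - 192.0.2.10 Mozilla/4.0 200
2009-03-18 22:03:40 10.0.0.5 POST /upload.aspx - 80 - 198.51.100.7 Mozilla/4.0 200
2009-03-18 22:03:42 10.0.0.5 GET /uploads/cmd.aspx - 80 - 198.51.100.7 Mozilla/4.0 200
2009-03-18 22:03:55 10.0.0.5 POST /uploads/cmd.aspx - 80 - 198.51.100.7 Mozilla/4.0 200
"""

# Extensions IIS hands to the ASP.NET engine; an upload directory should never serve them.
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".ascx", ".config")


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_upload_execution(text, upload_handler="/upload.aspx", upload_dir="/uploads/"):
    """Return unique (client, path) pairs where a client first POSTed to the
    upload handler and then requested a server-side script under upload_dir.
    Any script under the upload directory is already a red flag; correlating
    with a prior upload from the same client separates it from a stale file."""
    uploaders = set()
    hits = set()
    for rec in parse_w3c(text):
        client, path = rec["c-ip"], rec["cs-uri-stem"].lower()
        if rec["cs-method"] == "POST" and path == upload_handler.lower():
            uploaders.add(client)
        elif path.startswith(upload_dir) and path.endswith(SCRIPT_EXTS) and client in uploaders:
            hits.add((client, path))
    return sorted(hits)


if __name__ == "__main__":
    for client, path in find_upload_execution(SAMPLE_LOG):
        print(f"possible webshell: {path} requested by uploader {client}")
```

The same rule, fed by the site's real upload endpoint and content directory, gives a low-noise alert; blocking script handlers for the upload directory in IIS removes the execution step altogether.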
Old 03-19-09, 12:06 AM   #2
newprouser

Thanks for the info, essbebe... does this problem affect desktop OS too? Any solution to this problem?
Old 03-19-09, 12:16 AM   #3
essbebe

@newprouser
I have no idea.
Posted this for info instead of giving the actual link.
You can read some nice words about me in another thread!!
Now I will have my 2 minutes sleep for the day !
essbebe is offline
Old 03-19-09, 12:24 AM   #4
newprouser
Quote:
Originally Posted by essbebe View Post
@newprouser
I have no idea.
Posted this for info instead of giving the actual link.
You can read some nice words about me in another thread!!
Now I will have my 2 minutes sleep for the day !