[guru] Windows Access tokenek
DATE: Wed, 30 Apr 2008 12:31:16 +0200
A Windows hozzáférés szabályozásában fontos szerepet töltenek be az ún.
Access tokenek. Az első levélben szereplő előadás azt mutatja be, hogy
egy pentester vagy támadó egy gép feltörése után miként tudhat plusz
jogokat szerezni ha sikerül tokeneket lopnia. Az access tokenek jelen
rendszere önmagában nem hordoz kockázatot, viszont a helytelen felhasználói
vagy rendszergazdai magatartás könnyen veszélyeztetheti a vállalat
értékesebb rendszereit is.
A második előadás témája inkább a token lopás. Maga a tokenek rendszere
nem biztonsági hiba, viszont több olyan hiba is található egyes szervízekben,
ahol a támadó könnyen plusz jogokat szerezhet.
--- Begin Message ---
Hey guys,
I recently got round to writing the whitepaper version of my Defcon 15 and CCC talk. For those who are interested, please find the abstract, PDF link and sourceforge link to the accompanying tool below: -
http://www.mwrinfosecurity.com/publications/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf
http://sourceforge.net/projects/incognito
ABSTRACT
This whitepaper discusses the security exposures that can occur due to the manner in which access tokens are implemented in the Microsoft® Windows Operating System. A brief overview of the intended function, design and implementation of Windows access tokens is given, followed by a discussion of the relevant security consequences of their design. More specific technical details are then given on how the features of Windows access tokens can be used to perform powerful post-exploitation functions during penetration testing, along with a basic methodology for including an assessment of the vulnerabilities exposed through tokens in a standard penetration test. Discussion is also included about why many corporate environments (assessed during penetration tests conducted by MWR InfoSecurity) have been found to not be operating in a manner which limits the risk of such issues. Finally, best practice advice is given on how to defend against these attacks.
It must be noted that the security issues discussed in this white paper do not represent a flaw in the Microsoft® Windows Operating System but are an expected consequence based on the design and implementation of Windows access tokens. The important point is that many corporate environments do not account for these issues within their security strategy and, consequently, the controls in many of these environments are not sufficient to withstand the techniques discussed here.
Additionally, it is acknowledged that the security implications of Windows access tokens have been discussed before both in general terms and to different degrees of technical detail. This document is not intended to present such discussions as being fundamentally new; instead it is intended to collate some of the existing knowledge, introduce some new findings and to demonstrate why many years after the general principles discussed were highlighted, many corporate environments are still vulnerable to these issues.
This paper is based upon research originally presented by the author at Defcon 15 [1] and Chaos Computer Congress (CCC) 2007 [2].
Cheers,
Luke
--- End Message ---
--- Begin Message ---
Presentation is available at:
http://www.argeniss.com/research/TokenKidnapping.pdf
Exploit code won't be released for a while due to
Microsoft request.
Enjoy.
Cesar.
____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
--- End Message ---