Privilege Escalation on Windows – Abusing Tokens

BrightTALK The 2019 Threatscape

What is Privilege Escalation?

Operating Systems that manage a computer’s hardware and its resources are usually designed to be used by multiple users (accounts). Each of which designate access to a certain amount of resources (physical and logical) using the name “privileges.” The privilege escalation process comes from exploiting design flaws, configuration issues, or bugs in the system to obtain more resources available than what was originally provided. In other words, you exploit a system to escalate your privileges on the device, hence the name “Privilege Escalation.” Depending on the privileges obtained by exploiting a flaw, an attacker could have total control of the operating system.

Forms of Privilege Escalation

  • Horizontal: Occurs when the privilege escalation is lateral, meaning there is a transfer of privilege but usually not to a higher resource’s capabilities.
    Example: When an attacker, using a regular user account, can escalate to another regular (not system) user account in a compromised system.
  • Vertical: Occurs when the escalation is focused towards gaining more privileges. The process is known as Privilege Elevation.
    Example: An attacker using a regular user account (low privileges) exploits a flaw that leads to an administrative account.

This post specifically covers Windows Privilege Escalation using Token Objects.

Tokens

The Windows operating system uses token objects to describe the security context of a particular thread or process. These tokens (nt*_TOKEN structure) contain a vast swath of security and referential information, including integrity level, privileges, groups, and more.

A process holds a primary token. Threads executing within the process inherit this same token. When a thread needs to access an object using a different set of credentials, it can use an impersonation token. This does not impact the primary token or other threads, only the execution in the context of the impersonating thread. These impersonation tokens can be obtained via a different number of APIs provided by the Windows Kernel.

Token Impersonation is when a new object token is assigned to a thread that is different from the parent process’ token. Even though the word impersonation indicates that one is using a token belonging to a different user, this isn’t always the case. A process may impersonate an object token that it owns, but simply has a different set of privileges.

Exploitation

For an attacker to be able to impersonate object tokens in a compromised system, they would need the following privileges on the target. These privileges are usually associated with the services account:

  • SeImpersonatePrivilege
  • SeAssignPrimaryPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

The attackers can check if they have the necessary privileges shown above just by running a single command: `whoami /priv`. If any of these privileges are found, the potential to elevate vertically is high and it presents a huge risk to the system. Sometimes the attackers can move (escalate) horizontally in order to find other accounts that have those privileges, so they can then exploit them to elevate their privileges.

Sources:
Wikipedia Privilege Escalation Article
Github hatRiot – Abusing Tokens
Abusing Token for Privileges on Windows