The researcher said in a blog post that a privileged user, such as a local administrator who can run commands with SYSTEM rights, can use the command line to hijack the session of another logged-in user, even one who has higher privileges.
Korznikov said the technique is not limited to reaching an account with higher privileges: a system administrator can just as well use it to take over accounts with fewer entitlements than his own.
The researcher says:
"A bank clerk has access to an invoicing system and has the credentials to connect to it. One day he starts using the invoicing system and, at break time, locks his workstation. The system administrator can then log in to the employee's workstation. According to the bank's policy, the administrator should not have access to the invoicing system, but with two built-in Windows commands the administrator can hijack the employee's account, which is still locked. Thus the administrator can perform malicious actions on the billing system through the employee's account."
The whole procedure takes about half a minute, according to the proof-of-concept video the researcher published.
Korznikov did not report the matter to Microsoft.
"Everything is done with built-in commands. Any administrator can emulate any logged-in user either locally with physical access or remotely via Remote Desktop," he said.
"Reporting to Microsoft could take six months to resolve the issue, and I wanted to let them all know as soon as possible."
A Microsoft spokesman said the alleged flaw "is not a security vulnerability as it requires local administrator privileges on the machine."
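Since Microsoft's position means no fix is coming, the practical question for a defender is how to see the technique being used. The article does not name the two built-in commands; the published technique relies on tscon.exe, which reconnects a session to a different Window Station and, on a host that audits "Other Logon/Logoff Events", records Security event ID 4778. The PowerShell below is an added example written for this page, not code from the article or from Korznikov's post. It assumes an elevated PowerShell on a Windows host with that audit subcategory enabled; the "Suspicious" heuristic (a reconnect whose client is the machine itself rather than a remote RDP client) is an assumption of this example, not a Microsoft-defined signature.

```powershell
# Added example; not code from the article or from Korznikov's post.
# Assumed: elevated PowerShell on a Windows host whose Security log records
# event ID 4778 ("A session was reconnected to a Window Station"), which needs
# the "Audit Other Logon/Logoff Events" subcategory turned on. The built-in
# command the published technique relies on, tscon.exe, reconnects a session
# and therefore produces such an event.

function Get-InteractiveSession {
    # Parse the fixed-width output of the built-in "query user" command, i.e.
    # the same view an administrator uses to pick a session to take over.
    # The SESSIONNAME column is empty for disconnected sessions, so a regex
    # with an optional group is used rather than splitting on whitespace.
    $pattern = '^\s*(?<self>>)?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+)$'
    query user 2>$null | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{
                User        = $Matches.user
                SessionName = $Matches.session
                Id          = [int]$Matches.id
                State       = $Matches.state       # "Active" (incl. locked) or "Disc"
                IdleTime    = $Matches.idle
                LogonTime   = $Matches.logon.Trim()
                IsCurrent   = [bool]$Matches.self  # ">" marks the caller's own session
            }
        }
    }
}

function Get-SessionReconnect {
    # Pull 4778 events from the local Security log and flatten their EventData.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4778; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Account       = "$($data.AccountDomain)\$($data.AccountName)"
            SessionName   = $data.SessionName
            ClientName    = $data.ClientName
            ClientAddress = $data.ClientAddress
            # Heuristic (assumption of this example, not a Microsoft signature):
            # a reconnect whose client is this machine rather than a remote RDP
            # client is the shape a console-side tscon produces.
            Suspicious    = ($data.ClientAddress -eq 'LOCAL' -or $data.ClientName -eq $env:COMPUTERNAME)
        }
    }
}

# Usage: list the sessions an administrator could target, then review the
# reconnects recorded in the last day.
Get-InteractiveSession | Format-Table -AutoSize
Get-SessionReconnect -Hours 24 | Where-Object Suspicious | Format-Table -AutoSize
```

The 4778 event is written on the host whose session was reconnected, so on a shared machine or a terminal server the check belongs in central log collection, not on the administrator's own workstation. Because the reconnect is legitimate from the operating system's point of view, the only true mitigations are the obvious ones: do not give local administrator rights to people who must not act in other users' sessions, have users log off rather than lock when leaving a shared machine, and use the Remote Desktop Session Host policy "Set time limit for disconnected sessions" so that idle disconnected sessions do not linger as targets.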
Feature or defect? The researcher himself titled his post "0-day or Feature? Privilege Escalation / Session Hijacking All Windows versions". Whether it is one or the other, and how useful the PoC is, is for you to judge.
However, in the bank scenario the researcher describes, the outcome is clearly malicious action taken in the account holder's name without his consent.