Windows: Feature or Defect?
Alexander Korznikov, a security researcher, has published a technique that can give you the highest level of access on a network without needing a password.
The researcher reported in a blog post that a privileged user, such as a local administrator with system privileges, can use the command line to hijack the session of another logged-in user who has higher privileges.
Korznikov mentioned that his technique is not only about gaining access to an account with higher privileges; it can also be used by system administrators to gain access to accounts with lower privileges.
The researcher says:
“A bank employee has access to a billing system and its credentials so that he can log in. One day, he starts using the billing system and, at break time, locks his workstation. Then the system administrator is able to log in to the employee's workstation. According to the bank's policy, the administrator should not have access to the billing system, but with two built-in commands in Windows, the administrator can hijack the employee's account, which is still locked. Thus, the administrator can perform malicious actions on the billing system through the employee's account.”
All it takes is about half a minute, according to the PoC video published by the researcher.
https://www.youtube.com/watch?v=VytjV2kPwSg
Korznikov said he tested the bug on Windows 7, Windows 10, Windows Server 2008, and Windows Server 2012 R2, and that it works on any supported version of Windows.
Korznikov did not report the matter to Microsoft.
"Everything is done with built-in commands. Each administrator can emulate any logged-in user, either locally with physical access or remotely via Remote Desktop," he said.
"Reporting to Microsoft could take six months to resolve the issue, and I wanted to let them all know as soon as possible."
A Microsoft spokesman said the alleged flaw "is not a security vulnerability as it requires local administrator privileges on the machine."
Feature or defect? The researcher himself titled his publication “0-day or Feature? Privilege Escalation / Session Hijacking All Windows versions.” Whether it is a feature or a defect, and how useful the PoC you watched is, is for you to judge.
However, if you think of the bank scenario described by the researcher, it could well lead to malicious actions without the consent of the account holder.