Secondary logon is a windows service that allows administrators to authenticate and perform administrative tasks with a non-administrator account. However this service fails to sanitize handles during the creation of a new process which could allow a standard user to abuse this in order to perform privilege escalation as he can duplicate a system service thread pool handle. This bug was originally discovered by James Forshaw and the full technical details are explained here.

This vulnerability affects the following Microsoft products:

  • Windows Vista
  • Windows 7
  • Windows 8.1
  • Windows 10
  • Windows 2008 Server
  • Windows 2012 Server

Metasploit

Metasploit Framework has a specific module for this vulnerability however it doesn’t seem to return a Meterpreter session.

exploit/windows/local/ms16_032_secondary_logon_handle_privesc

 

Metasploit - Secondary Logon Handle Module
Metasploit – Secondary Logon Handle Module

PowerShell

If RDP is enabled on the system then a PowerShell script which was developed by Ruben Boonen based on the discovery of James Forshaw could be dropped and executed in order to create an elevated command prompt as SYSTEM. Details of how to use the script and how elevation is achieved can be seen in the screenshots below:

PowerShell - Secondary Logon Handle Script
PowerShell – Secondary Logon Handle Script

From the moment that this script will be executed a series of tasks will be performed as well in order to exploit the bug:

PowerShell - Secondary Logon Handle Script Operation
MS16-032 – PowerShell Script Operation
PowerShell - MS16-032 Elevated Command Prompt
PowerShell – MS16-032 Elevated Command Prompt

Custom Binary

Ben Campbell has created a custom binary which reproduces the issue and the activities of the PowerShell script and can spawn a command prompt as system.

MS16-032 - Custom Binary
MS16-032 Custom Binary
MS16-032 - Elevated Command Prompt
MS16-032 – Elevated Command Prompt

Meterpreter

It is also possible to get a Meterpreter session as an authenticated user by modifying the PowerShell script in order to call a custom Metasploit payload instead of a command prompt.

# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
$CallResult = [Advapi32]::CreateProcessWithLogonW(
"user", "domain", "pass",
0x00000002, "C:\pentestlab2.exe", "",
0x00000004, $null, $GetCurrentPath,
[ref]$StartupInfo, [ref]$ProcessInfo)

From the moment that this script will run the payload will be executed with SYSTEM privileges and a Meterpreter session will returned back.

Meterpreter Session - Secondary Logon Handle
Meterpreter Session – Secondary Logon Handle
Meterpreter - SYSTEM PrivilegesSecondary Logon Handle
Meterpreter System Privileges

Conclusion

This vulnerability is affecting all versions of windows from Vista to Windows 10 including server editions and in order for the exploitation to be possible as the PowerShell script indicates the following requirements needs to be in place:

  • Target system needs to have 2+ CPU Cores
  • PowerShell v2.0 and above must be running

Microsoft has a patch to address this vulnerability so before the execution of any scripts a check to determine if a patch is missing is necessary:

C:\Users\pentestlab>wmic qfe list | find "3139914"

Problems:

It doesn’t seem that it is possible to get a Meterpreter session without modifying either the existing Metasploit module, the PowerShell script or the custom binary to call a specific payload instead of the cmd.

Also it should be noted that if the PowerShell script or the custom binary are executed remotely from a shell they will fail to capture any Threads and therefore elevation would not be feasible without running these as an authenticated user directly from the system.

References

https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html

https://www.exploit-db.com/exploits/39719/

https://github.com/khr0x40sh/ms16-032

https://www.rapid7.com/db/modules/exploit/windows/local/ms16_032_secondary_logon_handle_privesc

Leave a comment