Secondary Logon Handle
Secondary Logon is a Windows service that allows administrators to authenticate and perform administrative tasks with a non-administrator account. However, this service fails to sanitize handles during the creation of a new process, which allows a standard user to perform privilege escalation by duplicating a system service thread pool handle. This bug was originally discovered by James Forshaw and the full technical details are explained here.
This vulnerability affects the following Microsoft products:
- Windows Vista
- Windows 7
- Windows 8.1
- Windows 10
- Windows 2008 Server
- Windows 2012 Server
Metasploit Framework has a specific module for this vulnerability; however, it doesn't seem to return a Meterpreter session.
If RDP is enabled on the system, a PowerShell script developed by Ruben Boonen based on James Forshaw's discovery can be dropped and executed in order to create an elevated command prompt as SYSTEM. Details of how to use the script and how elevation is achieved can be seen in the screenshots below:
Once the script is executed, it also performs a series of tasks in order to exploit the bug:
Ben Campbell has created a custom binary that reproduces the issue and the activities of the PowerShell script and can spawn a command prompt as SYSTEM.
It is also possible to get a Meterpreter session as an authenticated user by modifying the PowerShell script to call a custom Metasploit payload instead of a command prompt.
# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
$CallResult = [Advapi32]::CreateProcessWithLogonW(
    "user", "domain", "pass",
    0x00000002,                 # dwLogonFlags: LOGON_NETCREDENTIALS_ONLY
    "C:\pentestlab2.exe", "",   # lpApplicationName, lpCommandLine
    0x00000004,                 # dwCreationFlags: CREATE_SUSPENDED
    $null, $GetCurrentPath,
    [ref]$StartupInfo, [ref]$ProcessInfo)
Once this script runs, the payload is executed with SYSTEM privileges and a Meterpreter session is returned.
This vulnerability affects all versions of Windows from Vista to Windows 10, including server editions. As the PowerShell script indicates, the following requirements need to be in place for exploitation to be possible:
- Target system needs to have 2+ CPU Cores
- PowerShell v2.0 and above must be running
Microsoft has released a patch for this vulnerability, so before executing any scripts it is necessary to check whether the patch is missing:
C:\Users\pentestlab>wmic qfe list | find "3139914"
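The same patch check, written as a reusable PowerShell function for administrators auditing hosts (an added example, not code from the original post or from the scripts it references). It assumes only the KB number shown in the wmic command above; the Get-HotFix cmdlet and Win32_QuickFixEngineering class are built into Windows, and Get-WmiObject is used so it also runs on PowerShell v2.0.

```powershell
# Added example: report whether KB3139914 (the KB number quoted in the post) is installed,
# together with the prerequisites the post lists, so an admin can see which hosts are exposed.
function Test-KB3139914Installed {
    param([string]$KB = 'KB3139914')   # KB number taken from the post's wmic check
    # Get-HotFix reads the same Win32_QuickFixEngineering data as "wmic qfe list"
    $fix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    if ($fix) {
        return New-Object PSObject -Property @{
            Patched = $true; InstalledOn = $fix.InstalledOn; Source = 'Get-HotFix'
        }
    }
    # Fallback: query the WMI class directly and match on the bare KB number, as the post's wmic filter does
    $num = $KB -replace '^KB', ''
    $qfe = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -match $num }
    return New-Object PSObject -Property @{
        Patched = [bool]$qfe; InstalledOn = $null; Source = 'Win32_QuickFixEngineering'
    }
}

function Get-SecondaryLogonExposure {
    $os    = Get-WmiObject Win32_OperatingSystem
    $cores = (Get-WmiObject Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
    $patch = Test-KB3139914Installed
    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = $os.Version
        Cores          = $cores                                    # post: 2+ cores required
        PSVersion      = $PSVersionTable.PSVersion.ToString()      # post: PowerShell v2.0+
        PatchInstalled = $patch.Patched
        PatchSource    = $patch.Source
        SecLogonStatus = (Get-Service seclogon -ErrorAction SilentlyContinue).Status
    }
}

Get-SecondaryLogonExposure | Format-List
```

On Windows 10 the fix ships inside cumulative updates that supersede individual KB entries, so a missing KB3139914 in the QFE list is not conclusive there; confirm against the installed cumulative update level.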
It doesn't seem possible to get a Meterpreter session without modifying either the existing Metasploit module, the PowerShell script or the custom binary to call a specific payload instead of cmd.
It should also be noted that if the PowerShell script or the custom binary are executed remotely from a shell, they fail to capture any threads, and therefore elevation is not feasible without running them as an authenticated user directly on the system.