Token Kidnapping in Windows

Microsoft has just released MS09-012 to address this issue in its entirety. Get further details here.


You have probably heard about the Token Kidnapping vulnerability in Windows, read Microsoft's security advisory on it, and are wondering why there isn't an update for it yet. Although this is a Windows issue rather than an IIS issue, the fact that IIS can be used as a vector for it makes me all the more eager to see an update soon. That obviously does not assuage our customers' concerns, so in the interest of transparency I thought it would be prudent to explain the issue, what the update will do and why it is taking time. Just to make it absolutely clear: Microsoft is going to release an update to address this issue, and the workarounds mentioned in the advisory are still applicable and help mitigate it. In the case of IIS, some of these "workarounds" are actually recommended best practices.

The issue

Before there were service accounts, there was LocalSystem, and it was too highly privileged to host un-trusted code, no matter how much we tried to sandbox it. So we introduced service accounts such as NetworkService that do not have all the privileges of the LocalSystem account, and many products and features embraced the idea of running under this identity, for several reasons. For simplicity, let's split the users of this feature into two buckets, both of them valid uses.

1. Isolating un-trusted code.
Some products, like Internet Information Services (IIS), need the ability to host un-trusted user code inside their worker processes. In the case of a buffer overrun or any other error, we want to ensure that the user code does not have enough privileges to affect the entire system and is sufficiently sandboxed by the worker process identity.

2. Following least privilege practices.
Other products followed the practices of least privilege to harden the security of their features.

These service accounts need the client impersonation privilege (SeImpersonatePrivilege) so that the process or service can run as a specific authenticated user when it needs to. The act of "impersonation" leaves a "token" identifying that authenticated user in the process or service. The two valid uses above have different characteristics, though: the first would not expect privileged users such as Administrators to be impersonated, while the second might well be. This leaves us with a scenario where two different processes or services running under the same service account identity hold very different kinds of tokens. In some cases these tokens are long-lived, or it is easy to perform an action that causes a process or service to acquire a privileged token. Also, these different processes and services are not wholly isolated from each other in every case. The combination of these two factors gives rise to an issue where un-trusted code hosted in a process running with a service account identity (say, in group 1 above) can access a privileged token from a process running with the same service account identity (likely in group 2 above), leading to an elevation of privilege.
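The precondition described above is two services or processes sharing one service-account identity. The following PowerShell audit is an added example, not code from the original post: it lists running services grouped by logon account and by hosting process (services sharing an svchost.exe instance share a process, not just an identity), and then lists non-service processes such as IIS worker processes that run under the same accounts. It assumes PowerShell 2.0 with WMI access from an elevated prompt, so that `Win32_Process.GetOwner()` succeeds for other users' processes; the account strings in `$watched` are the ones WMI reports for the built-in service accounts.

```powershell
# Added example (not from the original post): audit which running services and
# processes share a Windows service-account identity.
# Assumes PowerShell 2.0, WMI access, and an elevated prompt.
$watched = @('NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')

# Services: StartName is the logon account. Several services hosted in one
# svchost.exe share a process, and therefore the same token handles, so group
# by ProcessId as well as by account. (-eq is case-insensitive, which matters
# because WMI reports the "NT AUTHORITY" prefix with varying case.)
$services = @(Get-WmiObject -Class Win32_Service |
    Where-Object { $_.State -eq 'Running' })

foreach ($account in $watched) {
    $shared = @($services | Where-Object { $_.StartName -eq $account })
    Write-Output ('{0}: {1} running service(s)' -f $account, $shared.Count)
    $shared | Group-Object -Property ProcessId | ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
        Write-Output ('  PID {0}: {1}' -f $_.Name, $names)
    }
}

# Processes that are not services but run under the same identities, e.g. IIS
# worker processes (w3wp.exe). These are the "processes running as service
# accounts" that service hardening alone does not cover.
$servicePids = @($services | ForEach-Object { $_.ProcessId })

$processes = @(Get-WmiObject -Class Win32_Process | ForEach-Object {
    $owner = $_.GetOwner()          # needs elevation for other users' processes
    if ($owner.ReturnValue -eq 0) {
        New-Object PSObject -Property @{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Account   = ('{0}\{1}' -f $owner.Domain, $owner.User)
        }
    }
})

foreach ($account in $watched) {
    $running = @($processes | Where-Object {
        $_.Account -eq $account -and ($servicePids -notcontains $_.ProcessId)
    })
    Write-Output ('{0}: {1} non-service process(es)' -f $account, $running.Count)
    $running | ForEach-Object {
        Write-Output ('  PID {0}: {1}' -f $_.ProcessId, $_.Name)
    }
}
```

Any account that shows both a service-hosting process and a non-service process (typically NetworkService with svchost.exe on one side and w3wp.exe on the other) is exactly the combination the post is concerned about, and is where a dedicated identity for the worker process buys the most.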

You can read more about this in the finder's document at http://www.argeniss.com/research/TokenKidnapping.pdf

The change

There are different levels at which changes would be needed to address this issue.

1. Service isolation.
The first issue to address is to make sure that two services running with the same identity are not able to access each other's tokens freely. This concern has mostly been addressed by the service hardening done in Windows Vista and above. Some minor changes are still needed to strengthen service hardening and close gaps identified during our investigation of this issue.

2. Processes running as service accounts.
There are cases where the service hardening work done above does not apply. In these cases changes need to be made to prevent processes from holding on to privileged tokens or from being induced to acquire one by unprivileged means.

The difficulty


Both the changes above come with their own set of challenges.

1. Service isolation.

The changes required to address concerns in this space need to occur at a very low level in the OS. As a result, they have a high impact on the system and require rigorous testing on the part of multiple teams within Microsoft.

2. Processes running as service accounts.

The changes required here are even more complex, mostly because of design decisions and the dependencies various other components have on the component in question. Software engineers read "design" and "dependencies" in the statement above and wince, and rightfully so. Even if the issue does not pervade a lot of components (as is the case here) and affects just one component that many others depend on, or if the issue is ingrained in the design of the component, the changes required are difficult to engineer. Not impossible, just difficult. And the impact of any of these changes would be pervasive and would require coordination between several different teams at Microsoft. These teams are going to great lengths to identify these components, to make sure the fixes are adequate and not just a band-aid, and to test every component so that no undesired behavior is introduced in the process.

Conclusion

Microsoft is committed to providing a comprehensive and high quality update with minimal user impact for this issue. The nature of this issue requires thoroughness on our part for issuing an update. The workarounds provided in the advisory are still applicable in mitigating the issue.
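For IIS the advisory's workaround is also the best practice mentioned at the start of this post: stop running application pools under the shared NetworkService identity and give each one a dedicated, low-privilege account, so a worker process no longer shares a token space with unrelated services. The script below is an added example and not part of the original post: it uses the IIS 7 `appcmd.exe` tool to audit which pools still use NetworkService and then moves one pool to a specific account. The pool name and account name are placeholders, and it assumes an elevated prompt on a server with IIS 7.

```powershell
# Added example (not from the original post): audit and change the identity of
# IIS 7 application pools with appcmd.exe. Pool and account are placeholders.
$appcmd = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'

# 1. Audit: which pools still run as the built-in NetworkService account?
$pools = @(& $appcmd list apppool /text:name)
foreach ($pool in $pools) {
    $identity = & $appcmd list apppool $pool /text:processModel.identityType
    if ($identity -eq 'NetworkService') {
        Write-Output ('{0}: shares the NetworkService identity' -f $pool)
    }
}

# 2. Mitigate: run one pool as its own dedicated account.
$pool = 'ExamplePool'                 # placeholder pool name
$user = 'EXAMPLE\svc_examplepool'     # placeholder dedicated account
$secure = Read-Host -Prompt ('Password for ' + $user) -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    # appcmd takes the password in clear text; keep it in scope only as long
    # as needed and zero the unmanaged copy afterwards.
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    & $appcmd set apppool $pool `
        "/processModel.identityType:SpecificUser" `
        "/processModel.userName:$user" `
        "/processModel.password:$plain"
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# Confirm the change took effect.
& $appcmd list apppool $pool /text:processModel.identityType
```

Re-running the audit loop afterwards should report no pool on NetworkService; the dedicated account needs only the file-system rights of the content it serves, and it should not be reused across pools, or the pools are back to sharing an identity.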

Published Tuesday, October 14, 2008 12:02 AM by naziml

Comments

# re: Token Kidnapping in Windows

Tuesday, October 14, 2008 9:33 PM by DanielVL

Nice blog entry.

# re: Token Kidnapping in Windows

Sunday, January 4, 2009 12:51 PM by islami sohbet

I like this entry but I am seeing lots of spammers and I couldn't read all the messages. Thanks.

# re: Token Kidnapping in Windows

Tuesday, February 24, 2009 5:25 PM by islami forum

It was really a good subject but I can't see much description, I need more explanation, thanks.

# re: Token Kidnapping in Windows

Friday, October 30, 2009 2:50 PM by capturetr

That’s great! I’m looking forward to it.
