Posted by ProCOM
on October 5, 2007 – 11:12 am - 300 views
Bored once again.
Summary: While a user at any security membership level is logged in locally, a process started with the “run as” feature can kill all of the processes running under the user who initiated “run as”, even if that initiating user has a higher security membership level than the user the “run as” process runs as. The kill is performed with taskkill.exe, which is built into Windows XP.
General Notes:
1. This issue is, of course, mostly relevant when exploited by a malicious binary and less so when used interactively by a local user.
2. I will refer to the user who initiated the “run as” feature as the “host” and to the user being run “inside” “run as” as the “guest”.
3. This can be done either with “Fast User Switching” (FUS), whether the session is console- or terminal-based, or with the regular local console (where only one user can be logged in locally at a time).
4. A contributing factor to the success of the attack is that any user with only a “users” group membership can view a list of the processes currently run by other users (although this is NOT possible with the regular “Task Manager”) using the built-in utility tasklist.exe (“tasklist /v” adds the user name attached to each process, and “tasklist /fi “username eq computer_name\user_name”” then filters out the processes of a specific user) or an MS utility like “Process Explorer”.
5. This vulnerability manifests only with the combination of “run as” and “taskkill”. Regular usage of taskkill will not allow the attack (an “access is denied” error message will appear).
6. The guest can kill processes of the host regardless of the host’s security membership level, be it identical to the guest’s or higher.
7. Using the older version of taskkill, tskill.exe, was not successful; the attack failed under the same conditions.
8. While using FUS, only the host user’s processes can be killed, not the processes of any other currently logged-in FUS user.
9. One factor that limits the possible attack vectors is that “run as” can’t be fully automated, since the password can’t be stored in advance and must be typed in with every activation of the command. This limitation could be defeated if one found a way to store the password within a script or binary and supply it to the password prompt at run-time.
10. One factor that increases the chance of success is that taskkill.exe is located under c:\windows\system32, which is included in the “path” environment variable, so the utility can be executed regardless of the attacker’s current directory in the file system.
11. The attack was successful whether the “run as” command was started from the GUI or from a command line.
Possible Abuses: Any user who uses “run as” as a kind of “sandbox” for running suspicious binaries or accessing the internet, believing that running under another user’s identity (most likely one with lower security rights and permissions) will protect him/her, is exposed to a denial of service attack that can kill any of his/her running applications and processes, up to the entire logon session (explorer.exe). Killing explorer.exe prompts the user to shut down the computer, which can happen if the user is not careful.
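The combination the notes single out (a limited account running taskkill, and in particular a `username eq` filter naming an account other than the one invoking it) is easy to pick out of process-creation telemetry. The following detection logic is an added example, not part of the original post; the log format, the `XPBOX` machine name, the `limited` account and the set of admin accounts are all constructed assumptions, and the sample records are made up rather than captured from a real system.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample process-creation records; they are NOT real Windows logs.
# Fields are pipe-separated: time | account that started the process | image | command line.
SAMPLE_EVENTS = """\
2007-10-05 11:01:02|XPBOX\\Administrator|C:\\WINDOWS\\system32\\cmd.exe|cmd.exe
2007-10-05 11:01:30|XPBOX\\limited|C:\\WINDOWS\\system32\\cmd.exe|cmd.exe
2007-10-05 11:02:10|XPBOX\\limited|C:\\WINDOWS\\system32\\tasklist.exe|tasklist /v /fo list
2007-10-05 11:02:45|XPBOX\\limited|C:\\WINDOWS\\system32\\taskkill.exe|taskkill /im iexplore.exe
2007-10-05 11:03:20|XPBOX\\limited|C:\\WINDOWS\\system32\\taskkill.exe|taskkill /fi "username eq administrator"
2007-10-05 11:04:00|XPBOX\\Administrator|C:\\WINDOWS\\system32\\taskkill.exe|taskkill /fi "username eq XPBOX\\Administrator"
"""

# taskkill's user filter, e.g.  /fi "username eq administrator"
USERNAME_FILTER = re.compile(r'/fi\s+"?\s*username\s+eq\s+([^"\s]+)', re.IGNORECASE)
# direct targets: /pid <n> or /im <image>
TARGET_SWITCH = re.compile(r'/(pid|im)\s+(\S+)', re.IGNORECASE)


@dataclass
class Finding:
    time: str
    account: str
    severity: str
    rule: str
    detail: str


def short_name(account: str) -> str:
    """Strip a MACHINE\\ or DOMAIN\\ prefix and lower-case the account name."""
    return account.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one constructed record into (time, account, image, command line)."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    time, account, image, cmdline = (p.strip() for p in parts)
    return time, account, image, cmdline


def analyse_event(time, account, image, cmdline, admin_accounts) -> List[Finding]:
    """Apply the two rules to a single taskkill invocation."""
    findings: List[Finding] = []
    if image.rsplit("\\", 1)[-1].lower() != "taskkill.exe":
        return findings
    actor = short_name(account)
    # Rule 1: a username filter that names someone other than the invoker.
    m = USERNAME_FILTER.search(cmdline)
    if m and short_name(m.group(1)) != actor:
        findings.append(Finding(time, account, "high", "cross-user-kill-filter",
                                f"{actor} ran taskkill filtered on username {short_name(m.group(1))!r}"))
    # Rule 2: any taskkill from an account outside the (assumed) admin set.
    if actor not in admin_accounts:
        t = TARGET_SWITCH.search(cmdline)
        target = f"/{t.group(1).lower()} {t.group(2)}" if t else "filter-only invocation"
        findings.append(Finding(time, account, "medium", "taskkill-by-limited-account",
                                f"{actor} invoked taskkill ({target})"))
    return findings


def detect(lines: Iterable[str], admin_accounts=frozenset({"administrator"})) -> List[Finding]:
    """Run the rules over an iterable of records and collect findings in order."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            findings.extend(analyse_event(*ev, admin_accounts))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{f.time} [{f.severity:6}] {f.rule:27} {f.detail}")
```

The administrator's own filtered kill in the last record is deliberately not flagged: the filter names the invoking account, so it is ordinary self-administration. On real telemetry the second rule needs your actual list of administrative accounts, and the first rule is the one worth alerting on.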
Reproduction:
Setup steps:
1. Log in to the computer as a local administrator.
2. Create a user that is a member of only the local “users” group.
3. I am not sure if the following step is needed: log off, log in as the regular user to create its profile, then log off and log in again as the administrator.
Actual steps:
1. Create a desktop shortcut for cmd.exe.
2. Run Internet Explorer (it will be killed later).
3. Right-click the cmd.exe shortcut and choose “run as”.
4. Select the option “the following user”, enter the regular user’s name and password and click “OK”.
5. Run the following command to list all of the currently running processes with their owner accounts: tasklist /v /fo list
6. After spotting the desired user, administrator in our case, run the following command to filter only the processes run by this user: tasklist /fi “username eq administrator”
7. To kill a specific process, you can kill it either by process id (PID) or by process/image name: taskkill /pid number_of_desired_pid or taskkill /im iexplore.exe. Notice that Internet Explorer is gone now (from both the GUI and the list of running processes).
8. As the host (the administrator user), run Internet Explorer again and also run Calculator (calc.exe).
9. Now, we will run the following command to kill ALL of the administrator processes:
taskkill /fi “username eq administrator”
10. You will notice the following:
A. The cmd window lists all of the administrator’s processes that were killed, by PID.
B. Internet Explorer and Calculator are killed.
C. Because explorer.exe was killed, the logoff/restart/shutdown window is presented. If the OS is using the “welcome screen”, the “stand by” option is the default. If the OS is using the regular console, “shut down” is the default option, and a careless user can shut down the machine.
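Steps 5, 6 and 9 above show why the impact is so broad: the `/v` listing exposes every user's processes, and a `username eq` filter sweeps up the logon shell along with everything else. The following parser and dry-run evaluator is an added example, not code from the post; the `tasklist /v /fo list` output embedded below is a constructed approximation (realistic layout, made-up values) for the post's host/guest scenario, and the assumption that the filter accepts both the bare account name and the `MACHINE\name` form, as the post's own commands do, is marked in the code.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed approximation of `tasklist /v /fo list` output for the post's
# scenario (host = Administrator, guest = a "users"-only account). It was not
# captured from a real machine; only the list layout is realistic.
SAMPLE_TASKLIST = """\
Image Name:   explorer.exe
PID:          1188
Session Name: Console
Session#:     0
Mem Usage:    18,432 K
Status:       Running
User Name:    XPBOX\\Administrator
CPU Time:     0:00:05
Window Title: N/A

Image Name:   iexplore.exe
PID:          1620
Session Name: Console
Session#:     0
Mem Usage:    24,100 K
Status:       Running
User Name:    XPBOX\\Administrator
CPU Time:     0:00:02
Window Title: Microsoft Internet Explorer

Image Name:   calc.exe
PID:          1704
Session Name: Console
Session#:     0
Mem Usage:    3,212 K
Status:       Running
User Name:    XPBOX\\Administrator
CPU Time:     0:00:00
Window Title: Calculator

Image Name:   cmd.exe
PID:          1812
Session Name: Console
Session#:     0
Mem Usage:    2,560 K
Status:       Running
User Name:    XPBOX\\limited
CPU Time:     0:00:00
Window Title: Command Prompt
"""


def parse_tasklist_list(text: str) -> List[Dict[str, str]]:
    """Parse the blank-line-separated "Key: value" records of `tasklist /fo list`."""
    procs: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only: "CPU Time: 0:00:05"
            entry[key.strip()] = value.strip()
        if "PID" in entry:
            procs.append(entry)
    return procs


def processes_by_owner(procs: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """What any account learns from `tasklist /v`: every user's image names."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for p in procs:
        owners[p.get("User Name", "N/A")].append(p["Image Name"])
    return dict(owners)


def user_filter_matches(owner: str, wanted: str) -> bool:
    # ASSUMPTION: the `username eq` filter is compared case-insensitively and
    # accepts either the bare name or MACHINE\name, mirroring both spellings
    # the post uses; verify against your own build before relying on it.
    owner, wanted = owner.lower(), wanted.lower()
    return owner == wanted or owner.rsplit("\\", 1)[-1] == wanted


def kill_preview(procs: List[Dict[str, str]], wanted: str) -> Dict[str, object]:
    """Dry run: which processes a `username eq <wanted>` filter would select,
    and whether explorer.exe (the logon shell) is among them."""
    hit = [p for p in procs if user_filter_matches(p.get("User Name", ""), wanted)]
    return {
        "pids": [int(p["PID"]) for p in hit],
        "images": [p["Image Name"] for p in hit],
        "shell_lost": any(p["Image Name"].lower() == "explorer.exe" for p in hit),
    }


if __name__ == "__main__":
    procs = parse_tasklist_list(SAMPLE_TASKLIST)
    for owner, images in processes_by_owner(procs).items():
        print(f"{owner}: {', '.join(images)}")
    print(kill_preview(procs, "administrator"))
```

`kill_preview` terminates nothing; it only evaluates the filter over a listing, which is what makes the shutdown prompt in step 10C predictable: as long as explorer.exe runs as the host, a host-wide filter will always take the shell down with the applications.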
Will do more digging on this and let you know.
Thanks Eitan