This is a mirror of the official site: http://jasper-net.blogspot.com/

Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access Using Hidden Regular User Masquerading After Compromise

Friday, December 3, 2010
TITLE:
Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access Using Hidden Regular User Masquerading After Compromise

SUMMARY AND IMPACT:
All versions of Microsoft Windows allow real-time modifications to the Security Accounts Manager (SAM) that enable an attacker to create a hidden administrative backdoor account for continued access once a system has been compromised. Once an attacker has compromised a Microsoft Windows computer system using any method, they can either leave behind a regular user account or hijack a known user account (such as ASPNET). This user account will then have all of the rights of the built-in local Administrator account for local or remote connections. The user will also share the Administrator's desktop and profile. When inspected by system administrators, the regular user always appears to be just a member of the built-in Users group. The attacker can also make the regular user account hard to detect by creating a user with the username "ALT-0160", which is a blank space. Events pertaining to the hidden account will be created in the audit log if the system administrator has enabled auditing, but the user name fields are all blank. Once a system has been compromised, the attacker needs the Task Scheduler service to be enabled only when starting the method. This method can be used to masquerade as any user account on the computer system.
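A defender-side check for the two indicators the summary mentions (an account name that is only a blank character, and audit records whose user name field is blank), as an added example that is not part of the original advisory. The CSV layout, the `user_name` column and the sample data are assumptions constructed for illustration.

```python
import csv
import io
import unicodedata

# Unicode categories that render as nothing or as empty space: Zs/Zl/Zp separators
# (includes U+00A0, the character typed as ALT-0160), Cc controls, Cf format chars.
BLANK_CATEGORIES = {"Zs", "Zl", "Zp", "Cc", "Cf"}


def is_visually_blank(name):
    """True when a name is empty or made only of characters that display as blank."""
    return all(unicodedata.category(ch) in BLANK_CATEGORIES for ch in name)


def describe(name):
    """Render a name as code points so a reviewer can see what it really contains."""
    return " ".join(f"U+{ord(ch):04X}" for ch in name) or "<empty>"


def flag_accounts(names):
    """Return (name, code points) for account names that would look blank in a listing."""
    return [(n, describe(n)) for n in names if is_visually_blank(n)]


def flag_events(csv_text, user_column="user_name"):
    """Return exported audit rows whose user-name field looks blank (assumed CSV layout)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if is_visually_blank(row.get(user_column) or "")]


# Constructed sample data (not taken from a real system).
SAMPLE_ACCOUNTS = ["Administrator", "Guest", "ASPNET", "\u00a0", "backup svc"]
SAMPLE_EVENTS = (
    "record,event,user_name\n"
    "1,logon,Administrator\n"
    "2,logon,\u00a0\n"
    "3,logoff,\n"
    "4,logon,ASPNET\n"
)

if __name__ == "__main__":
    for name, points in flag_accounts(SAMPLE_ACCOUNTS):
        print(f"blank-looking account name: {points}")
    for row in flag_events(SAMPLE_EVENTS):
        print(f"audit record {row['record']}: blank user name field")
```

Printing the code points matters because a name made of U+00A0 is indistinguishable from an empty field in most account listings and log viewers.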

DETAILS:
Use the following steps to exploit this vulnerability.

Read more: ExploitDevelopment.com
