A security researcher has detailed a way to log into any account on the same computer, even without knowing its password. The trick works on all Windows versions, doesn’t require special privileges, and the researcher can’t figure out if it’s a Windows feature or security flaw.
The researcher, Alexander Korznikov, calls the attack a “privilege escalation and session hijacking.” The attack can be performed using physical access to the device, but also via an RDP session on a hacked machine, escalating the attacker’s access to other (higher-privileged) accounts.
The general idea behind the attack is that any user, regardless of his role, can use CLI commands built into all Windows versions to escalate his access and switch to any other active user session on the PC.
The targeted account must be logged in on the same machine, otherwise, the attack won't work.
In normal conditions, this would imply the attacker having to know the account’s password. But not in Korznikov’s attack.
The attacker, from his own account, can execute some cmd.exe commands and then select the active user session he wants to log into, no password required. This attack works with local user sessions, but also with RDP sessions.
The whole attack takes about one minute to perform and doesn’t include many steps, meaning it’s easy to memorize.
Below are three videos demoing the attacks. The first shows how to take over a Windows 7 user session via the Task Manager & cmd.exe, the second only via cmd.exe, while the third shows the hijacking of a Windows Server 2012 account via service creation.
Below is an example of how an attacker could use this attack, as envisioned by Korznikov himself.
Some bank employee have access to billing system, and it's credentials to login.
One day, he come to work, logging in to the billing system and start to work. At lunch time he will lock his workstation, and out to lunch.
Then, system administrator gets to employee's workstation, and logs in with his administrator's account.
According to the bank's policy, administrator's account should not have access to the billing system, but with couple of built-in commands in windows, this system administrator will hijack employee's desktop which he leaved locked. From now, sysadmin can perform malicious actions in billing system as billing employee account.
Because the attack uses local built-in Windows tools, the attacker doesn’t have to download other malware on the target’s machine, an operation that sometimes triggers alarm bells on a company’s security systems.
Korznikov discovery isn’t entirely new but appears to be an expanded version of an older attack. Back in 2011, Benjamin Delpy, a security researcher for the Bank of France, detailed the very same user session hijacking technique on his blog, albeit in French.
Taking into account his blog post's age, it is highly unlikely that Microsoft didn't find out about this issue in the past six years. It's very likely that they didn't consider it a security flaw, and deemed this was how Windows was supposed to behave.