Cyber security essentials

Malicious Code

233

Exhibit 4-19 A visual representation of the token-kidnapping process. The diagram shows an attacker, a service process holding a privileged token, a service thread holding the process token, an impersonation token, and Local System, linked by four numbered steps:

1. Connect to service.
2. Impersonate a service to assign the process's token to a thread.
3. Duplicate the privileged token in the thread.
4. Use the privileged token from the thread for system exploitation.

The token level of impersonation is very important in token kidnapping, as anonymous- and identification-level tokens do not have sufficient privileges to carry out operations on the process's behalf. The impersonation level allows the thread to perform operations with the permissions of the user running the process. For example, if the program using MSDTC does not have a token level of impersonation, then it cannot operate with the permissions of the network service. Exhibit 4-20 shows the MSDTC token for the network service account having a token level of impersonation. For successful token kidnapping, an impersonated user needs to acquire the permissions of another, higher-privileged account. The higher-privileged accounts are vital, as each process and thread has its own access control list. These access control lists define who can access the thread or process and what operations they may perform. The PROCESS_DUP_HANDLE access right is a necessity to duplicate object handles in another process. The object handle duplicated in token kidnapping is the handle to the privileged token.

Handle value: 0000071C
User: NT AUTHORITY\NETWORK SERVICE
Privileges: SeCreateGlobalPrivilege SeImpersonatePrivilege SeChangeNotifyPrivilege
Token type: Impersonation
Token level: SecurityImpersonation

Exhibit 4-20 Process tokens after initializing Microsoft Distributed Transaction Coordinator (MSDTC) with SeImpersonate enabled.

© 2011 by Taylor & Francis Group, LLC
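The preconditions described above (a service account whose token carries SeImpersonatePrivilege, with the token type, level and privilege list that Exhibit 4-20 displays) can be audited on a host rather than taken on faith. The PowerShell script below is an added example written for this discussion, not code from the book; it assumes an administrative PowerShell session on Windows, and the class name TokenNative and the functions Get-TokenInfoBuffer and Get-TokenSummary are this example's own names. It queries each process's token through the documented advapi32 calls OpenProcessToken and GetTokenInformation and reports the processes running as a service account with SeImpersonatePrivilege enabled.

```powershell
# Added example (not from the book): audit process tokens for the token-kidnapping
# preconditions. Requires an elevated session; TokenNative, Get-TokenInfoBuffer and
# Get-TokenSummary are names chosen for this example.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, int TokenInformationLength, out int ReturnLength);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool LookupPrivilegeName(string lpSystemName, IntPtr lpLuid,
        System.Text.StringBuilder lpName, ref int cchName);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

# Two-call pattern: ask for the required size, then fetch the structure into unmanaged memory.
# Returns $null when the information class does not apply (e.g. TokenImpersonationLevel on a primary token).
function Get-TokenInfoBuffer {
    param([IntPtr]$Token, [int]$Class)
    $len = 0
    [void][TokenNative]::GetTokenInformation($Token, $Class, [IntPtr]::Zero, 0, [ref]$len)
    if ($len -eq 0) { return $null }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($len)
    if (-not [TokenNative]::GetTokenInformation($Token, $Class, $buf, $len, [ref]$len)) {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        return $null
    }
    return $buf
}

function Get-TokenSummary {
    param([System.Diagnostics.Process]$Process)
    try { $hProc = $Process.Handle } catch { return $null }   # protected processes deny access
    $token = [IntPtr]::Zero
    if (-not [TokenNative]::OpenProcessToken($hProc, 0x0008, [ref]$token)) { return $null }  # TOKEN_QUERY
    try {
        # TokenUser (class 1): the structure begins with a pointer to the account SID
        $userBuf = Get-TokenInfoBuffer $token 1
        $sid = New-Object System.Security.Principal.SecurityIdentifier([Runtime.InteropServices.Marshal]::ReadIntPtr($userBuf))
        try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $account = $sid.Value }
        [Runtime.InteropServices.Marshal]::FreeHGlobal($userBuf)

        # TokenType (class 8): 1 = primary, 2 = impersonation
        $typeBuf = Get-TokenInfoBuffer $token 8
        $type = if ([Runtime.InteropServices.Marshal]::ReadInt32($typeBuf) -eq 2) { 'Impersonation' } else { 'Primary' }
        [Runtime.InteropServices.Marshal]::FreeHGlobal($typeBuf)

        # TokenImpersonationLevel (class 9): the "Token level" field of Exhibit 4-20; only impersonation tokens have one
        $levelNames = 'SecurityAnonymous', 'SecurityIdentification', 'SecurityImpersonation', 'SecurityDelegation'
        $lvlBuf = Get-TokenInfoBuffer $token 9
        if ($lvlBuf) {
            $level = $levelNames[[Runtime.InteropServices.Marshal]::ReadInt32($lvlBuf)]
            [Runtime.InteropServices.Marshal]::FreeHGlobal($lvlBuf)
        } else { $level = 'n/a (primary token)' }

        # TokenPrivileges (class 3): DWORD count followed by LUID_AND_ATTRIBUTES entries of 12 bytes each
        $privBuf = Get-TokenInfoBuffer $token 3
        $count = [Runtime.InteropServices.Marshal]::ReadInt32($privBuf)
        $privs = for ($i = 0; $i -lt $count; $i++) {
            $entry = [IntPtr]::Add($privBuf, 4 + 12 * $i)
            $attrs = [Runtime.InteropServices.Marshal]::ReadInt32($entry, 8)   # attributes follow the 8-byte LUID
            $name = New-Object System.Text.StringBuilder 256
            $cch = $name.Capacity
            [void][TokenNative]::LookupPrivilegeName($null, $entry, $name, [ref]$cch)
            # 0x1 = enabled by default, 0x2 = enabled
            [pscustomobject]@{ Name = $name.ToString(); Enabled = (($attrs -band 0x3) -ne 0) }
        }
        [Runtime.InteropServices.Marshal]::FreeHGlobal($privBuf)

        [pscustomobject]@{
            ProcessId     = $Process.Id
            Name          = $Process.ProcessName
            User          = $account
            TokenType     = $type
            TokenLevel    = $level
            SeImpersonate = [bool]($privs | Where-Object { $_.Name -eq 'SeImpersonatePrivilege' -and $_.Enabled })
            Privileges    = ($privs | Where-Object Enabled | ForEach-Object Name) -join ' '
        }
    } finally { [void][TokenNative]::CloseHandle($token) }
}

# Report the combination the text identifies as the starting point for token kidnapping:
# a service account whose token has SeImpersonatePrivilege enabled.
$serviceAccounts = 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\LOCAL SERVICE'
Get-Process | ForEach-Object { Get-TokenSummary $_ } |
    Where-Object { $_ -and $_.SeImpersonate -and ($serviceAccounts -contains $_.User) } |
    Format-Table ProcessId, Name, User, TokenType, TokenLevel, Privileges -AutoSize
```

The script inspects each process's primary token, so the "Token level" column reads "n/a (primary token)" for most rows; the SecurityImpersonation level of Exhibit 4-20 belongs to the impersonation token a service thread receives when it impersonates a client, and the same TokenImpersonationLevel query applied to a thread token would return it. The list of service-account processes holding SeImpersonatePrivilege is the inventory a defender wants when deciding which services warrant isolation into their own accounts or review of their impersonation settings.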

