New (but Old) Technique Hijacks User Sessions on All Windows Versions

Discussion in 'malware problems & news' started by itman, Mar 19, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,302
    Location:
    U.S.A.
    https://www.bleepingcomputer.com/ne...ijacks-user-sessions-on-all-windows-versions/
     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,642
    Location:
    Europe then Asia
    Not sure I get it?

    These "attacks" can be done only via the admin account?
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    6,602
    It's more or less a password bypass.
    Somewhere else I also read that a user has to be admin. Can't find the article ATM.

    It basically means that the user should log off when leaving the computer - locking it isn't enough.
     
  4. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,642
    Location:
    Europe then Asia
    I see, thank you. At first, it reminded me of the old Win98/XP login password type of bypass. And as you said, locking isn't enough; I always log off. I lock only when I have to leave my machine for less than 30 sec or when I have it in sight.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,302
    Location:
    U.S.A.
    This explains the attack in more detail:
    http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,768
    Location:
    localhost
    Sounds like the author of the article discovered hot water. If you created a system admin account on the machine, then you have total control of the system. It's always been like this. o_O
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,302
    Location:
    U.S.A.
    Correct. But any changes made would be traced back to that admin account.

    What the author is stating by this:
    is that the admin can hijack the logged-on user's desktop. At this point, any system activity/changes are traced to that user. That should not be allowed.

    -EDIT- Also note that this vulnerability is not the same as the common RDP scenario in corp. environments where an admin can access a remote PC while a user is currently logged on. Or the forced logoff of network-connected endpoints, which again is quite common.

    Bottom line - if a user session is in locked mode, no one should be able to access that session other than the logged-on user.
     
    Last edited: Mar 20, 2017
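A defender-side starting point for the concern raised in this post (a locked session being reattached by someone other than its owner, with the activity then attributed to that user). This is an added example, not code from the thread or from the linked articles. It assumes the "Audit Other Logon/Logoff Events" subcategory is enabled so that Windows writes Security events 4778 (session reconnected to a Window Station) and 4779 (session disconnected), and that it runs with rights to read the Security log. The "reconnected from a different client than the last disconnect" flag is a triage heuristic of this example, not a documented indicator, so treat flagged rows as items to review rather than as proof of hijacking.

```powershell
# Added example: list recent session reconnect/disconnect events and flag
# reconnections whose client name differs from the client that last
# disconnected the same account. Assumes Security events 4778/4779 are
# being audited and the caller can read the Security log.
param(
    [int]$Days = 7   # how far back to look
)

$filter = @{
    LogName   = 'Security'
    Id        = 4778, 4779
    StartTime = (Get-Date).AddDays(-$Days)
}

# Oldest first so disconnect/reconnect pairs are seen in order.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

$lastDisconnect = @{}   # key: DOMAIN\Account -> most recent 4779 record

$findings = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $acct = '{0}\{1}' -f $d.AccountDomain, $d.AccountName

    $record = [pscustomobject]@{
        Time       = $e.TimeCreated
        EventId    = $e.Id
        Account    = $acct
        Session    = $d.SessionName
        ClientName = $d.ClientName
        ClientAddr = $d.ClientAddress
        Flag       = ''
    }

    if ($e.Id -eq 4779) {
        # Remember where this account's session was last disconnected from.
        $lastDisconnect[$acct] = $record
    }
    elseif ($lastDisconnect.ContainsKey($acct) -and
            $lastDisconnect[$acct].ClientName -ne $d.ClientName) {
        # Heuristic (assumption of this example): a reconnect from a client
        # other than the one that disconnected is worth a second look.
        $record.Flag = 'reconnected from a different client than last disconnect'
    }
    $record
}

# Full timeline for the period, then only the rows that tripped the heuristic.
$findings | Format-Table -AutoSize
$findings | Where-Object Flag |
    Format-Table Time, Account, Session, ClientName, Flag -AutoSize
```

Run it on the workstation in question (or point `-ComputerName` on `Get-WinEvent` at a remote host if you collect logs centrally) and compare the reconnect timestamps with the user's own account of when they were at the keyboard; a reconnect to a locked session while its owner was away is exactly the case the post describes.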
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,642
    Location:
    Europe then Asia
    In a corporate environment, no way I let a user workstation out of my reach. They mess things up enough already. Back in the day, I decided myself what the log-in password of the users should be.
    They are here to work, so they have nothing to hide from the admin.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,302
    Location:
    U.S.A.
    Has nothing to do with "hiding from the admin." It's to prevent the admin from committing fraud and blaming it on the user whose account he hacked. This is of utmost importance in any subsequent legal action that might be pursued. All an attorney has to demonstrate is that this activity is possible, and any case against an employee would be dismissed.
     
  10. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,642
    Location:
    Europe then Asia
    The admin is all-powerful in a company, even above the CEO; if the admin wants to abuse/ruin the company, he doesn't need to get the passwords of the other users.
    At worst, he just has to reinstall the OS of the employees' machines pretending some issues on the machine, put in a keylogger, exclude the logger from the security solution (if any), and when the job is done, erase his traces. Nobody will know, and he can even blame the employee because "employees have no clue about security and are known to open every mail and attached file they see."
     