Castro has shared the details of the vulnerability on his blog. He says the flaw is in Windows XP and gives hackers means to move admin accounts to their own machines. Ok, Windows XP is a two-decade old platform, but it is still on around 10% of all Windows PCs, many of them in business environments. Castro tested and demonstrated the flaw by creating a Metaspilot module: “I decided to write a Metasploit module, by taking as a reference the enable_support_account post module which was developed by my colleague and friend Santiago Díaz. This module exploits the core of the vulnerability mentioned in the above reference, but it is limited to work only in XP/2003 Windows version, by modifying a security descriptors of the support_388945a0 built-in account.” However, the rid_hijack module automatizes this attack with any existing account on the victim. It could be found in post/windows/manage/rid_hijack.”
Admin Privileges
Castro used the module across several other Windows systems, including Windows Server 2003, Windows 8.1, and Windows 10. Through the exploit, users can transfer admin account privileges to a Guest account. “Regardless of the version since XP, Windows uses the Security Account Manager (SAM) to store the security descriptors of local users and built-in accounts. As is mentioned in How Security Principals Work, every account has an assigned RID which identifies it. Different from domain controllers, Windows workstations and servers will store most part of this data in the HKLM\SAM\SAM\Domains\Account\Users key, which requires SYSTEM privileges to be accessed.” Castro says he reported his findings to Microsoft 10 months ago, but the company ignored him. While that may be because Windows XP is old, it is more likely the company’s Group Policy Object solution already prevents this type of attack from being carried out in a real environment. Either way, it will be nice to hear from Microsoft officially.
