Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: Microsoft

Microsoft Bug Bounties – Podcast interview with Katie Moussouris


As most people have already read (unless you’re still under that rock), Microsoft made a landmark announcement yesterday regarding its new bug bounty programs. If you’ve not already read about the news I won’t try to rehash what’s already been said (detailed information is available in the links below). However, in a case of “right place, right time”, Martin McKeay and I managed to chat with Katie Moussouris (the driver behind these programs) as part of the FIRST conference podcast series.

Hopefully this open and frank discussion helps to clear up any questions people may have about the programs and their effect on the InfoSec community at large. Microsoft always do things in a unique way, and these bug bounty programs are unique in many ways. With more emphasis on defense and a real focus on fixing the underlying problems, the programs certainly look interesting, and are another step along the path to making things more secure… hopefully.

Microsoft’s announced bug bounties:

  • Mitigation Bypass Bounty
  • BlueHat Bonus for Defense
  • Internet Explorer 11 Preview Bug Bounty

The podcast can be found here –> http://media.first.org/podcasts/FIRST2013-Katie-Moussoris-Microsoft.mp3


MS09-012: Fixing “Token Kidnapping”

This was the headline that grabbed my attention this morning on the Microsoft Security & Defence Blog. Had Microsoft finally patched the token impersonation flaw (or feature, as Microsoft regard it) that is used by the Incognito tool to allow a compromised SYSTEM-level account to impersonate local or domain users? In short, no, and I say that with mixed feelings.

As a penetration tester, I can breathe a sigh of relief and know that this attack vector is still open. As a defender, the chance that Microsoft had changed the way this functionality works to block the attack would have been a welcome update to protect our systems. Still, you can’t expect Microsoft to repair something they see as a feature and the way things should work. Some things aren’t meant to be repaired, I guess.


Just to make sure that Microsoft hadn’t broken the Incognito functionality while changing the way tokens work, I ran a couple of tests against a Windows XP Service Pack 2 machine.

I started off with an unpatched version and ran the trusty MS08-067 exploit to get a meterpreter shell.

./msfcli exploit/windows/smb/ms08_067_netapi payload=windows/meterpreter/bind_tcp LHOST= RHOST= E

This functioned as you’d expect and resulted in a meterpreter shell running under the Local System account. After running the “use incognito” command I listed the available tokens using “list_tokens -u”.


Taking the local account “pentestuser” as the token to impersonate, I ran “impersonate_token PENTEST-3C73D9C\pentestuser”


Success, as expected on the unpatched system. Next up, I patched the system, rebooted and repeated the same msfcli exploit (MS08-067). This time, however, the exploit failed on the first run because it couldn’t isolate the exact service pack version; Metasploit listed it as Service Pack 2+ (which is technically correct). Re-running the command completed the exploit, however.


Even after the patch everything seems fine in the token list.


The final test was impersonation of the PENTEST-3C73D9C\pentestuser user. As before this went off without a hitch, giving us access to the local user without error.


Microsoft have patched the flaws listed in KB952004 without affecting the Incognito tool (or the implementation of the tool within Metasploit). Good for attackers, bad for defenders. But you can’t always have it both ways, can you? I doubt that we’ll be seeing a patch against the token impersonation behaviour used by Incognito anytime soon, if at all.
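For defenders reading this, the two things worth checking on a host are whether the KB952004 package from MS09-012 is actually installed, and which principals hold the token privileges (SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege) that token kidnapping and Incognito-style impersonation rely on. The following PowerShell audit is an added example, not code from the original post or from Microsoft; it assumes a Windows host with PowerShell 2.0 or later (Get-HotFix and secedit are built in) and an elevated session, and the baseline of default privilege holders it compares against is the well-known Windows default, not something taken from this post.

```powershell
# Added defender-side audit (example code, not from the original post).
# Run from an elevated PowerShell session; secedit needs administrative rights.

$KbId = 'KB952004'   # KB number as quoted in the post above

function Test-Ms09012Installed {
    # Get-HotFix wraps Win32_QuickFixEngineering; a missing hotfix returns nothing.
    $hf = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Get-TokenPrivilegeHolders {
    # Export the local user-rights assignment with secedit and parse the two
    # privileges of interest. The export lists SIDs prefixed with '*'.
    $inf = Join-Path $env:TEMP 'user_rights_audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $wanted = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
    $result = @()
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$' -and $wanted -contains $Matches[1]) {
            $priv = $Matches[1]
            $sids = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
            foreach ($sid in $sids) {
                if (-not $sid) { continue }
                try {
                    # Resolve the SID to an account name for readability; keep the SID on failure.
                    $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                                [System.Security.Principal.NTAccount]).Value
                } catch { $name = $sid }
                $result += New-Object PSObject -Property @{ Privilege = $priv; Sid = $sid; Account = $name }
            }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $result
}

function Get-NonDefaultTokenPrivilegeHolders {
    # Well-known default holders of both privileges on a stock Windows install:
    # Administrators, LOCAL SERVICE, NETWORK SERVICE and SERVICE. Anything else
    # (a custom service account, an application pool identity, a user) widens
    # the set of principals able to impersonate other logged-on users.
    $defaults = 'S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6'
    Get-TokenPrivilegeHolders | Where-Object { $defaults -notcontains $_.Sid }
}

if (Test-Ms09012Installed) { Write-Output "$KbId is installed" }
else { Write-Output "$KbId is NOT installed" }

Write-Output 'Token privilege holders beyond the Windows defaults:'
Get-NonDefaultTokenPrivilegeHolders | Format-Table Privilege, Account, Sid -AutoSize
```

Note what this does and does not tell you: the hotfix check confirms the Token Kidnapping fixes are present, but, as the post shows, a process that is already running as Local System can still impersonate any token present on the box. The privilege listing is therefore about exposure, not about closing the gap: the fewer non-default principals that can impersonate, and the fewer privileged domain accounts that leave tokens on low-trust hosts, the less an Incognito-style impersonation gains an attacker.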

I’m heading to Blackhat Europe in a few hours (courtesy of a last minute press registration). If you’re there feel free to drop me a line and buy me a drink 😉 –> contact [at] c22 [dot] cc