Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: Patches

MS09-012: Fixing “Token Kidnapping”

This was the headline that grabbed my attention this morning on the Microsoft Security & Defence Blog. Had Microsoft finally patched the token impersonation flaw (or feature as Microsoft regard it) that is used by the Incognito tool to allow a compromised system level account to impersonate local or domain users. In short no, and I say that with mixed feelings.

As a penetration tester, I can breath a sigh of relief and know that this attack vector is still open. As a defender, the chance that Microsoft had changed the way this functionality works to block the attack was a welcome update to protect our systems. Still, you can’t expect Microsoft to repair something they see as a feature and the way things should work. Some things aren’t meant to be repaired I guess.


Just to make sure that Microsoft hadn’t broken the Incognito functionality while messing with the way tokens work, I ran a couple of tests against a Windows XP service pack 2 machine.

I started off with an unpatched version and ran the trusty MS08-067 exploit to get a meterpreter shell.

./msfcli exploit/windows/smb/ms08_067_netapi payload=windows/meterpreter/bind_tcp LHOST= RHOST= E

This functioned as you’d expect and resulted in a meterpreter shell running under the Local System Account. After running the “use incognito” command I listed the tokens using “list_tokens -u”.


Taking the local account “pentestuser” as the token to impersonate, I ran “impersonate_token PENTEST-3C73D9Cpentestuser”


Success, as expected on the unpatched system. Next up, I patched the system, rebooted and repeated the same msfcli exploit (MS08-067). This time however the exploit failed on the first run as it couldn’t isolate the exact service pack version. Metasploit listed it as Service Pack 2+ (which is technically correct). Re-running the command completed the exploit however.


Even after the patch everything seems fine in the token list.


The final test, impersonation of the PENTEST-3C73D9Cpentestuser user. As before this went off without a hitch, giving us access to the local user without error.


Microsoft have patched the flaws listed in KB952004 without effecting the Incognito tool (or the implementation of the tool within Metasploit). Good for attackers, bad for defenders. But you can’t always have it both ways can you. I doubt that we’ll be seeing a patch against the token impersonation flaw used in incognito anytime soon, if at all.

I’m heading to Blackhat Europe in a few hours (courtesy of a last minute press registration). If you’re there feel free to drop me a line and buy me a drink 😉 — > contact [at] c22 [dot] cc