HomeWinBuzzer NewsWindows XP Vulnerability Allows Hackers to Transfer Admin Privileges

Windows XP Vulnerability Allows Hackers to Transfer Admin Privileges

A security expert has found a flaw in Windows XP that gives attackers a means to transfer admin account capabilities to a guest account.

-

It seems has yet another Windows vulnerability to deal with. Colombian researcher Sebastian Castro has discovered a critical flaw in the platform. Specifically, attackers could exploit and transfer administrator rights to their own accounts.

Castro has shared the details of the vulnerability on his blog. He says the flaw is in Windows XP and gives hackers means to move admin accounts to their own machines. Ok, Windows XP is a two-decade old platform, but it is still on around 10% of all Windows PCs, many of them in business environments.

Castro tested and demonstrated the flaw by creating a Metaspilot module:

“I decided to write a Metasploit module, by taking as a reference the enable_support_account post module which was developed by my colleague and friend Santiago Díaz. This module exploits the core of the vulnerability mentioned in the above reference, but it is limited to work only in XP/2003 Windows version, by modifying a security descriptors of the support_388945a0 built-in account.”

However, the rid_hijack module automatizes this attack with any existing account on the victim. It could be found in post/windows/manage/rid_hijack.”

Admin Privileges

Castro used the module across several other Windows systems, including Windows Server 2003, Windows 8.1, and . Through the exploit, users can transfer admin account privileges to a Guest account.

“Regardless of the version since XP, Windows uses the Security Account Manager (SAM) to store the security descriptors of local users and built-in accounts. As is mentioned in How Security Principals Work, every account has an assigned RID which identifies it. Different from domain controllers, Windows workstations and servers will store most part of this data in the HKLM\SAM\SAM\Domains\Account\Users key, which requires SYSTEM privileges to be accessed.”

Castro says he reported his findings to Microsoft 10 months ago, but the company ignored him. While that may be because Windows XP is old, it is more likely the company's Group Policy Object solution already prevents this type of attack from being carried out in a real environment.

Either way, it will be nice to hear from Microsoft officially.

SourceCSL
Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.