Hijacking Windows user sessions with built-in command line tools

Did you know that by using built-in command line tools, any user with system rights and permissions (usually a local administrator) can hijack the session of any logged-in Windows user without knowing that user’s password? He or she can perform the action if they have physical access to the target’s machine, but also remotely via Remote Desktop Protocol (RDP).

The capability is not exactly secret, as it has been pointed out by a French security researcher some six years ago, but researcher Alexander Korznikov did not know that when he detailed it again a few days ago.

He stumbled on it when he tried to connect to another user’s session via the Users tab in Windows Task Manager, and succeeded in doing so without being asked for the password.

After perusing some Microsoft documentation, he figured out that the prerequisite for this is to have Full Control access permission or Connect special access permission, and that – contrary to what Microsoft says – you don’t have to specify a password in the parameter.

He believed this to be a security vulnerability, but Microsoft does not deem it so, because to be exploited it requires the attacker to have local admin rights on the machine.

Korznikov provided a few video demos of a successful session hijacking (via Task manager, service creation, or command line), as well as PoC exploit steps. Another researcher confirmed that the exploitation works on every Windows version, even if the workstation is locked.

While security professionals debate the severity of this flaw/feature, Korznikov delineated how it can be easily misused by a malicious insider: a sysadmin in a bank can log into an employee’s locked workstation while the employee is away for lunch, hijack the employee’s session, and use it to perform malicious actions in the billing system (to which he usually has no access).