Microsoft Windows – ‘SeImpersonatePrivilege’ Local Privilege Escalation

Dmitry Bystrov

10 months ago

Situation

Windows local Privilege Escalation with SeImpersonatePrivilege.
There is a possibility of local privileges escalation up to SYSTEM privilege on Windows Operation systems with a number of technics with a common "Potato" naming.

The following public articles describe the technics in detail:

Rotten Potato:
- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ - Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM
- https://github.com/breenmachine/RottenPotatoNG
Juicy Potato:
- https://ohpe.it/juicy-potato/ - Juicy Potato (abusing the golden privileges)
- https://github.com/ohpe/juicy-potato
- https://github.com/ohpe/juicy-potato/issues/4 - Build 1809 patched JuicyPotato
- https://decoder.cloud/2018/08/10/juicy-potato/ - Juicy Potato (abusing the golden privileges)
- https://decoder.cloud/2018/10/01/fear-the-rotten-juicy-potato-attack/ - Fear the Rotten/Juicy potato attack?
- https://decoder.cloud/2018/10/29/no-more-rotten-juicy-potato/ - No more rotten/juicy potato?
- https://www.youtube.com/watch?v=ur2HPyuQlEU - HIP19: whoami priv - show me your privileges and I will lead you to SYSTEM - A. Pierini
RogueWinRM:
- https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/ - We thought they were potatoes but they were beans (from Service Account to SYSTEM again)
PrintSpoofer:
- https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/ - PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019
RoguePotato:
- https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/ - No more JuicyPotato? Old story, welcome RoguePotato!
juicy_2:
- https://decoder.cloud/2020/05/30/the-impersonation-game/ - The impersonation game

Impact

A person might get escalated privileges that allow performing any operations on the server.

Call to Action

Starting from Plesk Obsidian 18.0.32 all new Plesk installations are fully protected from this kind of technics.

During upgrade to Plesk Obsidian 18.0.32 and later most of the servers are also protected automatically:

Plesk no longer assigns the system privilege "Replace a process level token" to IIS users created by Plesk. We believe this to be a more secure configuration, despite it being recommended by Microsoft.
Plesk also explicitly removes the privilege "Impersonate a client after authentication" from the IIS_IUSRS group. We believe this to be a more secure configuration, despite it being recommended by Microsoft.

How to check if the server is vulnerable

Connect to the server via RDP
Open the Command Prompt under the Administrator
Execute the following command:

plesk repair --has-app-pools-impersonate-privilege

Note: If the server has more than 300 domains the output will be 1 and the workaround below should be applied. The output will also be 1 if at least one domain has Windows Authentication enabled for Virtual Directories.

Note: If the command above returns "0" as an output, then the server is protected, if "1" then the server is possibly vulnerable and we strongly recommend to execute the following command to fix privileges:

plesk repair --revoke-app-pools-impersonate-privilege

0 Shares