Situation
Windows local Privilege Escalation with SeImpersonatePrivilege.
There is a possibility of local privileges escalation up to SYSTEM privilege on Windows Operation systems with a number of technics with a common "Potato" naming.
The following public articles describe the technics in detail:
-
Rotten Potato:
-
https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ - Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM
-
-
Juicy Potato:
- https://ohpe.it/juicy-potato/ - Juicy Potato (abusing the golden privileges)
- https://github.com/ohpe/juicy-potato
-
https://github.com/ohpe/juicy-potato/issues/4 - Build
1809patched JuicyPotato - https://decoder.cloud/2018/08/10/juicy-potato/ - Juicy Potato (abusing the golden privileges)
- https://decoder.cloud/2018/10/01/fear-the-rotten-juicy-potato-attack/ - Fear the Rotten/Juicy potato attack?
- https://decoder.cloud/2018/10/29/no-more-rotten-juicy-potato/ - No more rotten/juicy potato?
- https://www.youtube.com/watch?v=ur2HPyuQlEU - HIP19: whoami priv - show me your privileges and I will lead you to SYSTEM - A. Pierini
-
RogueWinRM:
- https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/ - We thought they were potatoes but they were beans (from Service Account to SYSTEM again)
-
PrintSpoofer:
- https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/ - PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019
-
RoguePotato:
- https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/ - No more JuicyPotato? Old story, welcome RoguePotato!
-
juicy_2:
- https://decoder.cloud/2020/05/30/the-impersonation-game/ - The impersonation game
Impact
A person might get escalated privileges that allow performing any operations on the server.
Call to Action
Starting from Plesk Obsidian 18.0.32 all new Plesk installations are fully protected from this kind of technics.
During upgrade to Plesk Obsidian 18.0.32 and later most of the servers are also protected automatically:
- Plesk no longer assigns the system privilege "Replace a process level token" to IIS users created by Plesk. We believe this to be a more secure configuration, despite it being recommended by Microsoft.
- Plesk also explicitly removes the privilege "Impersonate a client after authentication" from the IIS_IUSRS group. We believe this to be a more secure configuration, despite it being recommended by Microsoft.
How to check if the server is vulnerable
-
Connect to the server via RDP
-
Open the Command Prompt under the Administrator
-
Execute the following command:
plesk repair --has-app-pools-impersonate-privilege
Note: If the server has more than 300 domains the output will be 1 and the workaround below should be applied. The output will also be 1 if at least one domain has Windows Authentication enabled for Virtual Directories.
Note: If the command above returns "0" as an output, then the server is protected, if "1" then the server is possibly vulnerable and we strongly recommend to execute the following command to fix privileges:
plesk repair --revoke-app-pools-impersonate-privilege
with