Some tricks allow credential-less session hijacking. As revealed by Benjamin Delpy (of Mimikatz) in 2011 and by Alexander Korznikov on Friday, if you run tscon.exe as the SYSTEM user, you can connect to any session without a password. It doesn’t prompt, it just connects you to the user’s desktop. I believe this is due to the way session shadowing was implemented in Microsoft Windows, and it has run throughout the years like this.

Now, you might be saying ‘If you’re SYSTEM, you’re already root… You can already do anything’. You could, for example, dump out the server memory and get user passwords. That’s a long process compared to just running tscon.exe with a session number and instantly getting the desktop of said user, with no obvious trace or external tools. This isn’t about SYSTEM; this is about what you can do with it very quickly, and quietly. Attackers aren’t interested in playing, they’re interested in what they can do with techniques. So, you have full blown RDP session hijacking, with a single command.

Some parameters about how far this reaches:

- You can connect to disconnected sessions. So if somebody logged out 3 days ago, you can just connect straight to their session and start using it.
- It also unlocks the physical console. So if a user is away from their desk, you steal their session AND it unlocks the ‘workstation’ without needing any credentials.
- You can connect to ANY session, so if, for example, it’s the Helpdesk, you can connect to it without any authentication.
- Because of the above point (you can connect to disconnected sessions), this makes it an incredibly simple way to laterally move through a network.
- You can use win32k SYSTEM exploits (there are many) to gain SYSTEM permissions, and then use this feature. Meaning even as a standard user, if patches aren’t applied properly, you can use this.
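A small detector for the behaviour described above, added here as an example and not part of the original post. It scans constructed process-creation records (the `key="value"` layout is a simplification of Windows Security event 4688 with command-line auditing enabled; the field names `account`, `image` and `cmdline` are assumptions, not the event's real field names) and flags tscon.exe launched under the SYSTEM account, which is exactly the condition the post says lets the caller attach to any session without its password. The session id, the `/dest:` target and whether a `/password:` argument was present are pulled out for the analyst.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records, NOT real log exports. The key="value" layout is a
# simplification of Windows Security event 4688 (process creation) with
# command-line auditing turned on: subject account, new process image, command line.
SAMPLE_EVENTS = [
    'account="CORP\\alice" image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe"',
    'account="NT AUTHORITY\\SYSTEM" image="C:\\Windows\\System32\\tscon.exe" cmdline="tscon.exe 2 /dest:console"',
    'account="CORP\\bob" image="C:\\Windows\\System32\\tscon.exe" cmdline="tscon.exe 3 /dest:rdp-tcp#7 /password:hunter2"',
    'account="NT AUTHORITY\\SYSTEM" image="C:\\Windows\\System32\\svchost.exe" cmdline="svchost.exe -k netsvcs"',
    'account="NT AUTHORITY\\SYSTEM" image="C:\\Windows\\System32\\tscon.exe" cmdline="tscon.exe 5 /dest:rdp-tcp#12"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
DEST_RE = re.compile(r"/dest:(\S+)", re.IGNORECASE)
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one key="value" record into a dict with lower-cased keys."""
    return {key.lower(): value for key, value in FIELD_RE.findall(line)}


def is_tscon(image: str) -> bool:
    """True when the process image is tscon.exe, whatever directory it sits in."""
    return image.lower().rsplit("\\", 1)[-1] == "tscon.exe"


def tscon_target(cmdline: str) -> Optional[str]:
    """Session id or name tscon was asked to attach: the first argument,
    e.g. "2" in "tscon.exe 2 /dest:console"."""
    tokens = cmdline.split()
    return tokens[1] if len(tokens) > 1 else None


def find_suspicious_tscon(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per tscon.exe launch performed under the SYSTEM account.

    tscon run as SYSTEM is the condition the post describes: the caller gets the
    target session's desktop without supplying its password, so the absence of
    a /password: argument is recorded for the analyst rather than used as a filter.
    """
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        if not is_tscon(ev.get("image", "")):
            continue
        if ev.get("account", "").upper() not in SYSTEM_ACCOUNTS:
            continue  # a user reconnecting their own session is not this pattern
        cmdline = ev.get("cmdline", "")
        dest = DEST_RE.search(cmdline)
        alerts.append({
            "account": ev.get("account"),
            "session": tscon_target(cmdline),
            "dest": dest.group(1) if dest else None,
            "password_supplied": "/password:" in cmdline.lower(),
            "raw": line,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_tscon(SAMPLE_EVENTS):
        print(f"ALERT: {alert['account']} attached session {alert['session']} "
              f"(dest={alert['dest']}, password_supplied={alert['password_supplied']})")
```

In a real deployment the same logic sits on your 4688 or Sysmon process-creation feed rather than on constructed lines; the alert from the second record (SYSTEM attaching session 2 to `console`) is the physical-console case the post calls out. On the prevention side, the post's point that disconnected sessions stay attachable indefinitely is what the Remote Desktop Session Host "Set time limit for disconnected sessions" Group Policy setting addresses: sessions that are logged off after a timeout are no longer there to be taken over.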