lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Dec 2010 08:38:38 -0800 From: "Michael Wojcik" <Michael.Wojcik@...rofocus.com> To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk> Subject: RE: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) > From: Stefan Kanthak [mailto:stefan.kanthak@...go.de] > Sent: Friday, 10 December, 2010 17:12 > > "George Carlson" <gcarlson@...s.edu> wrote: > > > Your objections are mostly true in a normal sense. > > However, it is not true when Group Policy is taken into account. > > Group Policies need an AD. Cached credentials are only used locally, > for domain accounts, when the computer can't connect to the AD. > > > Group Policies differentiate between local and Domain administrators > > Local administrators don't authenticate against an AD, they > authenticate against the local SAM. No GPOs there! > And: a local administrator can override ANY policy, even exempt the > computer completely from processing Group Policies. And the exploit requires that a domain administrator have logged into the target system at some point. If a domain administrator did that once, it's probably not hard to make it happen again, with a little social-engineering grease. And since the attacker is a local administrator on that machine, it'd be easy to simply capture the domain administrator's credentials (at least if password authentication is being used). Hell, I'd bet lots of domain administrators, when logging into a user's workstation, don't even use the SAK if a login dialog is already up when they sit down at the machine. The attack has some academically interesting details about how cached credentials work, but I agree with Stefan. If you own the machine, you own the machine. What's to stop you from, say, simply installing a rootkit? -- Michael Wojcik Principal Software Systems Developer, Micro Focus This message has been scanned for viruses by MailController - www.MailController.altohiway.com
Powered by blists - more mailing lists