lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20061003120147.GZ29201@DAPCVA.da>
Date: Tue, 3 Oct 2006 14:01:47 +0200
From: Vincent Archer <varcher@...yall.com>
To: crazy frog crazy frog <i.m.crazy.frog@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Removing the NIC cable = EoP?

On Tue, Oct 03, 2006 at 02:33:34PM +0530, crazy frog crazy frog wrote:
> I doubt it will work on any windows OS. If a user is logged in as a
> user who dont have admin rights then unplugging network cable does not
> give him admin.

The hack seems to be the defaulting. You authentify as a user, but you
do not let the system to get the full user profile from its domain
controller. The bug suggested there is that, if the OS can authentify,
but cannot setup the profile after succesfully authentifying, it would
incorrectly place you as a local admin. Presumably because that's the
only local account.

I do suspect a combo of specific OS version, SP, AD/system config, and
probably the account setup script that gets executed when you create a
local version of the user environment, rather than a generalized system
error.

Most system will indeed keep a cached copy of the network profile, and
default to it when unable to fetch the profile - I'm sure the sysadmins
added fancy tricks to destroy any local profile once you've logged out,
and the building of the account profile when you log in for "the first
time" is where the drop to admin happens.

-- 
Vincent ARCHER
varcher@...yall.com

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 23, rue Notre Dame des Victoires - 75002 Paris - France

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ