lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <58DB1B68E62B9F448DF1A276B0886DF16EB6F804@EX2010.hammerofgod.com>
Date: Fri, 10 Dec 2010 15:56:29 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: "noloader@...il.com" <noloader@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"StenoPlasma@...loitdevelopment.com" <StenoPlasma@...loitdevelopment.com>
Subject: Re: Flaw in Microsoft Domain Account Caching
 Allows Local Workstation Admins to Temporarily Escalate Privileges and
 Login as Cached Domain Admin Accounts (2010-M$-002)

Hey Jeff - StenoPlasma and I took the conversation off-line, and I'm clear about what he is illustrating.  

As far as the local machine is concerned, there is no difference between the local admin and the domain admin or any other admin in the Administrators group.   The paper illustrates how one admin can pretend to be another admin by masquerading as his SID.    Of course, the admin could masquerade as a normal user too, but there's no point in that.  That said, there's no point in one admin pretending to be another admin.  There is no down-range network access to this, and as StenoPlasma pointed out, you have to have the network cable unplugged to do this.  

Not taking away from SP's find, but at the end of the day, this doesn't allow an administrator to do anything he couldn't already do.  If repudiation is the concern, the one admin can simply create another admin user, log in as them, and do whatever they want logging activities as that user.  

I've been counting, and now this is 1 million four:  If it starts with "If I'm admin..." then what comes next doesn't matter.

t

-----Original Message-----
From: Jeffrey Walton [mailto:noloader@...il.com] 
Sent: Friday, December 10, 2010 6:38 AM
To: Thor (Hammer of God)
Cc: StenoPlasma@...loitdevelopment.com; full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

On Thu, Dec 9, 2010 at 10:07 PM, Thor (Hammer of God) <thor@...merofgod.com> wrote:
> What do you mean by "regular local administrator"?  You're a local 
> admin, or you're not.
I believe the OP's intent was to differentiate between Local Administrators and Domain (or Enterprise) Administrators. Corrections from StenoPlasma are welcomed.

> There are not degrees of local admin.
But there are different accounts, both domain and local, which have administrator rights and privileges on the local machine.

[SNIP]

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ