lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <58DB1B68E62B9F448DF1A276B0886DF16EB71B0E@EX2010.hammerofgod.com>
Date: Mon, 13 Dec 2010 20:47:37 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Michael Wojcik <Michael.Wojcik@...rofocus.com>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Flaw in Microsoft Domain
	Account	CachingAllows Local Workstation Admins to
	Temporarily	EscalatePrivileges and Login as Cached Domain
	Admin Accounts	(2010-M$-002)

>The attack has some academically interesting details about how cached
>credentials work, but I agree with Stefan. If you own the machine, you own
>the machine. What's to stop you from, say, simply installing a rootkit?

Exactly.  More importantly, even if you must make users local admins, there is never *any* reason why the domain administrator should interactively log onto a workstation as the domain administrator anyway.  Service personnel log on with support accounts, not the domain admin accounts.  If they do, well, then you've got other problems.  But in this case even if a domain admin logs in interactively (or via RDP), it's not an issue.  Cached credentials can't be used for anything other than to log on to the local machine if there is no DC available.  After a domain account logs on to a local system, after AD authenticates the request, then *another* hash is made of the hashed password with *a different salt* each time, for each user cached. 

As far as the academic interest, cached account behavior is a documented process which has been around for years, local admin overwrite capabilities included.  

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ