| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Dec 2010 09:37:49 -0500 From: phil@...ea.net To: "Jeremy SAINTOT" <jeremy.saintot@...il.com> Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>, "StenoPlasma@...loitdevelopment.com" <stenoplasma@...loitdevelopment.com> Subject: Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) If a bad guy got the local admin password, then the computer is in it's control at 100%. No need to run script as a domain user, as the local admin can already format the drive, or remove all security mesure. The cached credential is a hash of a hash. (kinda long to crack) Any good network admin would use a account that can only join a computer in the domain, and use the local admin account to install software or a helpdesk account that got local admin right. The only case maybe that case is a security hole that I can think of, I told maybe because I didn't tested it. It's if the computer got a local mssql with mixed mode authentification. Does the trick permit the login to the database if you installed it with a domain user, that is cached on the computer? (But who care, as the local admin can just copy the data dir anyway) My .02 cent -phil > Correct me if I'm wrong, but here is what I think of that : > > A Domain user that is a Local admin of his workstation is different than > a Domain user which is Domain Admin. > > Then, a local admin whose account is an AD account can run scripts *on > his local machine* in the name of the domain admin. > > This includes the possibility of dumping the Domain Admin password hash > and even *all the domain accounts password hashes* (ie: psexec + pwdump > against the DC, with the privileges of the domain admin). > > An exploitation scenario could be the following for an unprivileged > domain user: > > - Become local admin of his workstation (bunch of methods out there) > - Run script ad the Domain Admin with this technique) > - Recover Domain admin or Domain Users password hashes. > - Crack the passwords and become Domain Admin (ie: Administrator of all > workstations and servers in the domain). > > My two cents ! > > J- > > > On 10/12/2010 15:37, Jeffrey Walton wrote: >> On Thu, Dec 9, 2010 at 10:07 PM, Thor (Hammer of God) >> <thor@...merofgod.com> wrote: >>> What do you mean by "regular local administrator"? You're a local >>> admin, >>> or you're not. >> I believe the OP's intent was to differentiate between Local >> Administrators and Domain (or Enterprise) Administrators. Corrections >> from StenoPlasma are welcomed. >> >>> There are not degrees of local admin. >> But there are different accounts, both domain and local, which have >> administrator rights and privileges on the local machine. >> >> [SNIP] >> >> Jeff >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists