[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <67245811f73156fd178f16e332bc8755.squirrel@www.jabea.net>
Date: Mon, 13 Dec 2010 09:37:49 -0500
From: phil@...ea.net
To: "Jeremy SAINTOT" <jeremy.saintot@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
"StenoPlasma@...loitdevelopment.com" <stenoplasma@...loitdevelopment.com>
Subject: Re: Flaw in Microsoft Domain Account Caching
Allows Local Workstation Admins to Temporarily Escalate Privileges and
Login as Cached Domain Admin Accounts (2010-M$-002)
If a bad guy got the local admin password, then the computer is in it's
control at 100%. No need to run script as a domain user, as the local
admin can already format the drive, or remove all security mesure.
The cached credential is a hash of a hash. (kinda long to crack)
Any good network admin would use a account that can only join a computer
in the domain, and use the local admin account to install software or a
helpdesk account that got local admin right.
The only case maybe that case is a security hole that I can think of, I
told maybe because I didn't tested it. It's if the computer got a local
mssql with mixed mode authentification. Does the trick permit the login to
the database if you installed it with a domain user, that is cached on the
computer? (But who care, as the local admin can just copy the data dir
anyway)
My .02 cent
-phil
> Correct me if I'm wrong, but here is what I think of that :
>
> A Domain user that is a Local admin of his workstation is different than
> a Domain user which is Domain Admin.
>
> Then, a local admin whose account is an AD account can run scripts *on
> his local machine* in the name of the domain admin.
>
> This includes the possibility of dumping the Domain Admin password hash
> and even *all the domain accounts password hashes* (ie: psexec + pwdump
> against the DC, with the privileges of the domain admin).
>
> An exploitation scenario could be the following for an unprivileged
> domain user:
>
> - Become local admin of his workstation (bunch of methods out there)
> - Run script ad the Domain Admin with this technique)
> - Recover Domain admin or Domain Users password hashes.
> - Crack the passwords and become Domain Admin (ie: Administrator of all
> workstations and servers in the domain).
>
> My two cents !
>
> J-
>
>
> On 10/12/2010 15:37, Jeffrey Walton wrote:
>> On Thu, Dec 9, 2010 at 10:07 PM, Thor (Hammer of God)
>> <thor@...merofgod.com> wrote:
>>> What do you mean by "regular local administrator"? You're a local
>>> admin,
>>> or you're not.
>> I believe the OP's intent was to differentiate between Local
>> Administrators and Domain (or Enterprise) Administrators. Corrections
>> from StenoPlasma are welcomed.
>>
>>> There are not degrees of local admin.
>> But there are different accounts, both domain and local, which have
>> administrator rights and privileges on the local machine.
>>
>> [SNIP]
>>
>> Jeff
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists