
Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

Hey Jeff - StenoPlasma and I took the conversation off-line, and I'm clear 
about what he is illustrating.  

As far as the local machine is concerned, there is no difference between the 
local admin and the domain admin or any other admin in the Administrators 
group.   The paper illustrates how one admin can pretend to be another admin by 
masquerading as his SID.    Of course, the admin could masquerade as a normal 
user too, but there's no point in that.  That said, there's no point in one 
admin pretending to be another admin.  There is no down-range network access to 
this, and as StenoPlasma pointed out, you have to have the network cable 
unplugged to do this.  

Not taking away from SP's find, but at the end of the day, this doesn't allow 
an administrator to do anything he couldn't already do.  If repudiation is the 
concern, the one admin can simply create another admin user, log in as them, 
and do whatever they want logging activities as that user.  

I've been counting, and now this is 1 million four:  If it starts with "If I'm 
admin..." then what comes next doesn't matter.

t

-----Original Message-----
From: Jeffrey Walton [mailto:noloader@xxxxxxxxx] 
Sent: Friday, December 10, 2010 6:38 AM
To: Thor (Hammer of God)
Cc: StenoPlasma@xxxxxxxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows 
Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached 
Domain Admin Accounts (2010-M$-002)

On Thu, Dec 9, 2010 at 10:07 PM, Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx> 
wrote:
> What do you mean by "regular local administrator"?  You're a local 
> admin, or you're not.
I believe the OP's intent was to differentiate between Local Administrators and 
Domain (or Enterprise) Administrators. Corrections from StenoPlasma are 
welcomed.

> There are not degrees of local admin.
But there are different accounts, both domain and local, which have 
administrator rights and privileges on the local machine.

[SNIP]

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/