[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

To: noloader@xxxxxxxxx
Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
From: Jeremy SAINTOT <jeremy.saintot@xxxxxxxxx>
Date: Mon, 13 Dec 2010 11:43:02 +0100

Correct me if I'm wrong, but here is what I think of that :

A Domain user that is a Local admin of his workstation is different than 
a Domain user which is Domain Admin.

Then, a local admin whose account is an AD account can run scripts *on 
his local machine* in the name of the domain admin.

This includes the possibility of dumping the Domain Admin password hash 
and even *all the domain accounts password hashes* (ie: psexec + pwdump 
against the DC, with the privileges of the domain admin).

An exploitation scenario could be the following for an unprivileged 
domain user:

- Become local admin of his workstation (bunch of methods out there)
- Run script ad the Domain Admin with this technique)
- Recover Domain admin or Domain Users password hashes.
- Crack the passwords and become Domain Admin (ie: Administrator of all 
workstations and servers in the domain).

My two cents !

J-

On 10/12/2010 15:37, Jeffrey Walton wrote:
> On Thu, Dec 9, 2010 at 10:07 PM, Thor (Hammer of God)
> <thor@xxxxxxxxxxxxxxx>  wrote:
>> What do you mean by "regular local administrator"?  You're a local admin,
>> or you're not.
> I believe the OP's intent was to differentiate between Local
> Administrators and Domain (or Enterprise) Administrators. Corrections
> from StenoPlasma are welcomed.
>
>> There are not degrees of local admin.
> But there are different accounts, both domain and local, which have
> administrator rights and privileges on the local machine.
>
> [SNIP]
>
> Jeff
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
  - From: phil
- Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
  - From: Stefan Kanthak

References:
- Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
  - From: StenoPlasma @ ExploitDevelopment
- Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
  - From: Jeffrey Walton

Prev by Date: [Full-disclosure] Bug on Facebook
Next by Date: Re: [Full-disclosure] Bug on Facebook
Previous by thread: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
Next by thread: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
Index(es):
- Date
- Thread