Bugtraq mailing list archives
Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)
From: Marsh Ray <marsh () extendedsubset com>
Date: Mon, 13 Dec 2010 16:14:44 -0600
On 12/13/2010 11:19 AM, Michael Bauer wrote:
An administrator is very different there are many levels of administrative control in windows to say an admin is an admin is absurd.
I disagree. There's only one level of pwned.
There is a big difference between a local admin and a domain admin.
Yes, local vs. network is sometimes a useful distinction.But joining a machine to the domain gives it a bit more power to attack other stuff on the domain. And how many domain-joined systems do not also include Domain Admins as Local Admins?
There are many types of admin in windows and all of them have different levels of permission.
I disagree.
I would be very scared to have anyone taking care of any of my systems windows or NIX who thought an admin was an admin and root is root.
You ought to be scared anyway. There's a new local exploit here every few days or weeks.
Here is a reference showing the different SIDs for some common windows accounts. Http://support.microsoft.com/kb/24333 If you take time to read it you will see there are numerous types of windows administrator all with different permissions.
I know MS set out to define all these different capabilities and so on. My impression is that much of that was suggested by Orange Book. But they supposedly obtained this Orange Book certification yet still installed notepad.exe as world-writable by default.
In practice, those distinctions rarely hold up under scrutiny. Remember "Guest User" vs "User" vs "Power User"? MS has greatly de-emphasized the utility of boundaries between privileges them in the OS over time, preferring instead to invent new ones that were more relevant to the times. Witnesseth the recent discussions about the elevation token and IE protected mode.
The best you can hope for is to maintain an effective boundary between normal users and root/admin. But usually as soon as you install a few off-the-shelf Windows or shareware apps, it's gone. Try this: install your favorite "productivity" app in a non-default directory, e.g. C:\, then look at the filesystem permissions on its executable folder (and everywhere it might load DLLs from). Then note that (just a wild guess) it probably runs some dll-preloader and system tray icon processes for everyone who logs in - even Admins.
Even on a pristine OS install, the next local escalation bug is just a matter of time, and that's just the published ones. The bad guys likely have plenty already.
If you're lucky, you might be able to maintain an effective security boundary between a local computer and the network. Don't waste your time trying to protect machines from users who have unsupervised physical access anyway.
- Marsh
Current thread:
- Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) StenoPlasma @ www.ExploitDevelopment.com (Dec 10)
- Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Stefan Kanthak (Dec 10)
- RE: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) George Carlson (Dec 13)
- Re: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) Stefan Kanthak (Dec 13)
- RE: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) Michael Wojcik (Dec 13)
- RE: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) Thor (Hammer of God) (Dec 15)
- Message not available
- Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) Marsh Ray (Dec 15)
- RE: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) George Carlson (Dec 13)
- Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Stefan Kanthak (Dec 10)
- RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Thor (Hammer of God) (Dec 13)
- Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Andrea Lee (Dec 13)
- RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Thor (Hammer of God) (Dec 13)
- RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Kurt Dillard (Dec 13)
- Re: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) StenoPlasma @ www.ExploitDevelopment.com (Dec 15)
- Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Ansgar Wiechers (Dec 13)
- Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Stefan Kanthak (Dec 15)
- RE: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily Escalate Privileges andLogin as Cached Domain Admin Accounts (2010-M$-002) David Gillett (Dec 13)
- Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily Escalate Privileges andLogin as Cached Domain Admin Accounts (2010-M$-002) Michael Bauer (Dec 15)