Bugtraq mailing list archives

Win2k directory services weakness


From: BugTraq <BugTraq () GAUSS FMPH UNIBA SK>
Date: Wed, 21 Feb 2001 12:04:08 +0100

Hello,

We came across one security issue which may be critical
for large organizations planning to deploy Windows 2000
and Active Directory in one forest.

Imagine that there is a forest with more than one domain.
(Tree hierarchy does not matter in this situation.) Every
domain has its own set of administrators.

In Active Directory there is one Configuration Container
for the whole forest. So every domain controller has its own
copy of the Configuration Container and is able to change it and
replicate changes to other domain controllers. The only
obstruction to changing the configuration is the ACLs.
But ACLs are checked on the local system, and if you somehow
modify it to avoid this checking, you can modify this Container.

How to do it? It is just a matter of finding the place where the
ACL is checked and patching the corresponding DLL to disable this check.

We think the check is done in the Directory Service Agent. So
you can patch and replace it, or add a patched version to the
original one running in the context of LSA. For how to run
your own code in the context of LSA, see the pwdump2 utility
<http://razor.bindview.com/tools/desc/pwdump2_readme.html>.
What you need in this case is SeDebugPrivilege.

The real issue is: if in this situation one of the domain controllers
is hacked, the hacker can change the links for the Site Domain policy, where
the paths for logon/logoff and startup/shutdown scripts are stored,
and so run his own code on any other domain controller in the forest.

If you have a large organization, every DC is then (almost) equally
vulnerable; if a hacker breaks into one, he gets all.

Has anyone thought about this issue, and does anyone have any
idea how to solve it?

Thank you.

Michal Zeman, Pavol Mederly
Comenius University, Bratislava, Slovakia
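Editor's added example (not part of the original post, and not code from its authors): the weakness described above turns on the forest-wide site objects in the Configuration partition and the GPO links (gPLink) they carry, because a GPO linked at a site applies to domain controllers in every domain of the forest. A defender can baseline exactly that surface. The PowerShell below enumerates every site's linked GPOs, reads the machine startup/shutdown script declarations from each GPO's SYSVOL folder, and flags script paths that point outside SYSVOL. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the running account can read the Configuration partition and SYSVOL; the `REVIEW`/`ok` status labels are this example's own convention.

```powershell
# Added example: audit GPOs linked to Active Directory sites (forest-wide
# Configuration partition) and list the machine startup/shutdown scripts
# they declare, so the result can be baselined and diffed over time.
# Assumes RSAT ActiveDirectory and GroupPolicy modules are present.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$rootDse   = Get-ADRootDSE
$sitesBase = "CN=Sites,$($rootDse.configurationNamingContext)"
$domain    = (Get-ADDomain).DNSRoot

# Each site object stores its GPO links in gPLink, e.g.
# "[LDAP://cn={GUID},cn=policies,cn=system,DC=example,DC=com;0]"
$sites = Get-ADObject -SearchBase $sitesBase -LDAPFilter "(objectClass=site)" -Properties gPLink

foreach ($site in $sites) {
    if (-not $site.gPLink) { continue }

    # Extract every linked GPO GUID from the gPLink string
    $guids = [regex]::Matches($site.gPLink, '\{[0-9A-Fa-f-]{36}\}') | ForEach-Object { $_.Value }

    foreach ($guid in $guids) {
        # Resolve the display name; a GPO homed in another domain may not resolve here
        $gpo  = Get-GPO -Guid $guid.Trim('{}') -ErrorAction SilentlyContinue
        $name = if ($gpo) { $gpo.DisplayName } else { '<unresolved>' }

        # Machine startup/shutdown scripts are declared in scripts.ini (cmd/bat)
        # and psscripts.ini (PowerShell) under the GPO's SYSVOL folder
        $scriptsDir = "\\$domain\SYSVOL\$domain\Policies\$guid\Machine\Scripts"

        foreach ($ini in 'scripts.ini', 'psscripts.ini') {
            $path = Join-Path $scriptsDir $ini
            if (-not (Test-Path $path)) { continue }

            $section = ''
            foreach ($line in Get-Content $path) {
                # Section headers are [Startup] / [Shutdown]
                if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }

                # Entries look like "0CmdLine=script.bat" followed by "0Parameters=..."
                if ($line -match '^\d+CmdLine=(.+)$') {
                    $cmd = $Matches[1]
                    # Flag absolute UNC or drive paths that do not live under SYSVOL;
                    # a bare file name is relative to the GPO's own Scripts folder
                    $status = if ($cmd -match '^(\\\\|[A-Za-z]:)' -and $cmd -notmatch '(?i)\\SYSVOL\\') { 'REVIEW' } else { 'ok' }

                    [pscustomobject]@{
                        Site   = $site.Name
                        GPO    = $name
                        Guid   = $guid
                        Phase  = $section
                        Script = $cmd
                        Status = $status
                    }
                }
            }
        }
    }
}
```

Run it from a domain-joined management host and export the objects (for example with `Export-Csv`) on a schedule; a new row, a changed `Script` value, or a `REVIEW` status against a site-linked GPO is exactly the kind of change the post describes and is worth correlating with directory replication metadata and change auditing on the domain controllers.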
