Full Disclosure mailing list archives
Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
From: Mike Vasquez <mike () digihax com>
Date: Thu, 9 Dec 2010 20:36:38 -0700
You can dump the local cached hashes, take a domain admin's, and use a pass the hash attack, which has been around for a while, such as: Hernan Ochoa / http://oss.coresecurity.com/projects/pshtoolkit.htm

I don't see this being any more concerning. Whatever you do in the above, is under the other account. Granted, I may be missing something, so enlighten me.

-----Original Message-----
From: Mike Hale [mailto:eyeronic.design () gmail com]
Sent: Thursday, December 09, 2010 7:20 PM
To: Thor (Hammer of God)
Cc: StenoPlasma () exploitdevelopment com; full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

"In fact, I can just make the Domain Admin a "guest" on my workstation if I want to and there is nothing they can do about it."

With the caveat that they can readd themselves using GP anytime they want...but you know. I just wanted to throw that out there.

I think the key vulnerability in this is the non-repudiation one the OP mentioned. Being able to run stuff under the domain admin's account is something a rogue user could potentially abuse. I don't think this issue is particularly critical, but something a good admin should be aware of, IMO.

On Thu, Dec 9, 2010 at 7:07 PM, Thor (Hammer of God) <thor () hammerofgod com> wrote:

What do you mean by "regular local administrator"? You're a local admin, or you're not. There are not degrees of local admin. Why are you under the impression that there are things on a local system that the local admin should not have access to? They can do anything they want to by design. Are you under the impression that the Domain Administrator has different permissions on a local machine than the local administrator does? The only reason a Domain Admin has admin rights by default on a domain workstation is because they simply belong to the local Administrators group. If I, as a local admin, remove the domain admin account from my local Administrators group, then they will not be local admins. In fact, I can just make the Domain Admin a "guest" on my workstation if I want to and there is nothing they can do about it.

Sorry to be the bearer of bad news for you, but the local admin can do what they want to by design, and there is nothing that was "not intended by the software developer" here. This is, of course, why the people at MSFT dismissed it as noted.

t

-----Original Message-----
From: StenoPlasma @ ExploitDevelopment [mailto:StenoPlasma () exploitdevelopment com]
Sent: Thursday, December 09, 2010 6:13 PM
To: Thor (Hammer of God); full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

T,

My article describes how to use the SECURITY registry hive to trick the Microsoft operating system into performing an action that has a result that is not intended by the software developer. This action is performed on the Active Directory logon account cache that regular local administrators should not have access to. There are always other ways of doing things when it comes to this type of work.

Thank you,

-----------------------------------------------------
StenoPlasma at ExploitDevelopment.com
www.ExploitDevelopment.com
-----------------------------------------------------

-------- Original Message --------
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Sent: Thursday, December 09, 2010 6:07 PM
To: "stenoplasma () exploitdevelopment com" <stenoplasma () exploitdevelopment com>, "full-disclosure () lists grok org uk" <full-disclosure () lists grok org uk>
Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

Why all the trouble? Just change the log files directly when logged in as the local admin. It's a whole lot simpler, and you don't even need the domain administrator to have interactively logged into your workstation. Or is your point that local administrators are, um, local administrators?

t

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of StenoPlasma @ www.ExploitDevelopment.com
Sent: Thursday, December 09, 2010 5:07 PM
To: bugtraq () securityfocus com; full-disclosure () lists grok org uk
Cc: stenoplasma () exploitdevelopment com
Subject: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

-------------------------------------------------------------------------
www.ExploitDevelopment.com 2010-M$-002
-------------------------------------------------------------------------

TITLE: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts

SUMMARY AND IMPACT:

All versions of Microsoft Windows operating systems allow real-time modifications to the Active Directory cached accounts listing stored on all Active Directory domain workstations and servers. This allows domain users that have local administrator privileges on domain assets to modify their cached accounts to masquerade as other domain users that have logged into those domain assets. This will allow local administrators to temporarily escalate their domain privileges on domain workstations or servers. If the local administrator masquerades as an Active Directory Domain Admin account, the modified cached account is now free to modify system files and user account profiles using the identity of the Domain Admin's account. This includes creating scripts to run as the Domain Admin account the next time that they log in. All files created will not be linked to your domain account in file and folder access lists. All security access lists will only show the Domain Admin's account once you log out of the modified cached account. This leads to a number of security issues that I will not attempt to identify in the article. One major issue is the lack of non-repudiation. Editing files and other actions will be completed as another user account. Event log entries for object access will only be created if administrators are auditing successful access to files (This will lead to enormous event log sizes).

DETAILS:

Prerequisites to exploit:

#1: The user has a "Domain User" account that has administrative privileges on his/her workstation (This is a common configuration for both small and enterprise networks).

#2: The Microsoft Windows Active Directory domain has not disabled the use of Group Policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)". The default value for this setting is "10 logons".

#3: A domain/enterprise/schema/privileged administrator has logged in to the user's workstation at any time in the past (It would be very difficult to not have some type of admin from the domain login to a workstation for a number of reasons).

Use the following steps to exploit this vulnerability:

Step 1: Log in to your workstation using your Active Directory domain account. This account only needs to have administrative access to your workstation.

Step 2: Create an interactive scheduled task to run a minute after creating it. This scheduled task brings up a command prompt as the NT Authority\SYSTEM account on Windows XP, and 2003. 'at 11:24 /interactive cmd.exe'. If using Windows Vista, 7, or 2008 Server, the attacker can use the psexec tool (psexec -i -s cmd.exe).

Step 3: Once the SYSTEM command prompt comes up, open regedit from the command line.

Step 4: Browse to 'HKEY_LOCAL_MACHINE\SECURITY\Cache'

Step 5: The list of "NL$1-10" records contain the cached active directory domain account sessions. To identify which account is yours, perform the following steps. Take note of all NL$ entries and entry content. Change your domain account password. Leave the SYSTEM shell and regedit application open. Log off the workstation, and then log back in to your domain account. Refresh the NL$ list. The NL$ line item that has been updated is your domain user's cached session.

Step 6: For this example, we will assume that your NL$ record is "NL$4"

Step 7: Double click on "NL$4". Take note of the four hex characters that are located in positions 1, 2, 3, and 4 on line 3 of the hex data.

Step 8: For this example, the hex characters are "5a 04". This number is the Active Directory octet string representation of your domain account's object SID (The user account unique section of your AD Security Identifier).

Step 9: For this example, there is only one other cached account listed in the NL$ listing (NL$3). Double click on "NL$3". Take note of the four hex characters that are located in positions 1, 2, 3, and 4 on line 3 of the hex data.

Step 10: For this example, the hex characters are "59 04". This user account is "Domain\DomainAdminAcct".

Step 11: Double click on "NL$4". Replace your SID hex representation "5a 04", with DomainAdminAcct's SID hex representation "59 04".

Step 12: *Important* Disconnect all physical network connections from the workstation.

Step 13: Log off of the domain account, then log back in to your domain account.

Step 14: You will now be logged in to your modified cached account that is really the Domain Admin's account.

Step 15: You are now free to modify system files and user account profiles using the identity of the Domain Admin's account. This includes creating scripts to run as the Domain Admin account the next time that they log in. All files created will not be linked to your domain account. All security access lists will only show the Domain Admin's account once you log out of the modified cached account.

Step 16: All actions taken are indeed logged in the Security Event Log, but all actions are shown as being completed by "Domain\DomainAdminAcct". Deeper inspection of event logs will show inside the login and logout events for your modified cached account, your actual user name is listed inside the event, but not in the Security Event Log Viewer listing. Event log entries for object access will only be created if administrators are auditing successful access to files (This will lead to enormous event log sizes). These events will be listed as being performed as "Domain\DomainAdminAcct" in the event log viewer, but deeper inspection will show your true user name.

VULNERABLE PRODUCTS: All patch levels of Windows 2003 Server, Windows XP, Windows Vista, Windows 7, and Windows 2008 Server.

REFERENCES AND ADDITIONAL INFORMATION: N/A

CREDITS: StenoPlasma (at) ExploitDevelopment.com

TIMELINE:
Discovery: December 4, 2010
Vendor Notified: December 7, 2010
Vendor Fixed: N/A
Vendor Dismissed: December 9, 2010
Vendor Notified of Disclosure: December 9, 2010
Disclosed: December 9, 2010

VENDOR URL: http://www.microsoft.com
ADVISORY URL: http://www.ExploitDevelopment.com/Vulnerabilities/2010-M$-002.html
VENDOR ADVISORY URL: N/A

-------------------------------------------------------------
StenoPlasma at ExploitDevelopment.com
www.ExploitDevelopment.com
-------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
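An added hardening check, written for this archive page and not part of the thread or the advisory, that audits the three prerequisites the advisory lists from the defender's side: whether domain logons are cached at all, and which non-local principals hold local Administrators membership. It assumes an elevated PowerShell 5.1 or later session on a domain-joined host (Get-LocalGroupMember is not present on the XP/2003-era systems named in the advisory), and that the Group Policy "Interactive logon: Number of previous logons to cache" is backed by the Winlogon CachedLogonsCount registry value.

```powershell
# Added example (not from the thread): audit the advisory's prerequisites.
function Test-CachedLogonExposure {
    [CmdletBinding()]
    param()

    # Prerequisite #2: the cache policy. CachedLogonsCount is a REG_SZ under
    # Winlogon; when the value is absent Windows uses its default of 10.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = '10' }
    $cachedCount = [int]$cached

    # Prerequisite #1: domain principals that are local administrators.
    # PrincipalSource is 'Local' for built-in/local accounts and
    # 'ActiveDirectory' for domain users and groups.
    $domainAdmins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -ne 'Local' } |
        ForEach-Object { '{0} ({1})' -f $_.Name, $_.ObjectClass }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CachedLogonsCount = $cachedCount
        LogonsAreCached   = ($cachedCount -gt 0)
        NonLocalAdmins    = @($domainAdmins)
    }
}

$result = Test-CachedLogonExposure
$result | Format-List

if ($result.LogonsAreCached) {
    # Cached NL$ entries live under HKLM\SECURITY\Cache, readable and
    # writable by SYSTEM; a local admin can become SYSTEM on demand, so the
    # only real control is limiting who gets cached there. Prerequisite #3
    # (a privileged domain account has logged on here) is the one to break:
    # keep Domain Admins off workstations, and set the policy to 0 via
    # Group Policy for machines that never leave the corporate network.
    Write-Warning ('{0} logons are cached on this host; privileged accounts ' +
                   'that log on interactively will be cached too.') -f $result.CachedLogonsCount
}
if ($result.NonLocalAdmins.Count -gt 0) {
    Write-Warning ('Non-local members of Administrators: ' +
                   ($result.NonLocalAdmins -join ', '))
}
```

Run it across a fleet (for example via Invoke-Command) and triage hosts where LogonsAreCached is true and a domain user group, rather than an individual break-glass account, appears in NonLocalAdmins.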