Full Disclosure mailing list archives
Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Fri, 10 Dec 2010 15:56:29 +0000
Hey Jeff - StenoPlasma and I took the conversation off-line, and I'm clear about what he is illustrating. As far as the local machine is concerned, there is no difference between the local admin and the domain admin or any other admin in the Administrators group. The paper illustrates how one admin can pretend to be another admin by masquerading as his SID. Of course, the admin could masquerade as a normal user too, but there's no point in that.

That said, there's no point in one admin pretending to be another admin. There is no down-range network access to this, and as StenoPlasma pointed out, you have to have the network cable unplugged to do this. Not taking away from SP's find, but at the end of the day, this doesn't allow an administrator to do anything he couldn't already do. If repudiation is the concern, the one admin can simply create another admin user, log in as them, and do whatever they want logging activities as that user.

I've been counting, and now this is 1 million four: If it starts with "If I'm admin..." then what comes next doesn't matter.

t

-----Original Message-----
From: Jeffrey Walton [mailto:noloader () gmail com]
Sent: Friday, December 10, 2010 6:38 AM
To: Thor (Hammer of God)
Cc: StenoPlasma () exploitdevelopment com; full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

On Thu, Dec 9, 2010 at 10:07 PM, Thor (Hammer of God) <thor () hammerofgod com> wrote:
> What do you mean by "regular local administrator"? You're a local admin, or you're not.

I believe the OP's intent was to differentiate between Local Administrators and Domain (or Enterprise) Administrators. Corrections from StenoPlasma are welcomed.

> There are not degrees of local admin.

But there are different accounts, both domain and local, which have administrator rights and privileges on the local machine.

[SNIP]

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/