Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

[phil () jabea net]

If a bad guy got the local admin password, then the computer is in it's
control at 100%. No need to run script as a domain user, as the local
admin can already format the drive, or remove all security mesure.

The cached credential is a hash of a hash. (kinda long to crack)

Any good network admin would use a account that can only join a computer
in the domain, and use the local admin account to install software or a
helpdesk account that got local admin right.

The only case maybe that case is a security hole that I can think of, I
told maybe because I didn't tested it. It's if the computer got a local
mssql with mixed mode authentification. Does the trick permit the login to
the database if you installed it with a domain user, that is cached on the
computer? (But who care, as the local admin can just copy the data dir
anyway)


My .02 cent



-phil


> Correct me if I'm wrong, but here is what I think of that :
>
> A Domain user that is a Local admin of his workstation is different than
> a Domain user which is Domain Admin.
>
> Then, a local admin whose account is an AD account can run scripts *on
> his local machine* in the name of the domain admin.
>
> This includes the possibility of dumping the Domain Admin password hash
> and even *all the domain accounts password hashes* (ie: psexec + pwdump
> against the DC, with the privileges of the domain admin).
>
> An exploitation scenario could be the following for an unprivileged
> domain user:
>
> - Become local admin of his workstation (bunch of methods out there)
> - Run script ad the Domain Admin with this technique)
> - Recover Domain admin or Domain Users password hashes.
> - Crack the passwords and become Domain Admin (ie: Administrator of all
> workstations and servers in the domain).
>
> My two cents !
>
> J-
>
>
> On 10/12/2010 15:37, Jeffrey Walton wrote:
> > On Thu, Dec 9, 2010 at 10:07 PM, Thor (Hammer of God)
> > <thor () hammerofgod com>  wrote:
> > > What do you mean by "regular local administrator"?  You're a local
> > > admin,
> > > or you're not.
> > I believe the OP's intent was to differentiate between Local
> > Administrators and Domain (or Enterprise) Administrators. Corrections
> > from StenoPlasma are welcomed.
> >
> > > There are not degrees of local admin.
> > But there are different accounts, both domain and local, which have
> > administrator rights and privileges on the local machine.
> >
> > [SNIP]
> >
> > Jeff
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/