Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)
On 12/13/2010 11:19 AM, Michael Bauer wrote: > An administrator is very different there are many levels of > administrative control in windows to say an admin is an admin is > absurd. I disagree. There's only one level of pwned. > There is a big difference between a local admin and a domain > admin. Yes, local vs. network is sometimes a useful distinction. But joining a machine to the domain gives it a bit more power to attack other stuff on the domain. And how many domain-joined systems do not also include Domain Admins as Local Admins? > There are many types of admin in windows and all of them have > different levels of permission. I disagree. > I would be very scared to have anyone > taking care of any of my systems windows or NIX who thought an admin > was an admin and root is root. You ought to be scared anyway. There's a new local exploit here every few days or weeks. > Here is a reference showing the > different SIDs for some common windows accounts. > Http://support.microsoft.com/kb/24333 > > If you take time to read it you will see there are numerous types of > windows administrator all with different permissions. I know MS set out to define all these different capabilities and so on. My impression is that much of that was suggested by Orange Book. But they supposedly obtained this Orange Book certification yet still installed notepad.exe as world-writable by default. In practice, those distinctions rarely hold up under scrutiny. Remember "Guest User" vs "User" vs "Power User"? MS has greatly de-emphasized the utility of boundaries between privileges them in the OS over time, preferring instead to invent new ones that were more relevant to the times. Witnesseth the recent discussions about the elevation token and IE protected mode. The best you can hope for is to maintain an effective boundary between normal users and root/admin. But usually as soon as you install a few off-the-shelf Windows or shareware apps, it's gone. Try this: install your favorite "productivity" app in a non-default directory, e.g. C:\, then look at the filesystem permissions on its executable folder (and everywhere it might load DLLs from). Then note that (just a wild guess) it probably runs some dll-preloader and system tray icon processes for everyone who logs in - even Admins. Even on a pristine OS install, the next local escalation bug is just a matter of time, and that's just the published ones. The bad guys likely have plenty already. If you're lucky, you might be able to maintain an effective security boundary between a local computer and the network. Don't waste your time trying to protect machines from users who have unsupervised physical access anyway. - Marsh ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)
>The attack has some academically interesting details about how cached >credentials work, but I agree with Stefan. If you own the machine, you own >the machine. What's to stop you from, say, simply installing a rootkit? Exactly. More importantly, even if you must make users local admins, there is never *any* reason why the domain administrator should interactively log onto a workstation as the domain administrator anyway. Service personnel log on with support accounts, not the domain admin accounts. If they do, well, then you've got other problems. But in this case even if a domain admin logs in interactively (or via RDP), it's not an issue. Cached credentials can't be used for anything other than to log on to the local machine if there is no DC available. After a domain account logs on to a local system, after AD authenticates the request, then *another* hash is made of the hashed password with *a different salt* each time, for each user cached. As far as the academic interest, cached account behavior is a documented process which has been around for years, local admin overwrite capabilities included. t ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)
An administrator is very different there are many levels of administrative control in windows to say an admin is an admin is absurd. There is a big difference between a local admin and a domain admin. There are many types of admin in windows and all of them have different levels of permission. I would be very scared to have anyone taking care of any of my systems windows or NIX who thought an admin was an admin and root is root. Here is a reference showing the different SIDs for some common windows accounts. Http://support.microsoft.com/kb/24333 If you take time to read it you will see there are numerous types of windows administrator all with different permissions. Sent from my iPhone On Dec 10, 2010, at 5:11 PM, "Stefan Kanthak" wrote: > "George Carlson" wrote: > >> Your objections are mostly true in a normal sense. > > And in abnormal sense? > >> However, it is not true when Group Policy is taken into account. > > Group Policies need an AD. Cached credentials are only used locally, > for domain accounts, when the computer can't connect to the AD. > >> Group Policies differentiate between local and Domain administrators > > Local administrators don't authenticate against an AD, they authenticate > against the local SAM. No GPOs there! > And: a local administrator can override ANY policy, even exempt the > computer completely from processing Group Policies. > >> and so this >> vulnerability is problematic for shops that differentiate between >> desktop support and AD support. > > Again: this is NO VULNERABILITY. > An administrator is an administrator is an administrator. > > [braindead fullquote removed ] > > Stefan > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)
> From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de] > Sent: Friday, 10 December, 2010 17:12 > > "George Carlson" wrote: > > > Your objections are mostly true in a normal sense. > > However, it is not true when Group Policy is taken into account. > > Group Policies need an AD. Cached credentials are only used locally, > for domain accounts, when the computer can't connect to the AD. > > > Group Policies differentiate between local and Domain administrators > > Local administrators don't authenticate against an AD, they > authenticate against the local SAM. No GPOs there! > And: a local administrator can override ANY policy, even exempt the > computer completely from processing Group Policies. And the exploit requires that a domain administrator have logged into the target system at some point. If a domain administrator did that once, it's probably not hard to make it happen again, with a little social-engineering grease. And since the attacker is a local administrator on that machine, it'd be easy to simply capture the domain administrator's credentials (at least if password authentication is being used). Hell, I'd bet lots of domain administrators, when logging into a user's workstation, don't even use the SAK if a login dialog is already up when they sit down at the machine. The attack has some academically interesting details about how cached credentials work, but I agree with Stefan. If you own the machine, you own the machine. What's to stop you from, say, simply installing a rootkit? -- Michael Wojcik Principal Software Systems Developer, Micro Focus This message has been scanned for viruses by MailController - www.MailController.altohiway.com ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)
Stefan, For you information: Cached domain accounts on a local system are not stored in the SAM. They are stored in the SECURITY registry hive. When a cached domain user logs in to the system, they do not authenticate against the SAM (As you can see in my article, I am not editing the SAM). - StenoPlasma at ExploitDevelopment.com www.ExploitDevelopment.com - Original Message > From: "Stefan Kanthak" > Sent: Monday, December 13, 2010 7:53 AM > To: bugt...@securityfocus.com, full-disclosure@lists.grok.org.uk > Subject: Re: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) > > "George Carlson" wrote: > > > Your objections are mostly true in a normal sense. > > And in abnormal sense? > > > However, it is not true when Group Policy is taken into account. > > Group Policies need an AD. Cached credentials are only used locally, > for domain accounts, when the computer can't connect to the AD. > > > Group Policies differentiate between local and Domain administrators > > Local administrators don't authenticate against an AD, they authenticate > against the local SAM. No GPOs there! > And: a local administrator can override ANY policy, even exempt the > computer completely from processing Group Policies. > > > and so this > > vulnerability is problematic for shops that differentiate between > > desktop support and AD support. > > Again: this is NO VULNERABILITY. > An administrator is an administrator is an administrator. > > [braindead fullquote removed ] > > Stefan ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)
"George Carlson" wrote: > Your objections are mostly true in a normal sense. And in abnormal sense? > However, it is not true when Group Policy is taken into account. Group Policies need an AD. Cached credentials are only used locally, for domain accounts, when the computer can't connect to the AD. > Group Policies differentiate between local and Domain administrators Local administrators don't authenticate against an AD, they authenticate against the local SAM. No GPOs there! And: a local administrator can override ANY policy, even exempt the computer completely from processing Group Policies. > and so this > vulnerability is problematic for shops that differentiate between > desktop support and AD support. Again: this is NO VULNERABILITY. An administrator is an administrator is an administrator. [braindead fullquote removed ] Stefan ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/