Home page logo

bugtraq logo Bugtraq mailing list archives

RE: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Mon, 13 Dec 2010 20:47:37 +0000

The attack has some academically interesting details about how cached
credentials work, but I agree with Stefan. If you own the machine, you own
the machine. What's to stop you from, say, simply installing a rootkit?

Exactly.  More importantly, even if you must make users local admins, there is never *any* reason why the domain 
administrator should interactively log onto a workstation as the domain administrator anyway.  Service personnel log on 
with support accounts, not the domain admin accounts.  If they do, well, then you've got other problems.  But in this 
case even if a domain admin logs in interactively (or via RDP), it's not an issue.  Cached credentials can't be used 
for anything other than to log on to the local machine if there is no DC available.  After a domain account logs on to 
a local system, after AD authenticates the request, then *another* hash is made of the hashed password with *a 
different salt* each time, for each user cached. 

As far as the academic interest, cached account behavior is a documented process which has been around for years, local 
admin overwrite capabilities included.  


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]