Full Disclosure: Re: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)

Re: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)

From: "Michael Wojcik" <Michael.Wojcik () microfocus com>
Date: Mon, 13 Dec 2010 08:38:38 -0800

From: Stefan Kanthak [mailto:stefan.kanthak () nexgo de]
Sent: Friday, 10 December, 2010 17:12

"George Carlson" <gcarlson () vccs edu> wrote:

Your objections are mostly true in a normal sense.
However, it is not true when Group Policy is taken into account.


Group Policies need an AD. Cached credentials are only used locally,
for domain accounts, when the computer can't connect to the AD.

Group Policies differentiate between local and Domain administrators


Local administrators don't authenticate against an AD, they
authenticate against the local SAM. No GPOs there!
And: a local administrator can override ANY policy, even exempt the
computer completely from processing Group Policies.


And the exploit requires that a domain administrator have logged into
the target system at some point. If a domain administrator did that
once, it's probably not hard to make it happen again, with a little
social-engineering grease. And since the attacker is a local
administrator on that machine, it'd be easy to simply capture the domain
administrator's credentials (at least if password authentication is
being used).

Hell, I'd bet lots of domain administrators, when logging into a user's
workstation, don't even use the SAK if a login dialog is already up when
they sit down at the machine.

The attack has some academically interesting details about how cached
credentials work, but I agree with Stefan. If you own the machine, you
own the machine. What's to stop you from, say, simply installing a
rootkit?

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus



This message has been scanned for viruses by MailController - www.MailController.altohiway.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002), (continued)
- Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Jason Lang (Dec 12)
- Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) phil (Dec 12)