BugTraq
Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Dec 10 2010 01:06AM
StenoPlasma @ www.ExploitDevelopment.com (exploitdevelopmentdotcom gmail com) (1 replies)
Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Dec 10 2010 04:29PM
Stefan Kanthak (stefan kanthak nexgo de) (2 replies)
RE: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Dec 10 2010 06:12PM
George Carlson (gcarlson vccs edu) (2 replies)
RE: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) Dec 11 2010 12:15AM
Thor (Hammer of God) (thor hammerofgod com) (2 replies)
Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002) Dec 13 2010 05:12PM
Andrea Lee (andrea kattrap net) (4 replies)
Re: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) Dec 10 2010 10:11PM
Stefan Kanthak (stefan kanthak nexgo de) (1 replies)
RE: Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002) Dec 13 2010 04:38PM
Michael Wojcik (Michael Wojcik microfocus com) (1 replies)
RE: [Full-disclosure] Flaw in Microsoft Domain AccountCachingAllows Local Workstation Admins to TemporarilyEscalatePrivileges and Login as Cached Domain Admin Accounts(2010-M$-002) Dec 13 2010 08:47PM
Thor (Hammer of God) (thor hammerofgod com)
>The attack has some academically interesting details about how cached
>credentials work, but I agree with Stefan. If you own the machine, you own
>the machine. What's to stop you from, say, simply installing a rootkit?

Exactly. More importantly, even if you must make users local admins, there is never *any* reason why the domain administrator should interactively log onto a workstation as the domain administrator anyway. Service personnel log on with support accounts, not the domain admin accounts. If they do, well, then you've got other problems. But in this case even if a domain admin logs in interactively (or via RDP), it's not an issue. Cached credentials can't be used for anything other than to log on to the local machine if there is no DC available. After a domain account logs on to a local system, after AD authenticates the request, then *another* hash is made of the hashed password with *a different salt* each time, for each user cached.

As far as the academic interest, cached account behavior is a documented process which has been around for years, local admin overwrite capabilities included.

t

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus