accounts
I must express my disagreement. I consider that if someone can automate
the process of password cracking, there is a security problem. I have
programmed a Python script that implements the process that I explain in
the proof of concept paragraph, and it has allowed me to run thousands
of automated requests and obtain the password of one of my test accounts.
> Gmail has all sorts of additional limits on password brute forcing.
> The confusion here is the difference between "login incorrect" (due to
> bad password) and "login incorrect" (due to excessive login attempts).
> This protection kicks in after a small number of failed attempts,
--------------------------------------------------------------------------
www.ExploitDevelopment.com 2010-M$-002
--------------------------------------------------------------------------
TITLE:
Flaw in Microsoft Domain Account Caching Allows Local Workstation
Admins to Temporarily Escalate Privileges and Login as Cached Domain
Admin Accounts
SUMMARY AND IMPACT:
All versions of Microsoft Windows operating systems allow real-time
>
> III. DESCRIPTION
> -------------------------
> An existing abuse of functionality in the "Check for mail using POP3"
> capability permits automated attacks to the password data of the
> accounts of the Gmail users evading the security measures adopted by
> Google.
>
> Gmail implements a great number of security controls and, most of them
> are not revealed until an attack is conducted or a malicious use of
> the account is done. For example:
III. DESCRIPTION
-------------------------
An existing abuse of functionality in the "Check for mail using POP3"
capability permits automated attacks to the password data of the
accounts of the Gmail users evading the security measures adopted by
Google.
Gmail implements a great number of security controls and, most of them
are not revealed until an attack is conducted or a malicious use of
the account is done. For example:
>Lee
>Sent: Monday, December 13, 2010 9:12 AM
>To: Thor (Hammer of God)
>Cc: George Carlson; bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
>Local Workstation Admins to Temporarily Escalate Privileges and Login as
>Cached Domain Admin Accounts (2010-M$-002)
>
>I hope I'm not just feeding the troll...
Everyone.
Please read my original post. I never claimed to gain access to
networked resources using the masqueraded account. My method merely
shows that you can modify the SAM and SECURITY hives without using DLL
injection or any other advanced technique that security Admins are
currently looking for when it comes to advanced persistent threats.
On Dec 13, 2010 11:54 AM, "Kurt Dillard" <kurtdillard@msn.com> wrote:
From: kattrap@gmail.com [mailto:kattrap@gmail.com] On Behalf Of Andrea Lee
Sent: Monday, December 13, 2010 2:12 PM
To: Thor (Hammer of God)
Cc: George Carlson; bugtraq@securityfocus.com;
full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching
Allows Local Workstation Admins to Temporarily Escalate Privileges and Login
as Cached Domain Admin Accounts (2010-M$-002)
I hope I'm not just feeding the troll...
To all,
The reason I wrote this article was not to explain how to create a hidden
user account. I wrote the article to show you that you can modify the SAM
in real time in a way that is undetectable by ANYONE. This modification
allows you to masquerade any user account as the built-in Administrator.
Christian,
"Continued Access" to a system means that someone has compromised a system
In whose universe? Did you even read the post? Local admins become LOCAL ADMINS by using a cached domain account who is a LOCAL ADMIN. You have to do it with the network cable unplugged. There is no privilege escalation here.
StenoPlasma's intent was to educate people on how things worked, and while there isn't a security issue here, he was completely correct in that you guys really need to learn what you are talking about.
t
>-----Original Message-----
>From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-
>bounces@lists.grok.org.uk] On Behalf Of jcoyle@winwholesale.com
>Sent: Friday, December 10, 2010 11:45 AM
>-----Original Message-----
>From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-
>bounces@lists.grok.org.uk] On Behalf Of George Carlson
>Sent: Friday, December 10, 2010 10:12 AM
>To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
>Local Workstation Admins to Temporarily Escalate Privileges and Login as
>Cached Domain Admin Accounts (2010-M$-002)
>
>Your objections are mostly true in a normal sense. However, it is not true
>when Group Policy is taken into account. Group Policies differentiate
>>-----Original Message-----
>>From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-
>>bounces@lists.grok.org.uk] On Behalf Of George Carlson
>>Sent: Friday, December 10, 2010 10:12 AM
>>To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>>Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
>>Local Workstation Admins to Temporarily Escalate Privileges and Login as
>>Cached Domain Admin Accounts (2010-M$-002)
>>
>>Your objections are mostly true in a normal sense. However, it is not true
>>when Group Policy is taken into account. Group Policies differentiate
Hi!
>
> The reason I wrote this article was not to explain how to create a hidden
> user account. I wrote the article to show you that you can modify the SAM
> in real time in a way that is undetectable by ANYONE. This modification
> allows you to masquerade any user account as the built-in Administrator.
>
> Christian,
>
> "Continued Access" to a system means that someone has compromised a system
INACTIVE ACCOUNT HIJACKING
author: l0om
page: l0om.org
date: 02.05.2009
OVERVIEW:
I would like to draw your attention to a problem that is already known and has surely been exploited for a long time, but clearly seems to be underestimated.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Default Credentials for Root Account on
Tandberg E, EX and C Series Endpoints
Advisory ID: cisco-sa-20110202-tandberg
Revision 1.0
Your objections are mostly true in a normal sense. However, it is not
true when Group Policy is taken into account. Group Policies
differentiate between local and Domain administrators and so this
vulnerability is problematic for shops that differentiate between
desktop support and AD support.
George Carlson
Sr. Network Engineer
(804) 423-7430
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco TelePresence System Integrator C Series and Cisco TelePresence EX Series Device Default Root Account Manufacturing Error
Advisory ID: cisco-sa-20111109-telepresence-c-ex-series
Revision 1.0
For Public Release 2011 November 9 16:00 UTC (GMT)
Administrative Access Using Hidden Regular User Masquerading After
Compromise
SUMMARY AND IMPACT:
All versions of Microsoft Windows allow real-time modifications to the
Security Accounts Manager (SAM) that enable an attacker to create a
hidden administrative backdoor account for continued access once a
system has been compromised. Once an attacker has compromised a
Microsoft Windows computer system using any method, they can either
leave behind a regular user or hijack a known user account (Such as
ASPNET). This user account will now have all of the rights of the
From: "Stefan Kanthak" <stefan.kanthak@nexgo.de>
To: <bugtraq@securityfocus.com>,
<full-disclosure@lists.grok.org.uk>
Cc: <stenoplasma@exploitdevelopment.com>
Date: 12/10/2010 01:08 PM
Subject: Re: Flaw in Microsoft Domain Account Caching Allows Local
Workstation Admins to Temporarily Escalate Privileges and Login
as Cached Domain Admin Accounts (2010-M$-002)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Default Credentials for root Account on the
Cisco Media Experience Engine 5600
Advisory ID: cisco-sa-20110601-mxe
Revision 1.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco IP Video Phone E20 Default Root Account
Advisory ID: cisco-sa-20120118-te
Revision 1.0
For Public Release 2012 January 18 16:00 UTC (GMT)
1) The ELBA application v5.4.1 listens on a remotely reachable port
that is used for network testing purposes. It uses java serialization
for its protocol without any encryption or authentication. This can be
abused to leak the username of a currently logged on user. Disclosed
usernames can be used in further attacks on different services and/or
ease bruteforcing of user accounts.
Furthermore, if ELBA receives an invalid serialized method name, an
assertion fails and a message box with an attacker-controlled value
is displayed, and the user is forced to shut down the application. This
can be abused to disrupt the work of a user, or as part of a social
engineering attack, as it is possible to make the message box display a
The PeopleSoft Enterprise application architecture is built around the proprietary PeopleTools technology. The PeopleTools user authentication mechanism requires a user to provide the correct credentials in order to gain access through the web interface. An account lockout policy disables a user account if an incorrect password is entered a specified number of times over a specified period.
Scope
Imperva’s Application Defense Center conducts extensive research on enterprise applications on behalf of its customers, including research on applications like PeopleSoft, SAP and Oracle EBS. During its research, the team has identified a security flaw related to PeopleTools authentication mechanism and account lock-out policy.
Findings
"StenoPlasma @ www.ExploitDevelopment.com" wrote:
Much ado about nothing!
> TITLE:
> Flaw in Microsoft Domain Account Caching Allows Local Workstation
> Admins to Temporarily Escalate Privileges and Login as Cached Domain
> Admin Accounts
There is NO privilege escalation. A local administrator is an administrator
is an administrator...
Summary
=======
A vulnerability exists in some Cisco Secure Access Control System
(ACS) versions that could allow a remote, unauthenticated attacker to
change the password of any user account to any value without
providing the account's previous password. Successful exploitation
requires the user account to be defined on the internal identity
store.
This vulnerability does not allow an attacker to perform any other
----------
The vulnerability may be exploited on Studio if both of these
conditions apply:
- you have Studio 2.0
and
- you have created a user account with limited privileges (this is
not the default configuration).
Studio is by default shipped with the root user account and no other
user accounts. For this reason, exploitation of the vulnerability
would not yield any gain for an attacker since the attacker would
8.1 Introduction
Many past advisories have been published for Cute News. An unpatched LFI
exploit was published in January 2009.
Attackers without a registered account or with a comment level account
can exploit cross site scripting (XSS) to steal cookies from other
users, cross site request forgery (CSRF) vulnerability to execute
administrator functions including adding a new administrator account and
can exploit a file path disclosure vulnerability.
feature contains a privilege escalation vulnerability that may allow
an attacker to obtain complete administrative access to a vulnerable
Cisco Unified Communications Manager system. After an IP Phone PAB
Synchronizer client successfully authenticates to a Cisco Unified
Communications Manager device over a HTTPS connection, the Cisco
Unified Communications Manager returns credentials for a user account
that is used to manage the Cisco Unified Communications Manager
directory service. If an attacker is able to intercept the
credentials, they can perform unauthorized modifications to the Cisco
Unified Communications Manager configuration and extend their
privileges. The IP Phone PAB Synchronizer client has been redesigned
One of the applications that is exposed through the port 8812 message routing service executes a system command without sanitizing the arguments provided by the requesting application. This allows arbitrary commands to be executed on the appliance. Combined with Issue #1, this allows remote, unauthenticated command execution on the appliance as the "soggycat" user, which is root equivalent (sudo rights). Rapid7 has developed a Metasploit module[***] to chain these vulnerabilities and will release this module in early March.
3. Remote Administration TTY Check Bypass
The appliance ships with a default login of admin/accellion. To reduce the risk of remote attack, this account is not allowed to login over Secure Shell. The implementation of this security check has a flaw and
it is still possible to configure an out-of-box Accellion appliance remotely through SSH, simply by executing a shell without a TTY: (ssh admin@target 'sh')
4. Static Passwords for Privileged User Accounts
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances. This security
advisory outlines the details of these vulnerabilities:
* VPN Authentication Bypass when Account Override Feature is Used
vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
Summary
=======
Customers who use the CiscoWorks Wireless LAN Solution Engine (WLSE) may use a
conversion utility to convert over to a Cisco Wireless Control System (WCS).
This conversion utility creates and uses administrative accounts with default
credentials. Because there is no requirement to change these credentials during
the conversion process, an attacker may be able to leverage the accounts that
have default credentials to take full administrative control of the WCS after
the conversion has been completed.