>Sent: Monday, December 13, 2010 9:12 AM
>To: Thor (Hammer of God)
>Cc: George Carlson; bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
>Local Workstation Admins to Temporarily Escalate Privileges and Login as
>Cached Domain Admin Accounts (2010-M$-002)
>
>I hope I'm not just feeding the troll...
No, you are perpetuating inaccurate vulnerability claims.
So far I agree with Thor. Did I miss something? Has anyone demonstrated
using the locally cached credentials to access resources across the network?
So far I haven't seen anything new or interesting in this thread:
1. StenoPlasma claims that a local admin can access and reuse the cached
credentials of other users.
2. Stefan, Thor, et al yawn.
3. Joyce, Andrea, and perhaps others seem to be conflating local access
(what StenoPlasma was talking about) with gaining domain admin privileges on
domain controllers and other resources on separate machines (which nobody
Everyone.
Please read my original post. I never claimed to gain access to
networked resources using the masqueraded account. My method merely
shows that you can modify the SAM and SECURITY hives without using DLL
injection or any other advanced technique that security Admins are
currently looking for when it comes to advanced persistent threats.
On Dec 13, 2010 11:54 AM, "Kurt Dillard" <kurtdillard@msn.com> wrote:
> So far I agree with Thor. Did I miss something? Has anyone demonstrated
I hope I'm not just feeding the troll...
A local admin is an admin on one system. The domain admin is an admin
on all systems in the domain, including mission critical Windows
servers. With temporary domain admin privs, the local admin could log
into the AD and change permissions / passwords for another user or
another user, thus getting full admin rights on all systems for a long
period of time. Plus whatever havoc might be caused by having the
ability to change rights on fileshares to allow the new domain admin
to see confidential files..
# ACP path
if( !$this->p_acp )
{
# If the user changed the ACP directory, we can
# find it (if the "Remove ACP Link" option was not
# applied) by logging in as an Admin and then clicking
# on "Admin CP". This can be done with a user
# account, but I didn't implement that ;)
$this->msg('Using default ACP path: admin', 1);
$this->p_acp = 'admin';
}
MustLive wrote:
> Hello Susan!
>
> If Microsoft did it, then it's good. But better in my opinion to do
> such as
> in Windows XP Professional - not to disable admin account by default,
> but to
> make password of default admin account similar to password of first admin
> (during installation process). Because if default admin account will be
> enabled later (with empty password) and one forgets to set new password,
> then it'll be much worse.
Hello Susan!
If Microsoft did it, then it's good. But better in my opinion to do such as
in Windows XP Professional - not to disable admin account by default, but to
make password of default admin account similar to password of first admin
(during installation process). Because if default admin account will be
enabled later (with empty password) and one forgets to set new password,
then it'll be much worse.
I'm not using Vista, so I can't check this issue on any of my computers. And
No. You just made a complete fool of yourself. :-P
Read the initial post again.
CAREFULLY.
Especially that part about unplugging from the network.
> A local admin is an admin on one system. The domain admin is an admin
> on all systems in the domain, including mission critical Windows
> servers.
Correct so far.
Document ID: ASPR #2009-01-27-1-PUB
Vendor: ORACLE (http://www.oracle.com)
Target: Oracle WebLogic Server 10.0
Impact: There is an HTML Injection vulnerability in WebLogic
Server 10 Administration Console that allows the
attacker to gain administrative access to the server.
Severity: High
Status: Official patch available, workarounds available
Discovered by: Sasa Kos of ACROS Security
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Wordpress <= 2.6.1
Severity: MySQL column truncation allows resetting the passwords of
wordpress users to random strings. Combined with weaknesses
in PHP's PRNG this allows determining the admin password.
Risk: High
Vendor Status: Vendor has released Wordpress 2.6.2 which fixes this issue
Reference: http://www.sektioneins.de/advisories/SE-2008-05.txt
http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/
On 2010-12-13 Andrea Lee wrote:
> A local admin is an admin on one system. The domain admin is an admin
> on all systems in the domain, including mission critical Windows
> servers. With temporary domain admin privs, the local admin could log
> into the AD and change permissions / passwords for another user or
> another user, thus getting full admin rights on all systems for a long
> period of time.
Can he? The OP isn't too clear about this, but it was my understanding,
that the local admin can impersonate the cached domain account on the
Document ID: ASPR #2008-03-11-1-PUB
Vendor: BEA Systems (http://www.bea.com)
Target: BEA WebLogic Server 10.0
Impact: There is an HTML Injection vulnerability in WebLogic
Server 10 Administration Console that allows the
attacker to gain administrative access to the server.
Severity: High
Status: Official patch available, workarounds available
Discovered by: Sasa Kos and Mitja Kolsek of ACROS Security
exploit was published in January 2009.
Attackers without a registered account or with a comment level account
can exploit cross site scripting (XSS) to steal cookies from other
users, cross site request forgery (CSRF) vulnerability to execute
administrator functions including adding a new administrator account and
can exploit a file path disclosure vulnerability.
Attackers with an administrator account, possibly gained by using the
exploits described above can exploit local file inclusion and command
execution vulnerabilities to execute arbitrary commands. Journalist and
If an admin who doesn't follow bugtraq doesn't know about the issue it's
not full disclosure to him. It's like when you hear about a "known
issue" from Microsoft. If I didn't know about it, how in the heck is
it a known issue? Just because someone in Redmond knows about it
doesn't mean the rest of us do.
I have captcha on a blog site I run. I get folks able to bypass the
filter and post spam comments that get filtered and then a week later or
so gets deleted off and the CPU use on the site sucks. But that could
also be the software I'm running.
Application: WinCom LPD Total - Line Printer Daemon
http://clientsoftware.com.au/lpd.html
Versions: <= 3.0.2.623
Platforms: Windows
Bugs: A] buffer-overflow in control filename
B] remote administration bypassing
C] integer memcpy crash in remote administration
D] buffer-overflow in remote administration
Exploitation: remote
Date: 04 Feb 2008
Author: Luigi Auriemma
Background
Bytehoard is a web application written in PHP that serves as a file
storage and sharing system.
It has two levels of security, a user level and an admin level. Login is
required but it can be configured to allow anyone to obtain a user level
account if desired.
Summary
=======
Unified Contact Center and Intelligent Contact Management products
contain a vulnerability that may result in unauthorized access to the
web-based reporting and script monitoring tool (Web View) and the
web-based configuration tool (Web Admin).
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20071017-IPCC.shtml.
Affected Products
www.ExploitDevelopment.com 2010-M$-002
--------------------------------------------------------------------------
TITLE:
Flaw in Microsoft Domain Account Caching Allows Local Workstation
Admins to Temporarily Escalate Privileges and Login as Cached Domain
Admin Accounts
SUMMARY AND IMPACT:
All versions of Microsoft Windows operating systems allow real-time
modifications to the Active Directory cached accounts listing stored
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
Oracle GlassFish Server Administration Console Authentication Bypass
1. *Advisory Information*
Title: Oracle GlassFish Server Administration Console Authentication Bypass
Document ID: ASPR #2009-10-30-1-PUB
Vendor: Oracle (http://www.oracle.com)
Target: Oracle WebLogic Server 10.3
Impact: There is an HTML Injection vulnerability in WebLogic
Server 10.3 Administration Console that allows the
attacker to gain administrative access to the server.
Severity: High
Status: Official patch available, workarounds available
Discovered by: Luka Treiber of ACROS Security
=========================================================================
ACROS Security Problem Report #2008-03-11-2
-------------------------------------------------------------------------
ASPR #2008-03-11-2: Session Fixation Vulnerability in WebLogic
Administration Console
=========================================================================
Document ID: ASPR #2008-03-11-2-PUB
Vendor: BEA Systems (http://www.bea.com)
Target: BEA WebLogic Server 10.0
%>
<head>
<meta http-equiv="content-type" content="text/html;
charset=iso-8859-1"/>
@@ -45,7 +47,7 @@
<title>Sessions Administration: details for <%= currentSessionId
%></title>
</head>
<body>
- -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
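Review bot: the `+` line drops `JspHelper.escapeXml(...)` and writes the raw `currentSessionId` into the `<h1>`, so any session id value containing markup is rendered unescaped in the Sessions Administration page; if this hunk is meant to be the fix for the HTML injection, its direction looks reversed and the escaped form `<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>` should be the line that is kept (the leading `- -` is PGP dash-escaping of a single `-`, not part of the diff).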
around the world."
"AMG-2000 is an AP Management Gateway dedicatedly designed for small to
medium-sized network deployment and management, making it an ideal solution
for easily creating and extending WLANs in SMB offices. With its user
management features, administrators will be able to manage the whole process
of wireless network access. In addition, Access Point (AP) management
functions allow administrators to discover, configure, update, and monitor all
managed APs from a single secured interface, and from there, gain full control
of entire wireless network."
Microsoft agrees with you which is why they disable the admin account by
default in Vista.
MustLive wrote:
> Hello!
>
> Just came to securityfocus.com and found that there are some answers
> on my post about Insufficient Authentication vulnerability in Acer
> notebooks.
>
username: '
password: test
An unrecoverable error has occurred.
Please report this message to your system administrator.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
Exit
©2006 Trivantis Corporation. Trivantis and CourseMill are registered trademarks of Trivantis. All Rights Reserved.
EXPLOITATION:
Although the original request is a POST, we can convert it to a GET,
so that all posted parameters can be submitted on a single URL. For
example, the previous POST request can be converted to a URL such as
the following:
http://admin:admin@192.168.1.1/setup.cgi?mtenRestore=Restore+Factory+Defaults&todo=defaultsettings&this_file=Factorydefaults.htm&next_file=index.htm&message=
By forging administrative requests (Administration button on the
router's HTML menu), an attacker can compromise the router provided
the victim user visits a malicious URL or HTML page (which makes a
request to such malicious URL). The attack can only be successful if
Wow. I guess you didn't read the post either. I'm a bit surprised that a Sr. Network Engineer thinks that Group Policies "differentiate between local and Domain administrators." You're making it sound like you think Group Policy application has some "magic permissions" or something, or that a "domain administrator" is a "bigger" administrator than the local administrator.
Group Policy loads from the client via the Group Policy Client service. If I'm a local admin, I can just set my local system to not process group policy via the GPExtensions hive. Done. If I take the domain admin out of my local administrators, they can't do anything. Done.
How exactly do you think this is problematic for "shops that differentiate between desktop support and AD support"? (whatever that means).
t
>-----Original Message-----
>From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-
Introduction:
=============
The SonicWall NSA 4500 product has a MAC spoofing protection option that can be activated in wireless networks on a per-ESSID basis. This protection will not work if the access point is a Sonicpoint. No warning or notice is presented to the administrator, which means that the protection will be active but not working. This vulnerability was detected while pentesting a customer WiFi deployment with that configuration: SonicWall NSA 4500 + SonicWall Sonicpoints.
Report-Timeline:
================
2011-09-26: Vendor Notification
vulnerabilities that could allow unauthorized individuals to view the
contents of secure e-mail messages. To exploit the vulnerabilities,
attackers must first intercept secure e-mail messages on the network
or via a compromised e-mail account.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------
IronPort Encryption Appliance devices contain two vulnerabilities
that could allow unauthorized users to gain access to the IronPort
Encryption Appliance administration interface and modify other users'