Bugtraq mailing list archives
Win2k directory services weakness
From: BugTraq <BugTraq () GAUSS FMPH UNIBA SK>
Date: Wed, 21 Feb 2001 12:04:08 +0100
Hello,

we came across one security issue which may be critical for large organizations planning to deploy Windows 2000 and Active Directory in one forest.

Imagine that there is a forest with more than one domain. (Tree hierarchy does not matter in this situation.) Every domain has its own set of administrators. In Active Directory there is one Configuration Container for the whole forest. So every domain controller has its own copy of the Configuration Container and is able to change it and replicate the changes to other domain controllers. The only obstruction to changing the configuration are ACLs. But ACLs are checked on the local system, and if you somehow modify it to avoid this checking, you can modify this Container.

How to do it? It is just a matter of finding the place where the ACL is checked and patching the corresponding DLL to disable this check. We think the check is done in the Directory Service Agent. So you can patch and replace it, or add a patched version to the original one running in the context of LSA - for how to run your own code in the context of LSA, see the pwdump2 <http://razor.bindview.com/tools/desc/pwdump2_readme.html> utility. What you need in this case is SeDebugPrivilege.

The real issue is: if in this situation one of the domain controllers is hacked, the hacker can change the links for the Site Domain policy, where the paths for logon/logoff and startup/shutdown scripts are stored, and so run his own code on any other domain controller in the forest. If you have a large organization, every DC is then (almost) equally vulnerable; if a hacker breaks into one, he gets all.

Did anyone think about this issue, and does anyone have any idea how to solve it?

Thank you.

Michal Zeman, Pavol Mederly
Comenius University, Bratislava, Slovakia