Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

[Jason Lang <jllang320 () gmail com>]

So you are saying that the use can perform action on the domain?
Things like create/delete user accounts. Your initial statement does
not say anything about taking action on any network resources. I find
it hard to believe that would be the case because user would not have
a valid kerberos ticket because they did not log into the domain.

Jason Lang

From: jcoyle () winwholesale com
Date: Fri, 10 Dec 2010 14:44:35 -0500

You are completely missing the point..
Local admins become Domain Admins.





From:       "Stefan Kanthak" <stefan.kanthak () nexgo de>
To:         <bugtraq () securityfocus com>,
            <full-disclosure () lists grok org uk>
Cc:         <stenoplasma () exploitdevelopment com>
Date:       12/10/2010 01:08 PM
Subject:    Re: Flaw in Microsoft Domain Account Caching Allows Local
            Workstation Admins to Temporarily Escalate Privileges and Login
            as Cached Domain Admin Accounts (2010-M$-002)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/