From: David LeBlanc (dleblanc MINDSPRING.COM)
Date: Mon Apr 23 2001 - 15:57:07 CDT
I was the one who told you the story, and it was over 3 years back. I was only compromised once - then we rearranged how the backup agent worked... I'll also never let the admin who did it to me live it down (hi, BI).
This issue has been discussed in public _numerous_ times, and this is why I would urge people not to overuse the phrase 'advisory'. Perhaps I'm just tinkering with semantics, but an 'advisory' means something that is new. This isn't even remotely new. Not only can you do this by tinkering with the registry, but (drum roll please)
************************************************
you can do this with documented user interfaces!
************************************************
You can change the binary path to an executable with sc.exe. You can also do it with control panel, services (or Win2k control panel, admin tools, services). If this was such a scary, big deal that we need an advisory over it, then why would there be a documented UI?!?
We've had numerous discussions about whether storing the passwords to service accounts in the LSA is a problem - the answer is that a local admin can achieve the SAME result simply by changing the service binary to something else. Local admins have that right. They can also insert threads into services and get them to do things without disturbing the service (lsadump2, pwdump2, and others do this).
None of this constitutes a vulnerability. Local admins have the right to change the way the operating system behaves - period. If you have the least doubt on this matter, I'd suggest that you review some of Greg Hoglund's posts to this list.
What it DOES bring up is the matter of properly managing security, which Russ alludes to. Take it as a GIVEN that any admin on any system can cause code to execute under the context of any other user who logs on either locally or as a service. If your network is set up such that this means that any regular user can instantly become domain admin, then you're not managing security properly.
-----Original Message-----
From: Russ [mailto:Russ.Cooper RC.ON.CA]
Sent: Friday, April 20, 2001 7:41 AM
To: NTBUGTRAQ LISTSERV.NTBUGTRAQ.COM
Subject: Re: Potential ability to elevate privileges from Windows NT/2000 workstation/server
It should be pointed out that anyone with local Admin privileges on a box that has a Domain Account-based service running can easily run l0phtcrack, or some similar tool, against their own SAM and determine the password of the service account that way. They can, then, use that account information to do other things (like not having to use Srvany to launch a service of their choice).
It reminds me of a story someone once told me of how a machine he had kept getting compromised by fellow co-workers; they all had the same Backup agent software using the identical userID on all machines within a domain...;-]

That story is almost 3 years old now.
The technique Tony describes is a little more interesting, but is just another manifestation of the problems blindly giving Local Admin access create.
Cheers,
Russ
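An added inventory script for the exposure both messages describe (not code from the thread or from either author): it lists services on the local host that log on with a domain account, and keeps a baseline of each service's binary path and logon account so that a later change, whether made through sc.exe, the Services control panel or the registry, shows up on comparison. It assumes a Windows host where Get-CimInstance can query the Win32_Service class; the baseline file path is the caller's choice.

```powershell
# Built-in service identities that do not carry a reusable domain credential.
# (-notcontains is case-insensitive, so one spelling of each is enough.)
$BuiltinAccounts = @('LocalSystem',
                     'NT AUTHORITY\LocalService',
                     'NT AUTHORITY\NetworkService')

# Services whose logon account is a domain account (DOMAIN\user or user@domain).
# A local admin on this host can recover or reuse that credential, so each hit
# is a place where local admin rights become domain-wide rights.
function Get-DomainAccountServices {
    param([string]$Domain = $env:USERDOMAIN)   # assumption: the domain of interest
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -and
            ($BuiltinAccounts -notcontains $_.StartName) -and
            ($_.StartName -like "$Domain\*" -or $_.StartName -like '*@*')
        } |
        Select-Object Name, StartName, PathName, State, StartMode
}

# Record every service's binary path and logon account for later comparison.
function Save-ServicePathBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, PathName, StartName |
        ConvertTo-Json |
        Set-Content -Path $Path
}

# Report services whose binary path or logon account differs from the baseline,
# plus services that did not exist when the baseline was taken.
function Compare-ServicePathBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $baseline = @{}
    foreach ($s in (Get-Content -Raw -Path $Path | ConvertFrom-Json)) {
        $baseline[$s.Name] = $s
    }
    foreach ($s in (Get-CimInstance -ClassName Win32_Service)) {
        $old = $baseline[$s.Name]
        if (-not $old) { "[new service] $($s.Name): $($s.PathName)"; continue }
        if ($old.PathName -ne $s.PathName) {
            "[binary path changed] $($s.Name): '$($old.PathName)' -> '$($s.PathName)'"
        }
        if ($old.StartName -ne $s.StartName) {
            "[logon account changed] $($s.Name): $($old.StartName) -> $($s.StartName)"
        }
    }
}

# Usage: Get-DomainAccountServices | Format-Table
#        Save-ServicePathBaseline -Path C:\baseline\services.json   (once, from a known-good state)
#        Compare-ServicePathBaseline -Path C:\baseline\services.json (on a schedule)
```

Any service the first function lists should be reviewed against the point made above: if that account is also a domain admin, every local admin on this host is effectively one too.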