NTBUGTRAQ: AD Schema and Configuration could be overtaken

From: Rickard Berglind (rickbergBREDBAND.NET)
Date: Fri Apr 11 2003 - 04:14:20 CDT


PROBLEM:

Any domain administrator in the Windows 2000 Active Directory
forest can take over the Configuration partition and the
Schema partition.

By design, control over the two globally shared containers in
an Active Directory forest is restricted to the groups
Enterprise Admins and Schema Admins, which only exist in
the forest root domain.

By using a simple work-around this could be broken and
control over these important partitions can be taken by
any domain administrator in any domain in the forest.

The Schema Master role can be changed to any domain controller
in any child domain without the need for the Schema Admins group
in the forest root.
The schema can then be modified in any way and potentially be
destroyed by any local domain administrator.

The configuration container can be managed by any administrator
and he or she can create, delete and modify sites, subnets and
replication objects for any domain.
Any domain administrator can potentially change or destroy any
other domain's possibility to replicate and by that break its
functionality.

Why this can be done depends on the standard ACLs on the
Configuration and Schema naming contexts. By using the
Support Tool adsiedit you could observe that among Enterprise
Admins and Schema Admins you could also find the SYSTEM account
having Full Control permissions.
Since these two partitions are shared, the database is held on every
domain controller in the forest and by that any local SYSTEM
account on any domain controller has these permissions.

So by logging in to a domain controller in any child domain
and starting the necessary tools under the SYSTEM context
this could easily be done.

Example:

C:\> net start "task scheduler"
C:\> at 10:15 /i cmd.exe (use one minute ahead in time)

In the new command prompt running as SYSTEM:

C:\> title SYSTEM
C:\> regsvr32 schmmgmt.dll
C:\> mmc

Then load the "Sites and Services" and the "AD Schema" snap-ins.
In "Sites and Services" you will be able to modify everything
in the replication topology, including modifying other domains'
replication objects, deleting their site links, changing the
properties for replication interval, moving servers or rearranging
subnets to other sites.

You could also remove the Global Catalog role from any
server and promote others to this capability.

To take control over the enterprise schema use the Schema
snap-in and first right-click and choose "Change domain
controller". Set focus on your own DC and then use the
"Operation Master" on the same menu. Check that your DC
has focus and then change. If you would like to start
updating the schema choose the "The Schema may be modified"
check-box and then just wait for the database to be fully
synchronized.
The schema is then ready to be modified in any way you
would like.

POSSIBLE SOLUTION:

Modify or remove SYSTEM's permissions on the ACLs in the
Schema and Configuration partitions. This could however
create other unpredictable problems and should not be done
without extensive testing.

regards, Rickard Berglind
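As an added, defender-side check that is not part of the original advisory: the PowerShell below assumes the ActiveDirectory module from RSAT and an account that can read the two partitions, and lists every trustee holding GenericAll, WriteDacl or WriteOwner on the Schema and Configuration naming contexts, so an administrator can see the SYSTEM entry the post describes alongside the intended Enterprise Admins and Schema Admins entries, together with the current Schema Master and the Schema Admins membership in the forest root.

```powershell
# Added example, not code from the advisory. Assumes RSAT's ActiveDirectory
# module and a reader with permission to read the partition ACLs.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$forest  = Get-ADForest
$partitions = [ordered]@{
    'Schema'        = $rootDse.schemaNamingContext
    'Configuration' = $rootDse.configurationNamingContext
}
# Rights that let a trustee rewrite the partition or its own permissions.
$dangerous = 'GenericAll', 'WriteDacl', 'WriteOwner'

Write-Host "Schema Master FSMO holder : $($forest.SchemaMaster)"
Write-Host "Schema Admins (root domain): " -NoNewline
(Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain |
    Select-Object -ExpandProperty SamAccountName) -join ', ' | Write-Host

$findings = foreach ($name in $partitions.Keys) {
    $dn  = $partitions[$name]
    $acl = Get-Acl -Path "AD:\$dn"
    Write-Host "== $name partition $dn (owner: $($acl.Owner))"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ActiveDirectoryRights is a flags enum; split its text form
        # ("CreateChild, DeleteChild, ...") and keep only the risky flags.
        $granted = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit = @($granted | Where-Object { $dangerous -contains $_ })
        if ($hit.Count -eq 0) { continue }

        $trustee  = $ace.IdentityReference.Value
        $isSystem = $trustee -eq 'NT AUTHORITY\SYSTEM'
        [PSCustomObject]@{
            Partition = $name
            Trustee   = $trustee
            Rights    = ($hit -join ',')
            Inherited = $ace.IsInherited
            Note      = if ($isSystem) {
                            'Held by local SYSTEM on every DC in the forest'
                        } else { '' }
        }
    }
}

$findings | Format-Table -AutoSize
```

The SYSTEM rows are the ones the advisory is about: every domain controller that hosts a replica of these partitions can exercise them locally, so review of that entry belongs with the forest-root group reviews.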
