
List:       ntbugtraq
Subject:    Re: Group RID spoofing
From:       Paul Ashton <paul () ARGO ! DEMON ! CO ! UK>
Date:       1998-02-02 19:33:02

At 19:38 30/01/98 , Ken Hoover wrote:
>  If possessing the RID of a group now allows an attacker to spoof
>themselves into that group, my suggestion is to make all the groups look
>more or less alike from the point of view of their RIDs on the network so
>that it's not possible to distinguish the "powerful" groups from the
>ordinary ones.  However, I'm ignorant on how the RID is created and what it is
>possible to deduce about the privileges and rights assigned to a group
>if an attacker has sniffed its RID and its name off of the network.

Here's an attack that I believe would defeat your obfuscation:

Spoof the return packet from the NetLogonSamLogon RPC to return
the attacker's hostname and logon script name. The new logon
program would determine whether it was in the local administrators
group by virtue of being a member of the domain admins group
and, if so, do its dirty deeds.

Upon finishing the spoof program, you run the original logon script.

Run the spoof program on a net at random and wait until you hit
the jackpot.

Paul
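
An added illustration of the membership test Paul describes, not code from the post or from any tool it names: a logon script that decides what to do by asking the OS whether its token is in BUILTIN\Administrators and in Domain Admins, using the well-known SIDs (S-1-5-32-544 and <domain SID>-512) rather than any group name or sniffed RID. That is the reason Ken's RID obfuscation does not help here: the script never needs to learn anything about RIDs on the wire. The original logon script path is an assumption of this example, and the "dirty deeds" are replaced by a log line.

```powershell
# Added example (not from the original post). Assumed: a domain-joined
# Windows host and a genuine logon script at $OriginalScript, which this
# script chains to afterwards, as the post describes.
param(
    # Hypothetical path of the real logon script.
    [string]$OriginalScript = "\\DC1\NETLOGON\logon.bat"
)

Add-Type -AssemblyName System.Security.Principal -ErrorAction SilentlyContinue

function Test-AdminContext {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity

    # BUILTIN\Administrators is always S-1-5-32-544; it cannot be renumbered.
    $localAdmins = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # Domain Admins is always <domain SID>-512. The domain SID is taken from
    # the user's own SID; local (non-domain) accounts have none.
    $domainAdmins = $null
    $domainSid = $identity.User.AccountDomainSid
    if ($domainSid) {
        $domainAdmins = New-Object System.Security.Principal.SecurityIdentifier(
            [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $domainSid)
    }

    [pscustomobject]@{
        User          = $identity.Name
        IsLocalAdmin  = $principal.IsInRole($localAdmins)
        IsDomainAdmin = if ($domainAdmins) { $principal.IsInRole($domainAdmins) } else { $false }
    }
}

$ctx = Test-AdminContext

if ($ctx.IsLocalAdmin -and $ctx.IsDomainAdmin) {
    # Stand-in for the post's "dirty deeds": just record the hit.
    "$(Get-Date -Format o) jackpot: $($ctx.User) is Domain Admin and local Administrator" |
        Out-File -Append -FilePath "$env:TEMP\spoof-log.txt"
}

# Hand over to the genuine logon script so the user notices nothing.
if (Test-Path -LiteralPath $OriginalScript) {
    & cmd.exe /c "`"$OriginalScript`""
}
```

Two caveats a practitioner would want: on NT 4 (the era of the thread) every process of an administrator runs with the full token, so the check above is exactly what the spoofed script sees; on Windows with UAC, an unelevated process holds a filtered token in which the Administrators and Domain Admins SIDs are deny-only, so `IsInRole` reports false until the script runs elevated. Either way, the test depends only on well-known SIDs, so changing the RIDs of custom groups, or making them look alike on the wire, changes nothing.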
