Windows 2000 SIDHistory Escalation Attack

From: James Barrett (jimb@LUCENT.COM)
Date: 02/20/02


Date:         Wed, 20 Feb 2002 13:23:42 -0500
From: James Barrett <jimb@LUCENT.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Russ,

I know that this topic was brought up a few weeks ago, but we have been
doing some research internally on this issue and have reached some
disturbing conclusions.

First of all, when Microsoft introduced the Windows 2000 domains within
a forest structure, the domains were introduced as security and
replication boundaries. If you had a situation where you needed to keep
two divisions of your company completely separate from each other, you
could create two domains. Each division could have complete control
over their domain and not be able to affect the other. Since they are
all part of the same forest, they are able to share a common global
catalog, and more importantly a common Exchange 2000 address book. This
understanding has been the basis for Windows 2000 designs for the past
two years.

Now, Aelita Software has identified a bug that affects this model.
Specifically, if you are an administrator for Domain A, and you have a
means of modifying the SIDHistory attribute, you could insert the SID
from Domain B's Domain Administrator account into yours. This would
then give you Administrative level access to Domain B and violate the
security barrier. The original whitepaper from Aelita can be found at
http://www.aelita.com/solutions/ADSecurity/SIDH_implications.htm
<http://www.aelita.com/solutions/ADSecurity/SIDH_implications.htm> .

Microsoft issued a response and an analysis of the problem in MS02-001.
Basically, they acknowledged it was a problem but decided it was not too
severe. They did release a patch to prevent the SIDHistory value from
being read, but it cannot be used between domains within the same forest
as it would break replication. Their analysis was that it would be very
difficult to manipulate the SIDHistory value. Their recommendation was
that if this issue was a problem, separate forests should be considered.

This is not a very good answer for a couple of reasons. First of all,
most of the third part tool vendors have methods of manipulating the
SIDHistory value as part of their migration suites. This proves that it
can be done, so it is only a matter of time before a program is
developed to do this. Secondly, Windows 2000 security permits
authenticated users of one domain to do an LDAP query to another domain
to obtain the SID of any object. This makes it trivial to both locate
an administrative SID and add it to a local user account. Microsoft's
suggestion of multiple forests makes things such as global email
directories and global catalogs difficult to implement. NetWare does
not have this kind of privilege escalation problem and neither should
Windows.

I recommend that the community push Microsoft to develop a means of
disabling the SIDHistory between domains in a forest such that it does
not affect replication and other things. Windows 2000 forests should be
able to have domains that can be secured from each other. If Microsoft
chooses not to do this, this represents a significant issue in designing
a flexible Windows 2000 infrastructure.

Thanks

Jim Barrett

Jim Barrett, CISA, CCNP, MCSE, MCT
Senior Consultant
Microsoft Consulting Practice
Lucent Technologies ESS
781-848-5500 ext. 445
 <mailto:jimb@lucent.com> mailto:jimb@lucent.com

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by VeriSign - The Internet Trust Company
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Do you have 128-bit SSL encryption server security?
Get VeriSign's FREE Guide, "Securing Your Web Site for Business," and learn
everything you need to know about using 128-bit SSL to encrypt your
e-commerce transactions, secure your intranets and authenticate your Web
site. 128-bit SSL is serious security for your online business. Get it now!
http://www.verisign.com/cgi-bin/go.cgi?a=n094765650008000
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo



Relevant Pages

  • Re: root forest AD DC crashed
    ... it is another forest root domain. ... Setup trusts (if an external trust is configured and sidhistory is used, ... Install and configure migration tooling ... Translate security of the data/resources from source security ...
    (microsoft.public.win2000.active_directory)
  • RE: Windows 2000 password policy
    ... I agree that from what we know now, the true security boundary for W2K ... and W2K3 is the Forest, however, in the context of the question, ... password policy is set at the domain level not the forest level, ... > because Windows 2000 had to maintain backward compatibility with NT ...
    (Focus-Microsoft)
  • Forest to Forest problem
    ... I know that this isn't a Windows XP Security problem (it's ... You have Forest A and Forest B. Both Forests are running ... Mixed Mode because both have NT domain controllers. ...
    (microsoft.public.windowsxp.security_admin)
  • 130 domains in Windows 2003 forest.
    ... for Windows 2003 but because of many security and political issues we ... might be forced to migrate and create 130 NT 4.0 individual domains ... into brand new Windows 2003 forest. ...
    (microsoft.public.windows.server.migration)
  • Inter Forest Migration
    ... Can someone confirm if SidHistory works in the scenario of a Interforest ... forest) to companycorp.com (Windows 2003 forest)? ...
    (microsoft.public.windows.server.active_directory)