Re: trusting domain vulnerability - sid privilege elevation attack for 2003 domains
From: Laura A. Robinson [MVP] (geekwench_at_snippit.hotmail.com)
Date: 01/08/04
- Next message: Jonathan Maltz [MS-MVP]: "Re: Win Server 2003"
- Previous message: George \(Bindar Dundat\): "Re: New File appears named "~""
- Next in thread: Laura A. Robinson [MVP]: "Re: trusting domain vulnerability - sid privilege elevation attack for 2003 domains"
- Maybe reply:(deleted message) Laura A. Robinson [MVP]: "Re: trusting domain vulnerability - sid privilege elevation attack for 2003 domains"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 8 Jan 2004 14:24:27 -0500
In article <eX8zWoBzDHA.2408@tk2msftngp13.phx.gbl>, reddsoda@hotmail.com says...
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-001.asp
>
> Is an Active Directory 2003 domain vulnerable to this attack still? Is sid
> filtering turned on by default in 2003?
>
>
SID filtering absolutely cannot be turned on as a default setting. It
breaks forest functionality. However, the API that allowed exploitation of
this vulnerability was modified in SP2 for Windows 2000 and I don't yet
know of a new mechanism to modify the authorization data with the
exception of what is listed in the very article you list:

"Windows 2000 does provide a mechanism for introducing additional SIDs
into authorization data, known as SIDHistory. However, there is no
programming interface that would allow an attacker – even with
administrative rights – to introduce a desired SID into the SIDHistory
information; instead, an attacker would need to perform a binary edit of
the data structures that hold the SIDHistory information."

Note that at one point, the above statement was untrue in that prior to
SP2, there was an API that could be exploited. To the best of my
knowledge, that exploit was never released in the wild, and I'm not even
sure how many people even knew of its existence.

So, to answer your question, Windows Server 2003 is not vulnerable to
the exploit I mentioned, nor is Windows 2000 once you apply the Security
Rollup mentioned in the article. Again, however, SID filtering is *not*
the method of choice for dealing with the scenario, due to the fact that
it will cripple a tremendous amount of functionality. You would only use
SID filtering against a suspect domain in a trusted forest, not against
a domain in your own forest.
Laura
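The trade-off Laura describes (SID filtering strips foreign SIDs from the trusted domain's authorization data, which blocks injected SIDs but also discards legitimate SIDHistory from migrated accounts in the same forest) can be made concrete with a small model of the quarantine check. This is an added example, not code from the thread or from Microsoft; the binary SID layout is the standard one, while the domain SIDs, RIDs and the set of well-known SIDs left untouched are constructed assumptions for illustration.

```python
import struct

# Decode a binary SID (revision, sub-authority count, 6-byte big-endian
# identifier authority, little-endian 32-bit sub-authorities) into S-1-5-21-... form.
def parse_sid(blob: bytes) -> str:
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

# Build a binary SID; used here only to construct sample authorization data.
def build_sid(revision: int, authority: int, subs) -> bytes:
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def domain_part(sid: str) -> str:
    # Everything but the trailing RID, e.g. S-1-5-21-A-B-C for S-1-5-21-A-B-C-1105
    return sid.rsplit("-", 1)[0]

# Assumption: a simplified set of non-domain SIDs that quarantine leaves alone.
WELL_KNOWN = {"S-1-1-0", "S-1-5-11"}

def quarantine_filter(presented, trusted_domain_sid):
    """Keep SIDs that belong to the trusted domain (or are well-known); drop the rest."""
    kept, dropped = [], []
    for blob in presented:
        sid = parse_sid(blob)
        if domain_part(sid) == trusted_domain_sid or sid in WELL_KNOWN:
            kept.append(sid)
        else:
            dropped.append(sid)
    return kept, dropped

# Constructed domain SIDs: the trusted domain, a sibling domain in its forest,
# and the trusting domain evaluating the token.
TRUSTED = "S-1-5-21-111-222-333"
SIBLING = "S-1-5-21-444-555-666"
TRUSTING = "S-1-5-21-777-888-999"

def demo():
    presented = [
        build_sid(1, 5, (21, 111, 222, 333, 1105)),  # user's own SID in the trusted domain
        build_sid(1, 5, (21, 111, 222, 333, 513)),   # Domain Users of the trusted domain
        build_sid(1, 5, (21, 444, 555, 666, 1204)),  # legitimate SIDHistory from a migration
        build_sid(1, 5, (21, 777, 888, 999, 512)),   # injected: trusting domain's Domain Admins
        build_sid(1, 5, (11,)),                      # Authenticated Users, well-known
    ]
    return quarantine_filter(presented, TRUSTED)
```

Running `demo()` shows both halves of the argument: the injected S-1-5-21-777-888-999-512 is dropped, but so is the migrated account's legitimate S-1-5-21-444-555-666-1204, which is the functionality loss that makes filtering unsuitable inside your own forest.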