[13634] in bugtraq
Windows NT and account list leak ! A new SID usage
daemon@ATHENA.MIT.EDU (Pascal Longpre)
Tue Feb 1 16:16:17 2000
Message-Id: <20000201025724.2408.qmail@securityfocus.com>
Date: Tue, 1 Feb 2000 02:57:24 -0000
Reply-To: Pascal Longpre <longprep@HOTMAIL.COM>
From: Pascal Longpre <longprep@HOTMAIL.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
This may not be new but I haven't seen it anywhere else so
here it is.
- Description -
It is possible to list the whole user list of a domain by
querying any workstation on that domain. Even if the domain
controller is hidden behind a firewall or has IP filtering
enabled, the list comes out gracefully since the
workstation forwards the query for you.
I suspect that this may even work on a workstation
connected to its DC through a VPN but I haven't tested it
yet.
- Explanations -
The idea is to get the workstation to spit its domain SID
with the LsaQueryInformationPolicy() function. Normally,
that function would require the "GENERIC_READ |
GENERIC_EXECUTE" access rights in order to work but I
discovered that by simply using the "MAXIMUM_ALLOWED"
access right it works through the good old null session.
- Exploitation -
I wrote a small program called "dom2sid" demonstrating
this. It should be available shortly on the securityfocus
free tools list. It returns the computer/domain names and
SIDs. You can then feed this to the popular sid2user tool
and get the whole user list. If both SIDs are equal, you
found a DC.
- Fix -
The "restrict anonymous" solution provided by Microsoft
doesn't help here. The only way I was able to stop this
behavior was to use a program called fixpol.exe. Don't ask
me where I found that one, I don't remember...
Enjoy !!
If this is old stuff, well just forget about this message !!