Microsoft Issues Warning About Domain Trusts
- By Scott Bekker
- January 31, 2002
Microsoft Corp. warned Wednesday night of a serious-sounding privilege elevation vulnerability involving trust relationships between domains in both Windows NT 4.0 and Windows 2000.
Myriad hurdles make it a long shot that any attacker could actually exploit the vulnerability, according to Microsoft.
The company rated the vulnerability as moderate for intranets and low over the Internet.
The problem involves the way Microsoft domains trust one another. Microsoft uses the terms trusting domain and trusted domain in defining the relationships between domains. The trusting domain accepts users or groups from the trusted domain and lets them access the trusting domain's resources. Domains use Security Identifiers (SIDs) to check what resources a user or group can access.
But trusting domains currently fail to check if the trusted domain is supplying only SIDs that it is authorized to supply. If a user could somehow spoof another user's SID into his own profile, he could access resources on the trusting domain he should not have access to.
"We need to be very clear that there is a vulnerability, but with that said, it has some very significant barriers to being exploited under most conditions," says Scott Culp, manager of Microsoft's Security Response Center.
The major hurdle, in Microsoft's view, is that the user must be a domain administrator, a.k.a. the top-level administrator, in the trusted domain.
"That's a significant compromise right there, having a bad guy as a domain administrator," Culp says.
Further, the trust relationship between domains must already be established. Finally, the domain administrator must also possess extraordinary technical and programming skill to exploit the vulnerability.
"There is no built-in, easy-to-use interface by which somebody could change the SID information," Culp says. "You'd have to have a system administrator who also happens to be deeply versed in the low-level architecture of Windows and has the developer skills to build new operating system code."
Russ Cooper, moderator of the NTBugTraq security mailing list, agrees that the share of domain administrators with such a specific and sophisticated skillset is extremely small, probably less than 1 percent.
"That number rises dramatically the moment some idiot releases a tool to do it," Cooper warns.
Routes to exploit the vulnerability are obscure, and each is full of challenges. A Microsoft technical white paper on the subject lists three potential approaches.
One requires the domain administrator in the trusted domain to already have the password for a domain administrator in the trusting domain. "If the attacker has access to such an account, they could easily use it to accomplish their ultimate goal, rather than carry out an attack to achieve the goal," Microsoft writes, dismissing the usefulness of that approach.
The other two approaches involve physical access to the domain controller to run a disk editor or attach a debugger. Both approaches present additional hurdles.
There is a patch, but it presents administrators with a difficult choice: either leave their systems open to a difficult-to-exploit but potentially severe vulnerability, or limit the usefulness of their systems.
Microsoft created a tool called SID Filtering that protects against the vulnerability. But SID Filtering disables the use of the SID History tool that is essential for many organizations migrating from Windows NT 4.0 to Windows 2000 domains and stops Universal Groups from functioning.
Microsoft's technical white paper is designed partly to help administrators decide whether or not to use the patch. The white paper also includes advice for architectural and administrative changes to limit the potential damage of the vulnerability without using SID Filtering.
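To make the missing check concrete, here is an added Python model of the SID-filtering decision (example code written for this article, not Microsoft's implementation; every domain SID is a constructed placeholder, and the filter is simplified to the domain-prefix rule the text describes). It shows why the same check that rejects a SID claimed from another domain also rejects legitimate SID History entries from a migrated NT 4.0 domain.

```python
import re

# Constructed example SIDs (placeholders, not identifiers from the article).
TRUSTED_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"    # domain supplying the SIDs
TRUSTING_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"   # domain whose resources are accessed
LEGACY_NT4_DOMAIN_SID = "S-1-5-21-7777777777-8888888888-9999999999" # old domain kept in SID History
DOMAIN_ADMINS_RID = "512"  # well-known RID of the Domain Admins group
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def domain_of(sid):
    """Domain part of a domain-relative SID (S-1-5-21-A-B-C[-RID]);
    None for well-known, non-domain SIDs such as S-1-5-11 (Authenticated Users)."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    parts = sid.split("-")
    if parts[2:4] == ["5", "21"] and len(parts) >= 7:
        return "-".join(parts[:7])
    return None

def filter_sids(supplied, trusted_domain_sid):
    """Simplified SID-filtering (quarantine) check: keep well-known SIDs and SIDs relative
    to the trusted domain, drop any SID claiming membership in another domain."""
    accepted, rejected = [], []
    for sid in supplied:
        (accepted if domain_of(sid) in (None, trusted_domain_sid) else rejected).append(sid)
    return accepted, rejected

def can_access(token_sids, required_group_sid, trusted_domain_sid, sid_filtering):
    """Resource check in the trusting domain: is the required group SID in the token?"""
    sids = filter_sids(token_sids, trusted_domain_sid)[0] if sid_filtering else list(token_sids)
    return required_group_sid in sids

# Constructed token for a user of the trusted domain: one legitimate SID History entry from
# the old NT 4.0 domain, and one entry falsely claiming Domain Admins in the trusting domain.
LEGACY_HISTORY_SID = LEGACY_NT4_DOMAIN_SID + "-" + DOMAIN_ADMINS_RID
FORGED_ADMIN_SID = TRUSTING_DOMAIN_SID + "-" + DOMAIN_ADMINS_RID
EXAMPLE_TOKEN = [TRUSTED_DOMAIN_SID + "-1105", "S-1-5-11", LEGACY_HISTORY_SID, FORGED_ADMIN_SID]

if __name__ == "__main__":
    accepted, rejected = filter_sids(EXAMPLE_TOKEN, TRUSTED_DOMAIN_SID)
    print("accepted:", accepted)
    print("rejected:", rejected)  # the forged SID and the legitimate SID History entry alike
    for enabled in (False, True):
        granted = can_access(EXAMPLE_TOKEN, FORGED_ADMIN_SID, TRUSTED_DOMAIN_SID, enabled)
        print(f"SID filtering {'on' if enabled else 'off'}: Domain Admins access = {granted}")
```

Without the filter, the trusting domain honours the Domain Admins SID it never issued; with it, that SID is dropped, but so is the migrated user's old-domain group, which is the trade-off the article describes.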
Cooper says the vulnerability is important in several real-world scenarios.
"It's an internal attack so it's the kind of thing that somebody performing espionage might be able to pull off. Or somebody who is inside an organization who wants to get access to information that's on the other side of an organization," Cooper says. "I think that the more domains there are in an organization, the more trust relationships that exist in an organization, the more likely this type of thing would be."
Culp says Microsoft knows of no cases where the vulnerability has been exploited to compromise production environments.
The vulnerability was brought to Microsoft's attention by Aelita Software and Michel Trepanier of CMT Inc. and Loto-Quebec.
The Security Bulletin is available here:
The technical white paper can be found here:
Scott Bekker is editor in chief of Redmond Channel Partner magazine.