Vigil@nce - Windows: authentication via Kerberos pass-the-ticket
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker having physical access to the network and a Windows
client can authenticate under an other user.
Severity: 2/4
Creation date: 13/08/2010
DESCRIPTION OF THE VULNERABILITY
The Kerberos protocol uses several exchanges, in order to deliver
a ticket to a client. This ticket allows for example to login.
Windows implements a simplified version of this protocol.
An attacker located in the network between a workstation and its
AD domain controller can capture an authentication session. He
thus obtains a valid ticket.
The attacker can then physically connect to the workstation. He
uses the captured login and a random password. The workstation
will contact the AD but the exchange is intercepted by the
attacker machine who returns the previously captured ticket. The
workstation decipher the message considering it as valid and
allows access to the attacker.
An attacker having physical access to the network and a Windows
client can therefore authenticate under an other user.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Windows-authentication-via-Kerberos-pass-the-ticket-9848