Problems caused by MS14-025 (1)

Source: Internet
Author: User

Windows 2008 introduced a new feature, Group Policy Preferences, which makes it easy for administrators to deploy policies throughout the domain. This article details some of the pitfalls of Group Policy Preferences. In particular, when a deployed policy contains a user name and authentication information, an ordinary user can obtain that information, including the account password, from the policy, and use it to elevate privileges and even control other computers within the domain.

Group Policy Preferences allow domain administrators to push various policies to computers within the domain: for example, automatically mapping network drives at logon, updating the password of the built-in Administrator account, modifying the registry, starting programs, creating new users, and so on.

The example used here is a policy that updates the built-in Administrator account; the policy is an XML file.

The content of this policy renames the Administrator account to Locadm. The password is stored in the cpassword field and is encrypted.

After a Group Policy preference is deployed to a domain member, for example when the policy to update the default account is deployed to a Windows 7 machine, the directory "C:\Users\All Users\microsoft\group policy\history" is created automatically, and the policy XML file is saved there after deployment. In this example, the path is:

C:\Users\All Users\microsoft\group policy\history\{a1c0c41b-d2f8-401b-a5d1-437da197a809}\machine\preferences\groups\groups.xml

Any logged-on user has read access to this file:

The key problem is that although the password is encrypted, it can be cracked! It uses 256-bit AES encryption, but the 32-byte key is published in Microsoft's documentation.

The 32-byte AES key is as follows: 4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8 f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b

So any user who can access this file can easily decrypt the password in the configuration file.

Group Policy Preferences are typically used in larger domains, and policies such as changing the default password are generally issued to multiple computers, so an account obtained from the policy may be equally valid on other computers.

The configuration files for Group Policy Preferences are delivered over the SMB protocol, and the content is not encrypted. As a result, the account password can also be obtained by listening to network traffic for the configuration information. The XML configuration file as obtained from network traffic:
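An audit for the exposure described above, as an added example that is not part of the original article: it walks a directory of preference XML files and reports every element that still carries a non-empty cpassword attribute, without decrypting it. The sample XML is constructed (its cpassword value is a placeholder), and the function names are hypothetical; the check goes beyond groups.xml and flags the attribute in any preference XML file.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the policy described in the article;
# the cpassword value is a placeholder, not real ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" newName="Locadm" cpassword="PLACEHOLDER_CIPHERTEXT"
                userName="Administrator (built-in)"/>
  </User>
  <User name="Guest">
    <Properties action="U" cpassword="" userName="Guest"/>
  </User>
</Groups>
"""

def find_cpassword(xml_text, source="<string>"):
    """Return one finding per element with a non-empty cpassword (value not included)."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.get("cpassword"):  # missing or empty attribute: no stored password
            findings.append({
                "source": source,
                "element": elem.tag,
                "userName": elem.get("userName", ""),
                "newName": elem.get("newName", ""),
            })
    return findings

def scan_tree(root_dir):
    """Audit every .xml file under root_dir (a client's history cache or a SYSVOL copy)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings.extend(find_cpassword(fh.read(), path))
            except (ET.ParseError, OSError):
                continue  # unreadable or malformed file: skip it
    return findings

if __name__ == "__main__":
    # Directory taken from the article; adjust for the host being audited.
    for f in scan_tree(r"C:\Users\All Users\microsoft\group policy\history"):
        print(f)
```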

Tool use

The tool is relatively simple and the decrypted string is written in the program:

Via labs.portcullis.co.uk; translation and editing: [email protected]
