0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Microsoft Windows 7 (x32/x64) - Group Policy Privilege Escalation (MS16-072)
Author
Risk
![](/img/risk/critlow_3.gif)
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: Group Policy Elevation of Privilege Vulnerability # Date: 08-08-2016 # Exploit Author: Nabeel Ahmed # Tested on: Windows 7 Professional (x32/x64) # CVE : CVE-2016-3223 # Category: Privilege Escalation SPECIAL CONFIG: Standard Domain Member configuration with valid credentials. (Standard Domain User with valid credentials) SUMMARY: This vulnerability allows an attacker to create/modify local Administrator account through a fake Domain Controller by creating User Configuration Group Policies. 1) Prerequisites: - Standard Windows 7 Fully patched and member of an existing domain. (e.g. domain.local) - Domain User Credentials are known with no Administrative rights. - Computer has to be connected on a network. - Fake Domain Controller 2) Reproduce: STEP 1: Determine domain of the target computer (e.g. domain.local) STEP 2: Boot system and determine FQDN of the device. (example. CLIENT.domain.local), this can be obtained by monitoring the network broadcast communication, which the system sends prior to loggin in. The username can be extracted from the loginscreen (E.g USER1) STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local). STEP 4: Create User with similar name and password as the target computer. (E.g. domain\USER1:password123!). STEP 5: Login on the target system with the known Username and Password without any network connection (using cached credentials). STEP 6: Establish network connection between the target system and the newly created Domain Controller. STEP 7: Create a Group Policy called "Create Local Admin" STEP 8: Edit the "Create Local Admin" Group Policy to create in the User Configuration section a new user called "TestAdmin" and add him to the group "Administrators". STEP 9: Open Command Prompt on the target system and execute the following command: "gpupdate /target:user /force" STEP 10: User Policy update will complete successfully. STEP 11: Confirm the newly created Administrator "TestAdmin" by executing the following command in Command Prompt: "net localgroup Administrators" STEP 12: "TestAdmin" user will be member of the Administrators group. 3) Impact: A regular Domain User can gain higher privileges on his system by creating a new administrator through Group Policies created on a fake Domain Controller 4) Solution: Install the latest patches from 14-06-2016 using Windows Update. 5) References: https://technet.microsoft.com/en-us/library/security/ms16-072.aspx https://support.microsoft.com/en-us/kb/3163622 6) Credits: Vulnerability discovered by Nabeel Ahmed (https://twitter.com/NabeelAhmedBE) and Tom Gilis (https://twitter.com/tgilis) of Dimension Data (https://www.dimensiondata.com) # 0day.today [2024-07-07] #