Active Directory Mixed Object Access

Active Directory contains a bug which under very specific conditions, allows a a user to change information in the Active Directory that should not be changeable as long as the changes are combined in a particular way with other changes that involve attributes the user does have permission to modify.

According to Microsoft"s bulletin, "the vulnerability does not afford the malicious user an opportunity to modify all objects in a class - only the specific class objects for which he has permission to modify at least one attribute. Further, the vulnerability provides no capability to bypass normal authentication or Windows 2000 auditing, so administrators could determine if this vulnerability were being exploited, and by whom."

"For example, if Bob Jones has permission to modify the Last Name field in the Bob Jones employee object, this vulnerability could potentially allow him to also change an attribute in that object that he does not have permission to modify, such as his social security number."

"Windows 2000 allows you to audit all Active Directory actions, and this vulnerability does not provide any way to bypass normal auditing. However, it is important to note that the auditing subsystem would record the action as having failed with an "access denied" error, so an administrator would need to investigate more than just successful operations"

VENDOR RESPONSE

Microsoft issued a patch as well as Support Online article Q259401.

CREDITS
Discovered and reported by Sebastien Malbois