Is The Userid Necessary For An Attack?

[Thibaud]

I found two security vulnerabilities in a friend's company and I'd like to do a responsible disclosure to that company so they fix it. For that, I need to know if it's possible to exploit the vulnerability and do an escalation of privilege so I can motivate my case for the disclosure. Here is the picture.

I found a vulnerability in one of the company's websites with which I can obtain user ids and passwords to access that website. But the website in itself doesn't provide much useful information to an attacker, it's not interesting, so the risk if the website is exploited is moderate.

What's most interesting, I know for a fact that the passwords to the website are synchronized with the passwords of the Windows users. That's to make it easier for users to remember their passwords; that's another security vulnerability. And the users have administrative privileges on their computers. And the risk if an account with administrative privileges is exploited is high as an attacker could penetrate the company's network. So both security vulnerabilities must be fixed.

The problem is the following. The user ids on the website are different than the user ids of the Windows accounts. That's the catch, the passwords are the same but the user ids are different.

My question is, supposing an attacker is on the same network as the target computer, can the attacker compromise the target computer knowing just the Windows administrative password (not the user id)? That's where my knowledge stops. I think the password alone is not enough, that the user id is necessary as well, but I bet it's possible to reveal user ids on Windows, I just don't know.

Any comments? Thank you.

[Infiltrator]

The attacker will still need to know what the userID is, in order to authenticate. However, there is one thing that the attacker could do, if he doesn't know what the password is but knows what the userID is, he could do what is called "pass the hash attack".

Watch this video, http://www.room362.com/blog/2009/8/26/pass-the-hash-metasploit-demo.html

[digip]

I think passwords are not even worth worrying about, if you gained access to the website, you should see if it can be pivoted from to gain access to the internal network, domain controller, etc. If you can gain admin access to the domain controller, then you could reset anyones passwords, add new users, stop services, etc. User password becomes irrelevant at that point.

You said your friend's company, but I take it hes an employee and not the owner, or you would have already disclosed it. Whatever you do, MAKE SURE YOU GET PERMISSION BEFORE TRYING TO BE THE GOOD SAMARITAN! You could put yourself in hot water with things like this and go to jail if they press charges. If they want a security assessment, they will hire someone. If you see a flaw in the web side, stop there and let them know what you found before attempting to go any further. You've already potentially broken the law, so cover your ass before trying to be helpful, some companies don't want the help and will press charges to the full extent of the law. Not what I would do to someone trying to help, but I am not them.

Edited May 3, 2012 by digip

[Thibaud]

Hi digip,

Thanks for your answers.

Yes, once in the website, an attacker could exploit other possible vulnerabilities and penetrate the company network even further.

Yes, I fear retaliation by the company. It's an old-school management. That's why I haven't tested the exploit myself and I'm keeping things theoretical. But I'm hoping there must be some younger people in the company that are into the modern practices of the 21st century and that will do something positive with the disclosure. I carry inspiration from Google's article on rebooting security.

[Thibaud]

Hi Infiltrator, thanks for the response, confirming my suspicion, and thanks for the link to the video, very nice.