Windows 2008 GPP exploit - vulnerability warning - the black bar safety net

2016-01-03T00:00:00
ID MYHACK58:62201670651
Type myhack58
Reporter Anonymous
Modified 2016-01-03T00:00:00

Description

The test environment: Windows 7 as an ordinary domain member, Windows 2008 as the domain controller.

First, deploy the GPP. The deployment strategy here is to add a test user to every domain member, with the password test123:

1. Add a local user.
2. Open Group Policy Management.
3. Add the domain computers to the Group Policy object.
4. On the Windows 7 domain member, run gpupdate && net user.

After that you can access this directory:

\\tomato-dc\SYSVOL\tomato.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups

Beneath it there is a Groups.xml file:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="test" image="2" changed="2015-08-14 17:21:15" uid="{149655A8-CC7E-4A49-8A3C-403D1615AF63}">
    <Properties action="U" newName="" fullName="" description="" cpassword="aUcBkzsNN7W1N3eM/JmKvw" changeLogon="1" noChange="0" neverExpires="0" acctDisabled="0" userName="test"/>
  </User>
</Groups>

It stores the password of the user account being added. The password is AES encrypted, but Microsoft published the decryption key in its documentation, so the password can be decrypted. Besides this location, account passwords may also exist in the following paths:

Services\Services.xml

ScheduledTasks\ScheduledTasks.xml

Printers\Printers.xml

Drives\Drives.xml

DataSources\DataSources.xml

Once you have the encrypted password, use a script to decrypt it, or use the PowerShell script (see the attachment gpp-exploit.zip).

Defense

You can set read permissions on the XML files directly, to prevent malicious reads.
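The practical first step for a defender is finding out whether any GPO in SYSVOL still carries a cpassword at all, across all six preference files the post lists. The following scanner is an added example written for this page, not code from the original post or from the gpp-exploit.zip attachment. It walks a SYSVOL-like directory tree, parses each Groups.xml, Services.xml, ScheduledTasks.xml, Printers.xml, Drives.xml and DataSources.xml it finds, and reports every element whose cpassword attribute is non-empty, together with the account the secret belongs to. The Groups.xml sample is the one shown above; the Drives.xml and ScheduledTasks.xml samples, the TOMATO\svc-backup account name and its cpassword value are constructed for the demo, and the demo() function and its temporary directory layout are assumptions of this example. It does not decrypt anything: for remediation the point is to locate and remove the stored credential, not to recover it.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute (the six listed in the post).
# Filenames are compared case-insensitively because SYSVOL lives on NTFS.
GPP_PASSWORD_FILES = {
    "groups.xml", "services.xml", "scheduledtasks.xml",
    "printers.xml", "drives.xml", "datasources.xml",
}

# Sample 1: the Groups.xml from the post, reflowed onto several lines.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="test" image="2"
        changed="2015-08-14 17:21:15" uid="{149655A8-CC7E-4A49-8A3C-403D1615AF63}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="aUcBkzsNN7W1N3eM/JmKvw" changeLogon="1" noChange="0"
                neverExpires="0" acctDisabled="0" userName="test"/>
  </User>
</Groups>
"""

# Sample 2 (constructed): a mapped drive with an empty cpassword. No credential is stored,
# so it must not be reported. Real files carry more attributes (clsid, uid, ...).
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="S:" status="S:" changed="2015-08-14 17:30:00">
    <Properties action="U" userName="" cpassword="" path="\\\\tomato-dc\\share" letter="S"/>
  </Drive>
</Drives>
"""

# Sample 3 (constructed): a scheduled task running as a service account; the cpassword value is made up.
SAMPLE_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="Nightly backup" changed="2015-08-14 17:40:00">
    <Properties action="C" name="Nightly backup" appName="backup.exe"
                runAs="TOMATO\\svc-backup" cpassword="CONSTRUCTEDcpasswordVALUE=="/>
  </Task>
</ScheduledTasks>
"""


def scan_xml(xml_data, path):
    """Return one finding per element whose cpassword attribute is non-empty.

    Accepts str or bytes. A file that does not parse is reported as an error
    rather than silently skipped, because a damaged file can still hold a secret.
    """
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return [{"path": path, "error": f"unparseable XML: {exc}"}]
    findings = []
    for elem in root.iter():
        cpassword = elem.attrib.get("cpassword")
        if not cpassword:
            continue  # attribute absent or empty string: nothing stored
        # The account lives in a sibling attribute whose name depends on the file type
        # (userName in Groups/Drives, runAs in ScheduledTasks, accountName in Services,
        # username in DataSources).
        account = (elem.attrib.get("userName") or elem.attrib.get("username")
                   or elem.attrib.get("runAs") or elem.attrib.get("accountName")
                   or "<unknown>")
        findings.append({"path": path, "element": elem.tag,
                         "account": account, "cpassword_len": len(cpassword)})
    return findings


def find_cpasswords(root_dir):
    """Walk a SYSVOL-like tree and scan every GPP file that can hold a cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() not in GPP_PASSWORD_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # bytes, so a UTF-8 BOM is handled by the parser
                findings.extend(scan_xml(fh.read(), path))
    return findings


def demo():
    """Write the three samples into a temporary SYSVOL-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs = os.path.join(tmp, "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                             "MACHINE", "Preferences")
        samples = {("Groups", "Groups.xml"): SAMPLE_GROUPS_XML,
                   ("Drives", "Drives.xml"): SAMPLE_DRIVES_XML,
                   ("ScheduledTasks", "ScheduledTasks.xml"): SAMPLE_TASKS_XML}
        for (subdir, fname), text in samples.items():
            os.makedirs(os.path.join(prefs, subdir), exist_ok=True)
            with open(os.path.join(prefs, subdir, fname), "w", encoding="utf-8") as fh:
                fh.write(text)
        return find_cpasswords(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real domain by pointing find_cpasswords() at the mounted SYSVOL share (for example \\tomato-dc\SYSVOL\tomato.com\Policies); the Drives.xml sample shows why the scanner checks for a non-empty value rather than the mere presence of the attribute, since the preference editor writes cpassword="" whenever no credential was configured.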