CVE-2002-0018 in Windows
Summary
by MITRE
In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from the trusted domain.
Analysis
by VulDB Data Team • 09/23/2025
This vulnerability exists in Microsoft Windows NT and Windows 2000 operating systems where domain trust relationships are established between different Active Directory domains. The flaw resides in the Kerberos authentication protocol implementation and the security descriptor validation process that occurs during cross-domain authentication. When a trusting domain receives authorization information from a trusted domain, it fails to properly validate that the trusted domain has legitimate authority over all the Security Identifiers (SIDs) included in the authorization data. This validation failure creates a trust relationship exploitation vector that allows malicious actors to manipulate authentication tokens and inject SIDs from untrusted domains into the trusted domain's authorization context.
The technical exploitation of this vulnerability occurs through a process known as SID hijacking or token manipulation within the Kerberos authentication framework. Attackers can craft specially formatted authorization data that includes SIDs from untrusted domains and inject this data into the authentication flow between trusted and trusting domains. This manipulation exploits the lack of proper SID validation mechanisms that should verify domain ownership and authorization scope for each SID in the token. The vulnerability is classified as a trust relationship exploitation issue and maps to CWE-287 which addresses improper authentication mechanisms in security protocols.
The operational impact of this vulnerability is severe as it allows remote attackers to escalate privileges from standard user accounts to Domain Administrator level access within the trusting domain. This privilege escalation occurs without requiring direct system access or knowledge of user credentials, making it particularly dangerous in enterprise environments where domain trust relationships are common. Once successfully exploited, attackers can gain complete control over the trusting domain's resources, including access to sensitive data, user accounts, and system configurations. The vulnerability affects the core authentication infrastructure and undermines the fundamental security model of Active Directory trust relationships.
Organizations should implement multiple layers of defense to mitigate this vulnerability. The primary mitigation is to ensure that all domain trust relationships are configured with the appropriate trust types and that domain controllers carry the latest security patches from Microsoft. Network segmentation and monitoring should be in place to detect unusual cross-domain authentication patterns and SID injection attempts. Administrators should also review domain trust relationships regularly so that only authorized domains remain trusted. This vulnerability aligns with several ATT&CK techniques, including T1078 (Valid Accounts) and T1550 (Use Alternate Authentication Material), so it warrants both preventive and detective security controls. It also illustrates why authentication protocols must be implemented carefully and why the integrity of authorization data must be validated in distributed network environments.
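The check the analysis describes as missing (the trusting side verifying that the trusted domain is authoritative for every SID it presents) and the monitoring the mitigation paragraph recommends can both be illustrated in a small model. The following Python is an added example written for this page; it is not code from Microsoft, MITRE or VulDB. It assumes simplified authorization data (a list of SID strings rather than a real Kerberos PAC), constructed domain SIDs and constructed logon records, and it passes through well-known non-domain SIDs such as S-1-5-11 without further checks, which is a simplification of real SID filtering. The filter drops any domain SID that does not belong to the trusted domain and raises an alert when a dropped SID names a privileged group of the trusting domain itself; the scanner applies the same filter to log lines so a defender can see which logons carried foreign SIDs.

```python
import re

# Structural check for a SID string: S-1-<authority>-<subauthority>...
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
DOMAIN_SID_PREFIX = "S-1-5-21-"  # NT-authority domain SIDs start with this prefix

# Well-known RIDs of privileged domain groups (the RID is the last SID component).
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

# Hypothetical, constructed log format used only by this example.
LOG_RE = re.compile(r"^(?P<ts>\S+) src_domain=(?P<src>\S+) user=(?P<user>\S+) sids=(?P<sids>\S+)$")


def is_domain_account_sid(sid: str) -> bool:
    """True for an account or group SID of the form S-1-5-21-A-B-C-RID."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    return sid.startswith(DOMAIN_SID_PREFIX) and len(sid.split("-")) == 8


def split_sid(sid: str):
    """Split a domain account SID into (domain SID, RID)."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def filter_authorization_sids(auth_sids, trusted_domain_sid, trusting_domain_sid):
    """Keep only the SIDs the trusted domain is authoritative for.

    Returns a dict with the accepted SIDs, the rejected SIDs, and an alert string
    for each rejected SID that names a privileged group of the trusting domain.
    """
    accepted, rejected, alerts = [], [], []
    for sid in auth_sids:
        if not is_domain_account_sid(sid):
            # Well-known, non-domain SIDs (e.g. S-1-5-11 Authenticated Users) make
            # no claim about a specific domain; this simplified filter keeps them.
            accepted.append(sid)
            continue
        domain, rid = split_sid(sid)
        if domain == trusted_domain_sid:
            accepted.append(sid)  # the trusted domain is authoritative for its own SIDs
            continue
        rejected.append(sid)  # a SID from any other domain is dropped
        if domain == trusting_domain_sid and rid in PRIVILEGED_RIDS:
            alerts.append(
                f"{sid} ({PRIVILEGED_RIDS[rid]} of the trusting domain) presented by "
                f"trusted domain {trusted_domain_sid}"
            )
    return {"accepted": accepted, "rejected": rejected, "alerts": alerts}


def scan_log(lines, trusted_domain_sid, trusting_domain_sid):
    """Apply the filter to constructed cross-domain logon records; return (user, alert) pairs."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("src") != trusted_domain_sid:
            continue  # malformed record, or not from the trust under review
        result = filter_authorization_sids(
            m.group("sids").split(","), trusted_domain_sid, trusting_domain_sid
        )
        for alert in result["alerts"]:
            findings.append((m.group("user"), alert))
    return findings


# Constructed domain SIDs for the two sides of a one-way trust (assumption).
TRUSTED_DOMAIN = "S-1-5-21-1111-2222-3333"
TRUSTING_DOMAIN = "S-1-5-21-4444-5555-6666"

# Constructed authorization data: two SIDs of the trusted domain, one well-known SID,
# and one SID that claims Domain Admins membership in the trusting domain.
SAMPLE_AUTH_SIDS = [
    "S-1-5-21-1111-2222-3333-1105",
    "S-1-5-21-1111-2222-3333-513",
    "S-1-5-21-4444-5555-6666-512",
    "S-1-5-11",
]

# Constructed logon records in the hypothetical format above.
SAMPLE_LOG = [
    "2025-09-23T10:00:01Z src_domain=S-1-5-21-1111-2222-3333 user=alice "
    "sids=S-1-5-21-1111-2222-3333-1105,S-1-5-21-1111-2222-3333-513,S-1-5-11",
    "2025-09-23T10:00:07Z src_domain=S-1-5-21-1111-2222-3333 user=bob "
    "sids=S-1-5-21-1111-2222-3333-1106,S-1-5-21-4444-5555-6666-512",
]

if __name__ == "__main__":
    result = filter_authorization_sids(SAMPLE_AUTH_SIDS, TRUSTED_DOMAIN, TRUSTING_DOMAIN)
    print("accepted:", result["accepted"])
    print("rejected:", result["rejected"])
    for user, alert in scan_log(SAMPLE_LOG, TRUSTED_DOMAIN, TRUSTING_DOMAIN):
        print(f"ALERT user={user}: {alert}")
```

The filter is intentionally keyed on the trust's domain SID rather than on the names in the data: a domain is authoritative only for SIDs under its own prefix, so any SID carrying the trusting domain's prefix, or a third domain's, is dropped regardless of what account it claims to be. The alert list singles out the case the summary describes, a privileged RID of the trusting domain arriving from across the trust.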