Preempt Blog


Security Advisory: Integer Overflow in Active Directory (CVE-2020-1267)

On July 14, 2020 Patch Tuesday, Microsoft released a patch for CVE-2020-1267, an important vulnerability in the Active Directory (AD) identity store discovered by Preempt Research Labs. The vulnerability could lead to denial-of-service attacks against domains with unpatched domain controllers or, in the worst case, to a full domain compromise.

The vulnerability is an integer overflow that exists in both the NTLM and Kerberos parsing code. It occurs when the parsing of a specially crafted Privilege Attribute Certificate (PAC) structure leads to a heap overflow. Such an overflow can be used to create a denial-of-service condition, and could potentially be exploited to remotely execute code. (We have not yet pursued this path.)
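As an added illustration of the bug class described above (this is not Microsoft's code and not the specific defect behind CVE-2020-1267, whose details the post leaves to the follow-up write-up), here is a PAC buffer-table validator written so that its length and offset arithmetic cannot wrap. The wire layout follows MS-PAC; the 28-byte sample blob, the `check` helper and the "unsafe form" comments are constructed for this example:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Wire layout from MS-PAC: an 8-byte PACTYPE header (cBuffers, Version) followed
 * by cBuffers 16-byte PAC_INFO_BUFFER entries (ulType, cbBufferSize, Offset), all
 * little-endian; Offset is relative to the start of the PAC blob. */
#define PAC_HDR_LEN   8u
#define PAC_ENTRY_LEN 16u

static uint32_t rd32(const uint8_t *p) { uint32_t v = 0; for (int i = 3; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static uint64_t rd64(const uint8_t *p) { return ((uint64_t)rd32(p + 4) << 32) | rd32(p); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Validate the PAC buffer table. Returns cBuffers on success, -1 if malformed.
 * The bug class: evaluating `hdr + cBuffers * 16` or `Offset + cbBufferSize` in a
 * fixed-width integer lets attacker-chosen values wrap to a small result that
 * passes a naive `<= len` test, so the later copy runs past the heap allocation.
 * Each check below is rearranged so that no addition or multiplication can wrap. */
int pac_validate(const uint8_t *pac, size_t len)
{
    if (len < PAC_HDR_LEN) return -1;
    uint32_t cBuffers = rd32(pac);
    /* Unsafe form: if (PAC_HDR_LEN + cBuffers * PAC_ENTRY_LEN > len) ... */
    if (cBuffers > (len - PAC_HDR_LEN) / PAC_ENTRY_LEN) return -1;
    for (uint32_t i = 0; i < cBuffers; i++) {
        const uint8_t *e = pac + PAC_HDR_LEN + (size_t)i * PAC_ENTRY_LEN;
        uint32_t cb  = rd32(e + 4);
        uint64_t off = rd64(e + 8);
        /* Unsafe form: if (off + cb > len) ...  (off + cb can wrap to 0) */
        if (off > len || cb > len - off) return -1;
    }
    return (int)cBuffers;
}

/* Constructed 28-byte sample (header + one entry + 4-byte payload), not a real
 * PAC: builds the blob with the given fields and runs it through pac_validate. */
int check(uint32_t cBuffers, uint32_t cb, uint64_t off)
{
    uint8_t buf[28];
    memset(buf, 0, sizeof buf);
    wr32(buf, cBuffers);           /* Version stays 0 */
    wr32(buf + 8, 1);              /* ulType 1 = PAC_LOGON_INFO */
    wr32(buf + 12, cb);
    wr64(buf + 16, off);
    return pac_validate(buf, sizeof buf);
}
```

`check(1, 4, 24)` is accepted, while an Offset near the top of the 64-bit range, a huge cBuffers, or a cbBufferSize larger than the remaining bytes are all rejected even though the naive sums would wrap to values that look in-bounds.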

The vulnerability was classified by Microsoft as a denial of service vulnerability with a CVSS score of 4.9.

Impact

We have discovered two scenarios where this vulnerability could be exploited. The first is by crafting a special Kerberos AP-REQ message, and the second by exploiting NTLM over inter-forest trusts to compromise a domain after a trusted forest has been compromised. Eyal Karni (the primary researcher working on this vulnerability) will soon release a detailed blog post with all the technical details for this vulnerability. For now, these are the scenarios where we exploited the vulnerability:

Kerberos Scenario

In this scenario we targeted an AD service that supports Kerberos authentication (SSPI) and whose password we know. To exploit this vulnerability, we crafted a malicious PAC and sent it in an AP-REQ message to the server. This is similar to a Silver Ticket attack, with the difference that the privilege escalation does not depend on the application. Rather, the parsing of the PAC triggers a heap overflow in the OS itself (the lsass.exe process), for any service that uses Kerberos SSPI in the same manner.

Figure 1 – CVE-2020-1267 Kerberos Attack Flow

NTLM Scenario

The NTLM version of this vulnerability is exploitable in environments with inter-forest trusts. If attackers compromise a domain in one forest, they could access a domain controller from another forest and inject the malicious PAC in the NETLOGON pass-through authentication flow. In this scenario we created a PoC where we have crashed the lsass.exe process on the attacked domain controller. An attacker could also possibly use this vulnerability to remotely execute code on the attacked domain controller while bypassing the forest security boundaries.

Figure 2 – CVE-2020-1267 NTLM Attack Flow

Disclosure Timeline

Our research team discovered these security flaws in February and has been in contact with Microsoft since then:

02/26/2020 – Heap overflow was disclosed to Microsoft Security Research Center (MSRC)

03/04/2020 – MSRC acknowledged the issue and started working on a fix

06/17/2020 – MSRC informed Preempt Research Labs that the vulnerability was assigned CVE-2020-1267 and would be fixed on July's Patch Tuesday

07/14/2020 – CVE-2020-1267 security update released

Summary

Windows authentication protocols (Kerberos, NTLM) are relatively old and have existed in the Windows code base for more than 20 years. Even though this code is an active target for both attackers and defenders, this flaw was not previously found by fuzzing. Authentication protocols are usually complex and difficult to fuzz, since messages are encrypted and specific setups (passwords, trust objects, etc.) are required to effectively cover the entire code path. This limitation is why a relatively simple integer overflow on a critical authentication server could remain undiscovered for many years.

Read about other Preempt vulnerability discoveries in our Blog.


Topics: Active Directory, Domain Controller, Hacking, kerberos, Microsoft, NTLM,

Posted by Yaron Zinar on July 14, 2020 7:04 PM
