Security Advisory: Integer Overflow in Active Directory (CVE-2020-1267)
On July 14, 2020 (Patch Tuesday), Microsoft released a patch for CVE-2020-1267, an important vulnerability in the Active Directory (AD) identity store discovered by Preempt Research Labs. The vulnerability could lead to denial-of-service attacks against domains with unpatched domain controllers or, in the worst case, to a full domain compromise.
The vulnerability is an integer overflow that exists in both the NTLM and Kerberos parsing code. It is triggered when the parsing of a specially crafted Privilege Attribute Certificate (PAC) structure leads to a heap overflow. Such an overflow can be used for a denial-of-service attack and could potentially be exploited to execute code remotely (we have not yet pursued this path).
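The bug class described above, an attacker-controlled count in a PAC-like header whose size arithmetic wraps so that a later heap copy runs past its buffer, as an added illustration in C. This is not Microsoft's code and not the actual CVE-2020-1267 defect; the header and entry layout are a simplified assumption for the example. It shows the overflow-prone length check beside a hardened one.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative PAC-like layout (constructed; not Microsoft's parser and
 * not the exact MS-PAC format): 32-bit cBuffers, 32-bit version, then
 * cBuffers entries of 16 bytes (type, size, 64-bit offset). */
#define PAC_HEADER_SIZE 8u
#define PAC_ENTRY_SIZE  16u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Overflow-prone pattern: cBuffers * PAC_ENTRY_SIZE wraps in 32 bits, so
 * a huge cBuffers yields a small `needed` that passes the length check
 * while the returned entry count stays huge; a caller that allocates
 * `needed` bytes and walks `count` entries overruns its heap buffer. */
int pac_count_unchecked(const uint8_t *buf, size_t len, uint32_t *count) {
    if (len < PAC_HEADER_SIZE) return -1;
    uint32_t cBuffers = rd32(buf);
    uint32_t needed = PAC_HEADER_SIZE + cBuffers * PAC_ENTRY_SIZE; /* wraps */
    if (needed > len) return -1;
    *count = cBuffers;
    return 0;
}

/* Hardened: bound the count by what the input can hold (division cannot
 * wrap) and check each entry's (offset, size) pair without overflowing. */
int pac_count_checked(const uint8_t *buf, size_t len, uint32_t *count) {
    if (len < PAC_HEADER_SIZE) return -1;
    uint32_t cBuffers = rd32(buf);
    if (cBuffers > (len - PAC_HEADER_SIZE) / PAC_ENTRY_SIZE) return -1;
    for (uint32_t i = 0; i < cBuffers; i++) {
        const uint8_t *e = buf + PAC_HEADER_SIZE + (size_t)i * PAC_ENTRY_SIZE;
        uint32_t cbSize = rd32(e + 4);
        uint64_t off = (uint64_t)rd32(e + 8) | ((uint64_t)rd32(e + 12) << 32);
        if (off > len || cbSize > len - off) return -1;
    }
    *count = cBuffers;
    return 0;
}

/* Constructed 24-byte sample: cBuffers = 0x10000001, so the 32-bit
 * product wraps to 0x10 and `needed` == len == 24 (check passes). */
static const uint8_t kWrapSample[24] = { 0x01, 0x00, 0x00, 0x10 };
/* Constructed 24-byte sample with one valid entry (size 16 at offset 8). */
static const uint8_t kGoodSample[24] = { 0x01, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0x10, 0, 0, 0, 0x08, 0, 0, 0, 0, 0, 0, 0 };
```

The unchecked parser accepts kWrapSample and reports 0x10000001 entries for a 24-byte input; the checked parser rejects it and accepts only the well-formed sample.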
The vulnerability was classified by Microsoft as a denial of service vulnerability with a CVSS score of 4.9.
We have discovered two scenarios in which this vulnerability could be exploited. The first is crafting a special Kerberos AP-REQ message; the second is exploiting NTLM over inter-forest trusts to compromise a domain after a trusted forest has been compromised. Eyal Karni (the primary researcher working on this vulnerability) will soon release a detailed blog post with all the technical details. For now, these are the scenarios in which we exploited the vulnerability:
In the first scenario we targeted an AD service that supports Kerberos authentication (SSPI) and whose password we know. To exploit the vulnerability, we crafted a malicious PAC and sent it in an AP-REQ message to the server. This is similar to a Silver Ticket attack, with the difference that the privilege escalation does not depend on the application: the parsing of the PAC triggers a heap overflow in the OS itself (the lsass.exe process), for any service that uses Kerberos SSPI in the same manner.
Figure 1 – CVE-2020-1267 Kerberos Attack Flow
In the second scenario, the NTLM version of this vulnerability is exploitable in environments with inter-forest trusts. If attackers compromise a domain in one forest, they could access a domain controller in another forest and inject the malicious PAC into the NETLOGON pass-through authentication flow. For this scenario we created a PoC that crashed the lsass.exe process on the attacked domain controller. An attacker could possibly also use this vulnerability to execute code remotely on the attacked domain controller, bypassing the forest security boundary.
Figure 2 – CVE-2020-1267 NTLM Attack Flow
Our research team discovered these security flaws in February 2020 and has been in contact with Microsoft since then:
02/26/2020 – Heap overflow was disclosed to Microsoft Security Research Center (MSRC)
03/04/2020 – MSRC acknowledged the issue and started working on a fix
06/17/2020 – MSRC informed Preempt Research Labs that the vulnerability was assigned CVE-2020-1267 and would be fixed in July's Patch Tuesday
07/14/2020 – CVE-2020-1267 security update released
Windows authentication protocols (Kerberos, NTLM) are relatively old and have been in the Windows code base for more than 20 years. Even though this code is an active target for both attackers and defenders, this bug was not previously found by fuzzing. Authentication protocols are usually complex and difficult to fuzz, since messages are encrypted and specific setups (passwords, trust objects, etc.) are required to cover the entire code effectively. This limitation allowed a relatively simple integer overflow on a critical authentication server to go unnoticed for many years before we found it.
Posted by Yaron Zinar on July 14, 2020 7:04 PM