
Security Advisory: Zerologon (CVE-2020-1472) – An Unauthenticated Privilege Escalation to Full Domain Privileges

Authors: Marina Simakov and Yaron Zinar

On August 11th Microsoft released a security update that included a patch for a critical vulnerability in the Netlogon protocol (CVE-2020-1472), discovered by Secura researchers. Since no technical details were published initially, the CVE received little attention despite its maximum CVSS score of 10. After analyzing the vulnerability white paper and the exploit that was released, we believe this is the most critical Active Directory vulnerability discovered this year; its severity is comparable to that of MS14-068 (Forged PAC). The vulnerability allows an unauthenticated attacker with network access to a domain controller to establish a vulnerable Netlogon session and eventually gain domain administrator privileges. It is especially severe because the only requirement for a successful exploit is the ability to establish a connection with a domain controller.

Technical Details Overview

The core of the vulnerability lies in a flawed implementation of the ComputeNetlogonCredential call of the Netlogon Remote Protocol (MS-NRPC). ComputeNetlogonCredential takes an 8-byte challenge as input, performs a cryptographic transformation using a session key (which proves knowledge of the computer secret), and outputs an 8-byte result. The issue is an implementation flaw in the newer AES-CFB8 method used to perform this transformation (which is also the only method allowed in newer Windows versions).

To use AES-CFB8 securely, a random initialization vector (IV) must be generated for every plaintext encrypted under the same key. The ComputeNetlogonCredential function, however, sets the IV to a fixed value of 16 zero bytes. This results in a cryptographic flaw: encrypting 8 bytes of zeros can yield a ciphertext of all zeros with a probability of 1 in 256. A second implementation issue that enables this attack is that, by default, servers do not reject unencrypted Netlogon sessions. The combination of these two flaws allows an attacker to completely bypass the authentication and thus impersonate a server of their choice.

For a detailed and informative explanation of the vulnerability, we highly recommend reading the Secura blog.

Exploit Steps Overview  

Here is a summary of the exploitation steps:

  1. Establish an insecure Netlogon channel with a domain controller by brute-forcing with an all-zero 8-byte challenge and ciphertext while spoofing the identity of that same domain controller. This requires an average of 256 attempts (given a success probability of 1 in 256).
  2. Use the NetrServerPasswordSet2 call to set the domain controller account's password, as stored in Active Directory, to an empty one. This breaks some domain controller functionality, since the password stored in the domain controller's registry does not change (which is why step 4 below is taken).
  3. Use the empty password to connect to that same domain controller and dump additional hashes using the Domain Replication Service (DRS) protocol.
  4. Revert the domain controller's password to the original one, as stored in the local registry, to avoid detection.
  5. Use the hashes dumped in step 3 to perform any desired attack, such as Golden Ticket or Pass-the-Hash, using domain administrator credentials.
Figure 1 – Flow of ZeroLogon (CVE-2020-1472) Attack

There are various scripts online which can be used to detect and exploit this vulnerability, including:

Patch Details and Remaining Issues

Microsoft has applied two fixes to mitigate this attack. The first is to reject NetrServerAuthenticate3 requests in which the first five bytes are identical. Our analysis shows that this still allows longer brute-force attacks (requiring an average of 2^32 attempts). The second is to reject Netlogon channels that are not signed and sealed for all Windows computer accounts. This completely mitigates the attack even where brute force remains possible. Since Windows Netlogon clients always seal Netlogon messages, this should not cause any problems. However, Microsoft took the conservative approach and still allows unsigned Netlogon sessions for non-Windows computer accounts, which means that, in theory, non-Windows computer accounts are still vulnerable. Microsoft is planning an additional patch in February that will also reject insecure Netlogon sessions from non-Windows devices.
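The Go program below, added for this post and not code from Microsoft, Secura or Preempt, makes both cryptographic points concrete: the zero-IV weakness of ComputeNetlogonCredential described under Technical Details Overview, and the five-identical-bytes check that the first patch adds. It builds AES-CFB8 directly on Go's standard AES block cipher. Assumptions: the per-trial session key is a constructed stand-in (SHA-256 of a counter) for Netlogon's real key derivation, and `challengeRejected` models the check on the client challenge as described in this section rather than reproducing Microsoft's code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// aesCFB8 encrypts plaintext with AES in 8-bit cipher feedback mode.
// Each step encrypts the current 16-byte shift register, XORs its first
// byte into one plaintext byte, then shifts the register left by one byte
// and appends the ciphertext byte. Example code written for this page; it
// is not the Windows Netlogon implementation.
func aesCFB8(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", block.BlockSize(), len(iv))
	}
	register := make([]byte, len(iv))
	copy(register, iv)
	keystream := make([]byte, block.BlockSize())
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(keystream, register)
		out[i] = p ^ keystream[0]
		copy(register, register[1:]) // shift left one byte (copy handles the overlap)
		register[len(register)-1] = out[i]
	}
	return out, nil
}

// sessionKeyForTrial stands in for the per-session AES key that Netlogon
// derives from the computer secret and both challenges. A fresh key per
// attempt is what repeated authentication attempts look like; SHA-256 of a
// counter keeps the example deterministic (constructed, not a real derivation).
func sessionKeyForTrial(i uint64) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], i)
	sum := sha256.Sum256(buf[:])
	return sum[:16]
}

// countAllZeroCredentials encrypts an all-zero 8-byte challenge under
// `trials` distinct keys with the given IV and counts how often the
// resulting credential is also all zeros.
//
// With a zero IV and zero plaintext, a zero first output byte leaves the
// shift register all zeros, so every later byte is the same AES_k(0)[0] = 0:
// the whole credential is zero whenever its first byte is, i.e. with
// probability 1/256. With a non-zero IV the register changes after each
// byte, so all eight bytes are zero only with probability about (1/256)^8
// and the count stays at zero in practice.
func countAllZeroCredentials(iv []byte, trials int) int {
	zeroChallenge := make([]byte, 8)
	hits := 0
	for i := 0; i < trials; i++ {
		cred, err := aesCFB8(sessionKeyForTrial(uint64(i)), iv, zeroChallenge)
		if err != nil {
			panic(err)
		}
		if bytes.Equal(cred, zeroChallenge) {
			hits++
		}
	}
	return hits
}

// challengeRejected models the first mitigation described above: the server
// refuses a NetrServerAuthenticate3 request whose client challenge starts
// with five identical bytes, which covers the all-zero challenge.
func challengeRejected(clientChallenge []byte) bool {
	if len(clientChallenge) < 5 {
		return true
	}
	for i := 1; i < 5; i++ {
		if clientChallenge[i] != clientChallenge[0] {
			return false
		}
	}
	return true
}

func main() {
	const trials = 65536
	zeroIV := make([]byte, 16)
	fixedIV := bytes.Repeat([]byte{0x5a}, 16)
	fmt.Printf("zero IV:     %d of %d credentials were all zeros (expect about %d)\n",
		countAllZeroCredentials(zeroIV, trials), trials, trials/256)
	fmt.Printf("non-zero IV: %d of %d credentials were all zeros\n",
		countAllZeroCredentials(fixedIV, trials), trials)
	fmt.Println("all-zero challenge rejected by patched check:", challengeRejected(make([]byte, 8)))
	fmt.Println("distinct-byte challenge rejected:", challengeRejected([]byte{1, 2, 3, 4, 5, 6, 7, 8}))
}
```

Run it with `go run`: the zero-IV count lands near 256 of 65536 (1 in 256), while the non-zero IV yields none, because a zero first byte only propagates through the shift register when the register itself is all zeros. The five-byte check stops the all-zero challenge but, as noted above, only raises the brute-force cost to about 2^32 attempts rather than removing the fixed IV; it is the signed-and-sealed requirement that actually closes the attack.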

How to Protect Your Network

  1. Patch. Apply the relevant Microsoft patch as quickly as possible! 
  2. Proactively close patch gaps. Non-Windows machines are still somewhat unprotected from ZeroLogon. Search your network for non-Windows computer accounts with elevated privileges (e.g. domain replication privileges) as these could be used to launch a successful ZeroLogon attack even on patched domain controllers.
  3. If you cannot patch for any reason:
    1. An attacker exploiting the vulnerability effectively gets privileged access to a domain controller. Using this access, the attacker can harvest credentials and then perform one of the following attacks:
      • A Golden Ticket attack
      • A Pass-The-Hash attack
      • A Silver Ticket attack
      To mitigate further damage, ensure you are monitoring your environment for such attacks.
    2. Enable multi-factor authentication (MFA) for all accounts or at least privileged accounts. In that case, even if a privileged account is compromised, the access attempt would still be denied.
    3. Monitor for possible exploitation attempts with the open-source tool released by Preempt.
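As an added illustration of what monitoring for exploitation attempts can look like (example code written for this post, not Preempt's tool or its detection logic), the Go program below runs two heuristics over constructed, simplified Windows Security event 4742 records ("A computer account was changed"). Both heuristics follow from exploit steps 2 and 4 above: a domain controller's computer account password changed by ANONYMOUS LOGON (assumed here to be how an unauthenticated Netlogon password reset is attributed in the event), and the same account's password changed twice within minutes, whereas a healthy domain controller rotates its machine password roughly every 30 days. The field names and the sample timeline are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AccountChangeEvent is a reduced view of Windows Security event 4742
// ("A computer account was changed") as a SIEM might normalise it. The
// field set is a simplification assumed for this example, not the full
// event schema.
type AccountChangeEvent struct {
	Time            time.Time
	EventID         int
	SubjectUserName string // account that made the change
	TargetUserName  string // computer account that was changed
	PasswordChanged bool   // the event's "Password Last Set" attribute changed
}

// Alert names the rule that fired and the computer account it concerns.
type Alert struct {
	Rule   string
	Target string
	At     time.Time
}

// detectDCPasswordAnomalies walks events in time order and raises two
// alerts that follow from the exploit flow above (set the DC account's
// AD password to empty, then revert it minutes later):
//   - a DC computer account's password changed by ANONYMOUS LOGON, assumed
//     here to be how an unauthenticated Netlogon reset is attributed;
//   - the same DC account's password changed twice within `window`,
//     whereas a healthy DC rotates it roughly every 30 days.
// dcAccounts lists the domain controllers' computer accounts (e.g. "DC01$").
func detectDCPasswordAnomalies(events []AccountChangeEvent, dcAccounts map[string]bool, window time.Duration) []Alert {
	var alerts []Alert
	lastChange := map[string]time.Time{}
	for _, e := range events {
		if e.EventID != 4742 || !e.PasswordChanged {
			continue
		}
		target := strings.ToUpper(e.TargetUserName)
		if !dcAccounts[target] {
			continue
		}
		if strings.EqualFold(e.SubjectUserName, "ANONYMOUS LOGON") {
			alerts = append(alerts, Alert{"dc-password-changed-by-anonymous", target, e.Time})
		}
		if prev, seen := lastChange[target]; seen && e.Time.Sub(prev) <= window {
			alerts = append(alerts, Alert{"dc-password-changed-twice-in-window", target, e.Time})
		}
		lastChange[target] = e.Time
	}
	return alerts
}

// sampleEvents is a constructed timeline: the unauthenticated reset of the
// DC account password, the revert three minutes later, a benign attribute
// change on the DC that did not touch the password, and a workstation's
// routine password rotation.
func sampleEvents() []AccountChangeEvent {
	t0 := time.Date(2020, 9, 18, 10, 0, 0, 0, time.UTC)
	return []AccountChangeEvent{
		{t0, 4742, "ANONYMOUS LOGON", "DC01$", true},
		{t0.Add(3 * time.Minute), 4742, "DC01$", "DC01$", true},
		{t0.Add(20 * time.Minute), 4742, "DC01$", "DC01$", false},
		{t0.Add(1 * time.Hour), 4742, "WS05$", "WS05$", true},
	}
}

func main() {
	dcs := map[string]bool{"DC01$": true}
	for _, a := range detectDCPasswordAnomalies(sampleEvents(), dcs, 10*time.Minute) {
		fmt.Printf("%s  %-38s %s\n", a.At.Format(time.RFC3339), a.Rule, a.Target)
	}
}
```

On the sample timeline the first rule fires on the reset and the second on the revert three minutes later; the workstation's rotation and the non-password change on the DC produce nothing. In a real deployment the list of DC accounts would come from the directory rather than a literal, and the window should stay far below the default 30-day machine password age so that routine rotations never trip it.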

How Preempt Can Help

  1. Preempt monitors the network and detects (and mitigates) various attacks such as Golden Ticket and Pass-The-Hash.
  2. Preempt can be used to apply any MFA you wish to use for any desired account, using a comprehensive policy engine. Any user with MFA enabled on the Preempt Platform will not be compromised even if the attacker was able to exploit ZeroLogon and steal the user account credentials from the DC.
  3. We will be releasing a detection specifically for any ZeroLogon exploitation attempt in the near future.

Posted by Preempt on September 18, 2020 12:38 PM
