A critical and interesting vulnerability in the Netlogon Remote Protocol of Windows Server was patched by Microsoft last month. This flaw, discovered by the cybersecurity firm Secura and dubbed Zerologon, has received the highest possible severity score of 10.0. The vulnerability is identified as CVE-2020-1472 and allows an attacker to compromise a vulnerable domain controller after merely setting up a TCP connection to it. It is treated as severe because even an unauthenticated attacker can gain Domain Admin privileges by obtaining and using the domain controller's credentials.
The Netlogon Remote Protocol is an RPC interface available on Windows domain controllers. It is used to facilitate authentication between users and machines, especially for users logging in to servers with the NTLM protocol. The protocol also provides other functionality, notably allowing a computer within the domain to update its own password. The Netlogon Remote Protocol is unusual in that it uses a custom cryptographic protocol to prove client and server authenticity, i.e. each side proves knowledge of a shared secret key. This shared secret key is a hash of the client computer account's password.
As we all know, authentication attempts are sensitive, and hence all authentication requests take place over an encrypted connection. However, the Secura researcher discovered that domain controllers can be forced to fall back to unencrypted RPC communication when performing authentication requests. Once the communication has fallen back to an unencrypted mode, a flaw in the Netlogon AES-CFB8 cryptographic negotiation algorithm can be used to try to steal the credential.
The image below shows that if an attacker succeeds in forcing the communication into an unencrypted mode after the TCP handshake is established, they can then spoof the response message expected by the domain controller and trick the target machine into assuming the login was successful.
Image Credit: Secura
Netlogon AES-CFB8 cryptographic negotiation algorithm flaw:
When encrypting a message consisting only of zeroes with an all-zero Initialisation Vector (IV), there is a 1 in 256 chance that the output will also consist only of zeroes.
A PoC has also been published that exploits this vulnerability. The snippet below is the relevant part of the exploit function in the PoC. Here the flaw in the AES-CFB8 algorithm is used to learn the Client Credential: when the plaintext and ciphertext are both set to 8 zero bytes, then for 1 in 256 session keys the correct Client Credential will also consist of 8 zeroes.
    # Excerpt from the published PoC: the authentication attempt that is
    # retried until a session key yields an all-zero credential
    plaintext = b'\x00' * 8   # all-zero challenge
    ciphertext = b'\x00' * 8  # all-zero "encrypted" client credential
    try:
        server_auth = nrpc.hNetrServerAuthenticate3(
            rpc_con,
            dc_handle + '\x00',
            target_computer + '$\x00',
            nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
            target_computer + '\x00',
            ciphertext,
            flags
        )
        # ErrorCode 0 means the DC accepted the all-zero credential
        assert server_auth['ErrorCode'] == 0
When server_auth['ErrorCode'] is zero (so the assert passes), the all-zero plaintext is assumed to be the right one, and hence the client credential has been obtained. The attacker can then use the NetrServerPasswordSet2 function to set the account password to a value of their choosing. In the same way, any computer account in the domain can be compromised, including administrative ones.
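To show why the flaw described above yields an all-zero credential for 1 in 256 keys (rather than 1 in 2^64), here is an added example that is not part of the original post or of the published PoC. It implements the CFB8 mode over a stand-in keyed block function built from SHA-256 instead of AES, because the effect depends only on the mode's structure, and counts how many constructed keys produce an all-zero output.

```python
import hashlib

BLOCK = 16  # block size in bytes, as for AES

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (NOT AES): keyed SHA-256 truncated to 16 bytes.
    The CFB8 argument below only needs a fixed, key-dependent map on
    16-byte blocks, so any such stand-in exhibits the same behaviour."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: encrypt the shift register, XOR its first byte with one plaintext
    byte, then shift the resulting ciphertext byte into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)

def zero_credential(key: bytes) -> bool:
    """True if 8 zero plaintext bytes under an all-zero IV encrypt to all zeroes."""
    return cfb8_encrypt(key, b'\x00' * BLOCK, b'\x00' * 8) == b'\x00' * 8

def first_keystream_byte_is_zero(key: bytes) -> bool:
    """With a zero IV and zero plaintext the register only changes when a
    non-zero ciphertext byte is shifted in, so the whole output is zero exactly
    when the first keystream byte E(K, 0^16)[0] is zero: a 1 in 256 event."""
    return block_encrypt(key, b'\x00' * BLOCK)[0] == 0

def count_zero_keys(n: int) -> int:
    """Count constructed keys 0..n-1 (8-byte big-endian) that give a zero credential."""
    return sum(zero_credential(i.to_bytes(8, 'big')) for i in range(n))

if __name__ == '__main__':
    n = 5000
    hits = count_zero_keys(n)
    print(f'{hits} of {n} keys give an all-zero credential (expected ~{n / 256:.1f})')
```

Whether a zero IV is used is the property a defender should check for; with a fresh random IV per session the register no longer starts at zero and the shortcut disappears.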
An attacker who successfully exploits the vulnerability can take over the domain controller and run a specially crafted application on any device on the network.
All Microsoft Windows Server versions that use MS-NRPC to connect to a domain controller, except Windows Server 2008, are affected:
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2008 R2 Service Pack 1
Microsoft has released a security fix in its monthly Patch Tuesday updates for August 2020.
SanerNow security content has been published to detect and mitigate this vulnerability. We strongly recommend applying the security updates as soon as possible, following the instructions published in our support article.