Zerologon: Instantly become domain admin by subverting Netlogon cryptography
Blog post, 11 September 2020, by Tom Tervoort, Senior Security Specialist, and Ralph Moonen, Technical Director at Secura
Last month, Microsoft patched a very interesting vulnerability that allows an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is that the attacker can open a connection to the Domain Controller.
Secura's security expert Tom Tervoort previously discovered a less severe Netlogon vulnerability last year that allowed workstations to be taken over, but that attack required a Person-in-the-Middle (PitM) position to work. Now he has found a second, much more severe (CVSS score: 10.0) vulnerability in the protocol. By forging an authentication token for specific Netlogon functionality, he was able to call a function that sets the computer password of the Domain Controller to a known value. After that, the attacker can use this new password to take control of the domain controller and steal the credentials of a domain admin.
The vulnerability stems from a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol, which, among other things, can be used to update computer passwords. This flaw allows an attacker to impersonate any computer, including the domain controller itself, and execute remote procedure calls on its behalf.
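The post above summarises the flaw without naming it; the whitepaper it links to identifies it as Netlogon's use of AES in CFB8 mode with a fixed all-zero initialisation vector when computing the credential that proves knowledge of the session key. The Python below is an added illustration written for this edit, not code from Secura or from the original post. It implements the CFB8 feedback structure over a stand-in keyed function (SHA-256 truncated to one block, an assumption that replaces AES so the script needs only the standard library) and shows why an all-zero challenge encrypted under a zero IV comes out all-zero for roughly one key in 256, which is what lets an attacker who does not know the session key pass authentication simply by retrying. The sample keys, the non-zero IV used as a counter-example and the attempt loop are constructed for the demonstration.

```python
import hashlib
import os

BLOCK = 16  # 128-bit block size, as in AES


def block_fn(key: bytes, block: bytes) -> bytes:
    # Stand-in for the forward direction of a block cipher: a keyed PRF built
    # from SHA-256 and truncated to one block. CFB mode only ever calls the
    # cipher in the encryption direction, and the property shown below comes
    # from CFB8's feedback structure, not from AES itself.
    # Assumption: illustrative stand-in only, not the AES used by Netlogon.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CFB with a one-byte feedback unit. For each plaintext byte: encrypt the
    # 16-byte shift register, XOR its first byte into the plaintext byte, then
    # shift the resulting ciphertext byte into the register.
    if len(iv) != BLOCK:
        raise ValueError("IV must be exactly one block")
    register = iv
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_fn(key, register)[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def credential_is_all_zero(key: bytes, iv: bytes, length: int = 8) -> bool:
    # Netlogon-style credential: CFB8 encryption of an 8-byte challenge.
    # The attacker chooses the challenge and sends all zeros.
    return cfb8_encrypt(key, iv, bytes(length)) == bytes(length)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    # With an all-zero IV the first keystream byte is E(key, 0^16)[0]. If it is
    # zero, the first ciphertext byte is zero, the register stays all-zero, and
    # every following byte repeats the same computation: the whole credential
    # is zero. That happens for about 1 key in 256.
    return block_fn(key, bytes(BLOCK))[0] == 0


def count_zero_credentials(num_keys: int, iv: bytes) -> int:
    # Scan deterministic sample keys 0, 1, 2, ... (constructed, not real
    # session keys) and count how many yield an all-zero credential.
    return sum(
        credential_is_all_zero(n.to_bytes(BLOCK, "big"), iv)
        for n in range(num_keys)
    )


def attempts_until_zero_credential(max_attempts: int = 10_000) -> int:
    # Simulate the attacker's loop: the server derives a fresh random session
    # key per handshake, the attacker always sends an all-zero challenge and an
    # all-zero credential, and wins as soon as the two agree. Expected number
    # of attempts is about 256. Returns 0 if the limit is reached.
    for attempt in range(1, max_attempts + 1):
        session_key = os.urandom(BLOCK)
        if credential_is_all_zero(session_key, bytes(BLOCK)):
            return attempt
    return 0


if __name__ == "__main__":
    n = 4096
    print("zero IV    :", count_zero_credentials(n, bytes(BLOCK)), "of", n,
          "keys give an all-zero credential (expect about 1 in 256)")
    print("other IV   :", count_zero_credentials(n, bytes(range(BLOCK))), "of", n)
    print("attempts until the zero credential was accepted:",
          attempts_until_zero_credential())
```

The counter-example with a non-zero IV only isolates which property the attack relies on: once the register differs from the block that produced a zero keystream byte, later bytes are independent and an all-zero 8-byte output becomes a 2^-64 event instead of a 2^-8 one.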
Secura urges everybody to install the patch on all their domain controllers as fast as possible. Please refer to Microsoft's advisory. We have published a test tool on GitHub, which you can download here: https://github.com/SecuraBV/CVE-2020-1472. It tells you whether a domain controller is vulnerable or not.
If you are interested in the technical details behind this remarkable new vulnerability and how it was discovered, download the whitepaper here.