
The new Windows exploit allows you to become an administrator immediately. Did you patch?


Researchers have developed and published a proof-of-concept exploit for a recently patched Windows vulnerability that gives access to a company’s crown jewels: Active Directory domain controllers, which act as a powerful gatekeeper for all computers on the network.

The vulnerability, tracked as CVE-2020-1472, carries a Critical severity rating from Microsoft and the maximum score of 10 under the Common Vulnerability Scoring System. Exploiting it requires an attacker to first gain a foothold in a target network, either as an unprivileged insider or through the compromise of a connected device.

A “crazy” bug with a “big impact”

Exploits of this kind have become increasingly valuable to attackers deploying ransomware or espionage spyware. It is relatively easy to get employees to click malicious links and attachments in email; using those compromised computers to pivot to more valuable resources can be much more difficult.

It can sometimes take weeks or months to escalate low-level permissions to those needed to install malware or execute commands. Enter Zerologon, an exploit developed by researchers at the security company Secura, which lets attackers take control of Active Directory immediately. From there, they can do just about anything, from adding new computers to the network to infecting each one with malware of their choice.

“This attack has a huge impact,” Secura researchers wrote in a white paper published Friday. “In principle, any attacker on the local network (e.g. a malicious insider or someone who has simply plugged a device into an on-premise network port) can completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”

The Secura researchers who discovered the vulnerability and reported it to Microsoft said they had developed an exploit that works reliably, but, given the risk, they are not releasing it until they are confident the Microsoft patch has been widely installed on vulnerable servers. The researchers warned, however, that it would not be difficult to work backwards from the Microsoft patch and develop an exploit. Meanwhile, separate researchers from other security firms have posted their own proof-of-concept attack code here, here, and here.

The publication and description of exploit code quickly caught the attention of the US Cybersecurity and Infrastructure Security Agency (CISA), which works to improve cybersecurity at all levels of government. Twitter on Monday also exploded with comments highlighting the threat posed by the vulnerability.

“Zerologon (CVE-2020-1472), the craziest vulnerability ever!” one Windows user wrote. “Immediate domain administrator rights through unauthenticated network access to DC.”

“Remember something about Least Privileged Access and that it doesn’t matter if a few boxes are pwned?” Zuk Avraham, a researcher who is the founder and CEO of security company ZecOps, wrote. “Well … CVE-2020-1472 / #Zerologon will basically change your mind.”

Keys to the kingdom

Zerologon sends a string of zeros in a series of messages that use the Netlogon protocol, which Windows servers rely on for a variety of tasks, including allowing end users to log on to a network. Unauthenticated attackers can use the exploit to obtain domain administrator credentials, provided they can establish TCP connections with a vulnerable domain controller.

The vulnerability stems from the Windows implementation of AES-CFB8, a mode that uses the AES block cipher with 8-bit cipher feedback to encrypt and validate authentication messages as they traverse the internal network.

For AES-CFB8 to work properly, the so-called initialization vectors must be unique and randomly generated for each message. Windows did not meet this requirement; its Netlogon implementation used a fixed, all-zero IV. Zerologon takes advantage of this flaw by sending Netlogon messages that contain zeros in various carefully chosen fields. The Secura write-up provides an in-depth look at the source of the vulnerability and the five-step approach to exploiting it.
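The following is an added, self-contained illustration of why a fixed IV is fatal for CFB8; it is not code from the article or from Secura. Because CFB only ever runs the block cipher in the forward direction, any keyed pseudo-random function reproduces the chaining behaviour exactly, so to stay standard-library-only the example substitutes HMAC-SHA256 truncated to 16 bytes for AES (an assumption, marked in the code). The 8-byte message length is likewise a constructed parameter. The example shows the property the article describes: with an all-zero IV and an all-zero plaintext, the ciphertext is all zeros for roughly one key in 256, whereas a fresh random IV per message removes that fixed relationship.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES


def keyed_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block encryption E_key(block).

    Assumption: HMAC-SHA256 truncated to 16 bytes is used instead of AES so the
    example runs with only the standard library. CFB mode needs only the
    forward direction of the cipher, so the chaining logic below is unchanged.
    """
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """8-bit cipher feedback mode.

    The shift register starts as the IV. Each plaintext byte is XORed with the
    first byte of E_key(register); the register then drops its oldest byte and
    appends the ciphertext byte just produced.
    """
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = keyed_block(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cfb8_encrypt: same keystream, register fed with ciphertext."""
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        p = keyed_block(key, bytes(register))[0] ^ c
        out.append(p)
        register = register[1:] + bytes([c])
    return bytes(out)


def zero_iv_zero_message_collapses(key: bytes, length: int = 8) -> bool:
    """True when an all-zero IV and all-zero plaintext yield an all-zero ciphertext.

    With IV = 0 and plaintext = 0 the first ciphertext byte is E_key(0)[0].
    If that byte is 0, the register stays all zeros, every keystream byte is
    the same 0, and the whole ciphertext collapses to zeros. This happens for
    about 1 in 256 keys, independent of the message length.
    """
    return cfb8_encrypt(key, bytes(BLOCK), bytes(length)) == bytes(length)


def fraction_of_keys_collapsing(n_keys: int, length: int = 8) -> float:
    """Empirically measure how often the collapse occurs over constructed keys."""
    hits = sum(
        zero_iv_zero_message_collapses(k.to_bytes(4, "big"), length)
        for k in range(n_keys)
    )
    return hits / n_keys


def encrypt_with_fresh_iv(key: bytes, plaintext: bytes):
    """The correct usage: a unique random IV per message, sent alongside it.

    The receiver needs the IV to decrypt, but because it changes every time,
    no fixed input produces a predictable ciphertext across messages.
    """
    iv = os.urandom(BLOCK)
    return iv, cfb8_encrypt(key, iv, plaintext)


if __name__ == "__main__":
    print("fraction of keys collapsing with zero IV:",
          fraction_of_keys_collapsing(20000))  # expect roughly 1/256 ≈ 0.0039
    iv, ct = encrypt_with_fresh_iv(b"demo-key", bytes(8))
    print("random IV:", iv.hex(), "ciphertext:", ct.hex())
```

The defensive lesson is the one the article states: a mode like CFB8 is only as strong as its IV discipline, and the failure here is a protocol-design defect that no amount of key strength repairs. The test for a deployment is therefore not "is the key secret" but "does every message get a fresh, unpredictable IV", which is exactly what the August patch enforces.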

In a statement, Microsoft wrote: “A security update was released in August 2020. Customers who apply the update or have automatic updates enabled will be protected.”

As some Twitter comments suggested, some naysayers are likely to downplay the severity by arguing that once attackers gain a foothold on a network, the game is already over.

This argument runs counter to the principle of defense in depth, which calls for multiple layers of defense that anticipate successful breaches and build in redundancies to limit their damage.

Administrators are understandably cautious about installing updates that affect network components as sensitive as domain controllers. In this case, though, the risk of not installing the patch is likely greater than the risk of installing it sooner than you would prefer. Organizations with vulnerable servers should muster whatever resources they need to ensure this patch is applied sooner rather than later.
