Wednesday, November 25, 2020

New Windows exploit lets you instantly become admin. Have you patched? – Ars Technica


Zerologon lets anyone with a network toehold obtain domain-controller password.

Researchers have developed and published a proof-of-concept exploit for a recently patched Windows vulnerability that can allow access to an organization’s crown jewels—the Active Directory domain controllers that act as an all-powerful gatekeeper for all machines connected to a network.

CVE-2020-1472, as the vulnerability is tracked, carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System. Exploits require that an attacker already have a foothold inside a targeted network, either as an unprivileged insider or through the compromise of a connected device.

An “insane” bug with “huge impact”

Such post-compromise exploits have become increasingly valuable to attackers pushing ransomware or espionage spyware. Tricking employees to click on malicious links and attachments in email is relatively easy. Using those compromised computers to pivot to more valuable resources can be much harder.

It can sometimes take weeks or months to escalate low-level privileges to those needed to install malware or execute commands. Enter Zerologon, an exploit developed by researchers from security firm Secura. It allows attackers to instantly gain control of the Active Directory. From there, they will have free rein to do just about anything they want, from adding new computers to the network to infecting each one with malware of their choice.

“This attack has a huge impact,” researchers with Secura wrote in a white paper published on Friday. “It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”

The Secura researchers, who discovered the vulnerability and reported it to Microsoft, said they developed an exploit that works reliably, but given the risk, they aren’t releasing it until they’re confident Microsoft’s patch has been widely installed on vulnerable servers. The researchers warned, however, that it’s not hard to work backwards from Microsoft’s patch to develop an exploit. Meanwhile, researchers at other security firms have published their own proof-of-concept attack code here, here, and here.

The release and description of exploit code quickly caught the attention of the US Cybersecurity and Infrastructure Security Agency, which works to improve cybersecurity across all levels of government. Twitter on Monday was also blowing up with comments remarking on the threat posed by the vulnerability.

“Zerologon (CVE-2020-1472), the most insane vulnerability ever!” one Windows user wrote. “Domain Admin privileges immediately from unauthenticated network access to DC.”

“Remember something about least privileged access and that it doesn’t matter if few boxes gets pwned?” Zuk Avraham, a researcher who is founder and CEO of security firm ZecOps, wrote. “Oh well… CVE-2020-1472 / #Zerologon is basically going to change your mind.”

We can’t just ignore attackers when they don’t cause damage. We can’t just wipe computers with malware / issues without looking into the problems first. We can’t just restore an image without checking which other assets are infected / how the malware got in.

— Zuk (@ihackbanme) September 14, 2020

Keys to the kingdom

Zerologon works by sending a string of zeros in a series of messages that use the Netlogon protocol, which Windows servers rely on for a variety of tasks, including allowing end users to log in to a network. Unauthenticated attackers can use the exploit to gain domain administrative credentials, as long as they are able to establish TCP connections with a vulnerable domain controller.

The vulnerability stems from the Windows implementation of AES-CFB8, that is, the AES block cipher used in 8-bit cipher feedback mode to encrypt and validate authentication messages as they traverse the internal network.

For AES-CFB8 to work properly, so-called initialization vectors must be unique and randomly generated with each message. Windows failed to observe this requirement. Zerologon exploits this omission by sending Netlogon messages that include zeros in various carefully chosen fields. The Secura writeup gives a deep dive on the cause of the vulnerability and the five-step approach to exploiting it.
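The following added example (not code from Secura, Microsoft or this article) shows why that IV requirement matters. It implements AES-CFB8 by hand over Go's standard AES and counts, over a constructed set of keys, how often encrypting zero bytes under an all-zero IV yields an all-zero ciphertext regardless of the key; the function names and the key-derivation counter are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// cfb8Encrypt is a hand-written AES-CFB8 (Go's stdlib only ships CFB128): each
// plaintext byte is XORed with byte 0 of AES_k(register); the register then
// shifts left one byte and takes in the ciphertext byte just produced.
func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:]) // shift left one byte
		reg[aes.BlockSize-1] = out[i]
	}
	return out, nil
}

// zeroCiphertextCount encrypts eight zero bytes with the given IV under n
// deterministic keys (constructed: a counter in the low key bytes) and counts
// keys yielding an all-zero ciphertext. With an all-zero IV the register never
// changes while the output stays zero, so the outcome depends only on whether
// AES_k(0^16) begins with a zero byte: about 1 key in 256.
func zeroCiphertextCount(n uint64, iv []byte) int {
	count := 0
	for i := uint64(0); i < n; i++ {
		key := make([]byte, 16)
		binary.BigEndian.PutUint64(key[8:], i)
		ct, _ := cfb8Encrypt(key, iv, make([]byte, 8))
		if bytes.Equal(ct, make([]byte, 8)) {
			count++
		}
	}
	return count
}

func main() {
	fmt.Println("keys of 8192 giving all-zero ciphertext with a zero IV:", zeroCiphertextCount(8192, make([]byte, 16)))
}
```

A unique, random IV per message removes this key-independent structure, which is the property the patched implementation has to restore.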

In a statement, Microsoft wrote: “A security update was released in August 2020. Customers who apply the update, or have automatic updates enabled, will be protected.”

As alluded to in some of the Twitter remarks, some naysayers are likely to downplay the severity by saying that, any time attackers gain a toehold in a network, it’s already game over.

That argument is at odds with the defense-in-depth principle, which advocates for creating multiple layers of defense that anticipate successful breaches and create redundancies to mitigate them.

Administrators are understandably cautious about installing updates that affect network components as sensitive as domain controllers. In the case here, there may be more risk in not installing than installing sooner than one might like. Organizations with vulnerable servers should muster whatever resources they need to make sure this patch is installed sooner rather than later.
