2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Many people with little experience do not know how to analyze the CVE-2020-1472 vulnerability. This article summarizes the cause of the problem and the available fixes, so that after reading it you can work through the issue yourself.
Brief description of the Netlogon privilege escalation vulnerability (CVE-2020-1472):
The Netlogon Remote Protocol is an RPC interface used by Windows domain controllers for a variety of tasks related to user and machine authentication. It is most commonly used to let users log in to servers with the NTLM protocol, but it is also used to authenticate NTP responses and to update computer account passwords in the domain.
Microsoft MSRC published a security advisory for the Netlogon privilege escalation vulnerability on Aug. 11. The vulnerability has the CVE number CVE-2020-1472 and a CVSS score of 10.0. It was discovered by Tom Tervoort of Secura and named Zerologon.
Affected versions:
Influence version number:
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
Vulnerability date:
2020-09-11
Brief description of the vulnerability:
A privilege escalation vulnerability exists when an attacker uses the Netlogon Remote Protocol (MS-NRPC) to establish a vulnerable Netlogon secure channel to a domain controller. An attacker who successfully exploits this vulnerability can run specially crafted applications on devices in the network.
To exploit this vulnerability, an unauthenticated attacker needs only an MS-NRPC connection to a domain controller, from which domain administrator access can be obtained.
Vulnerability principle:
The Netlogon Remote Protocol can, among other things, update passwords in the domain. Its RPC interface is reachable either over a dynamic TCP port assigned by the domain controller's endpoint mapper, or over SMB on port 445.
The Netlogon protocol uses a custom cryptographic protocol that lets clients (computers joined to the domain) and servers (domain controllers) prove to each other that they know a shared secret, namely the hash of the client computer's account password. A Netlogon session is initiated by the client. Client and server first exchange 8 random bytes each (the challenges), then both feed these, together with the shared secret, into a key derivation function to obtain a session key. The client then uses this session key to compute a client credential, and the server recomputes the same credential. If the two match, the client must know the session key, and therefore the computer password.
During the authentication handshake the two parties also negotiate whether to sign and seal (encrypt) the transport. Even if encryption is disabled, every important call must still carry an authenticator value, which is also computed with the session key.
Authentication phase
Both the client and the server generate their credentials with the cryptographic primitive that the protocol specification calls ComputeNetlogonCredential. This function takes an 8-byte input and transforms it, using the session key, into an output of the same length; without knowing the session key it should be impossible to compute the correct output for a given input. There are two versions of this function, one based on 2DES and one on AES, selected by flags the client sets during authentication; in practice AES is used. The AES block cipher takes a 16-byte input and turns it into an output of the same size, so a mode of operation is needed to encrypt inputs that are larger or smaller. The mode chosen for ComputeNetlogonCredential is the obscure CFB8 (8-bit cipher feedback) mode, which transforms only one byte per block-cipher call and therefore costs about 16 times the work of a normal mode.
AES-CFB8 encrypts each byte of plaintext by prepending a 16-byte initialization vector, applying AES to the first 16 bytes of IV + plaintext, XORing the first byte of the AES output with the next plaintext byte, and then shifting that ciphertext byte into the register for the next step.
[Figure: AES-CFB8 mode of operation]
To encrypt a session, an initialization vector (IV) must be supplied to bootstrap the encryption process; it must be unique, so that each encryption under the same key yields different ciphertext. However, the IV used by the ComputeNetlogonCredential function is fixed: it consists of 16 zero bytes, whereas AES-CFB8 requires the IV to be random. For one key in 256, applying this to an all-zero plaintext yields an all-zero ciphertext.
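The following is an added illustration, not code from the original article or from Secura: a CFB8 implementation over a pluggable block function that shows why a fixed all-zero IV makes the zero-input credential collapse to all zeros for about one key in 256 (the origin of the 256 attempts discussed later). The block function is an assumed stand-in built from SHA-256, not AES, and the keys are constructed for the experiment.

```python
import hashlib

BLOCK = 16              # block size in bytes, as for AES-128
ZERO_IV = bytes(BLOCK)  # the fixed IV ComputeNetlogonCredential uses
ZERO_INPUT = bytes(8)   # an all-zero 8-byte challenge

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Assumption: keyed stand-in for the AES block function, SHA-256(key || block)
    # truncated to 16 bytes. NOT AES; only "unpredictable per key" matters here.
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: per plaintext byte, encrypt the 16-byte shift register (initially the
    IV), XOR the first output byte into the plaintext byte, then shift the ciphertext
    byte into the register. One cipher call per byte, hence ~16x a normal mode."""
    assert len(iv) == BLOCK
    register, out = bytearray(iv), bytearray()
    for p in plaintext:
        c = p ^ toy_block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)

def zero_iv_is_fatal(key: bytes) -> bool:
    """Output for IV = 0^16, plaintext = 0^8 is all zeros iff the first byte of
    E_k(0^16) is 0: a 0 is shifted in, the register stays zero, every byte repeats."""
    return toy_block_encrypt(key, ZERO_IV)[0] == 0

def constructed_key(i: int) -> bytes:
    # Constructed, deterministic 16-byte keys for the experiment (not real session keys).
    return hashlib.sha256(b"cfb8-demo:%d" % i).digest()[:BLOCK]

def fraction_of_zero_credentials(num_keys: int) -> float:
    """Share of keys whose zero-IV, zero-input credential is all zeros: about 1/256
    for a cipher that behaves randomly, which is where the ~256 attempts come from."""
    hits = 0
    for i in range(num_keys):
        key = constructed_key(i)
        ct = cfb8_encrypt(key, ZERO_IV, ZERO_INPUT)
        assert (ct == bytes(8)) == zero_iv_is_fatal(key)  # the structural claim above
        hits += ct == bytes(8)
    return hits / num_keys

def register_states(key: bytes, iv: bytes) -> int:
    """Distinct shift-register states over 8 zero bytes: a non-zero IV keeps the
    register moving (8 states, 8 independent lucky bytes); zero IV can collapse to 1."""
    register, seen = bytearray(iv), set()
    for _ in ZERO_INPUT:
        seen.add(bytes(register))
        register = register[1:] + bytes([toy_block_encrypt(key, bytes(register))[0]])
    return len(seen)
```

With a fresh random IV the register changes at every step, so all eight output bytes would have to be zero independently (probability 2^-64); the fixed zero IV reduces that to a single lucky byte.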
Vulnerability exploitation:
1. Spoofing client credentials
After exchanging challenges with the NetrServerReqChallenge call, the client calls NetrServerAuthenticate3, passing a ClientCredential parameter that is the result of applying ComputeNetlogonCredential to the challenge it sent in the previous request. One key in 256 produces an all-zero credential, but how do you know whether the session key is one of them? Because computer accounts are not locked out after failed logins, the handshake can simply be repeated until the credential happens to be correct and authentication succeeds; on average this takes about 256 attempts.
2. Disable signing and sealing
Although authentication has been bypassed, the value of the session key is still unknown. Netlogon's transport encryption mechanism ("RPC signing and sealing") uses a completely different scheme from ComputeNetlogonCredential, but signing and sealing are optional: the client only needs to omit the corresponding flag in its NetrServerAuthenticate3 call. A default client rejects the connection if the server does not set this flag, but the server does not reject requests from clients that ask for no encryption.
3. Spoofing requests
Even with request encryption disabled, every request still carries an authenticator value obtained by applying ComputeNetlogonCredential (with the session key) to ClientStoredCredential + timestamp. ClientStoredCredential is a counter maintained by the client that is initialized to the same value as the ClientCredential from the handshake. Since that client credential consists only of zeros, ClientStoredCredential is zero for the first call. The timestamp is supposed to contain the current time, but the server does not enforce any restriction on it, so the first call only needs to supply an all-zero authenticator and an all-zero timestamp.
4. Changing the AD password
Netlogon requests can now be sent on behalf of any client. Since the introduction of Active Directory, many of the older calls that replicated the account database have been disabled and cannot be used to extract credentials. There is a NetrServerPasswordGet call that returns the computer's NTLM password hash, but the result is encrypted with the session key. Instead, the NetrServerPasswordSet2 call can be used to set a new password for the client computer; it takes the new password in plaintext, not as a hash, encrypted with the session key, which we continue to treat as all zeros.
The plaintext password structure in the Netlogon protocol is 516 bytes long, with the last four bytes giving the length of the password; the bytes of the structure that are not part of the password can be filled with any value. If 516 zero bytes are supplied here, they decrypt to 516 zero bytes, that is, to a zero-length password, which means the password of any computer account in the domain can be emptied. After the computer password is changed, the target system itself still stores the original password locally, so it can no longer authenticate to the domain and can only be resynchronized by manual intervention (a denial-of-service condition).
5. Escalating to administrator
The password that can be changed is that of the domain controller itself, even when connected to that same domain controller. The DC password stored in AD then differs from the one stored in the local registry under HKLM\SECURITY\Policy\Secrets\$machine.ACC, which may cause unpredictable abnormal behaviour on the DC, but logins still work. Running Impacket's secretsdump script with the now-valid DC password then uses the DRS replication protocol to extract the hashes of all users in the domain, including the domain administrator hash (and the krbtgt hash, which can be used to forge golden tickets). Logging in to the DC and restoring the computer password in the registry afterwards leaves the attacker with domain administrator access.
Repair recommendations:
1. Update Windows and keep Windows automatic updates enabled, or upgrade manually by downloading the package from the link below.
2. Enable enforcement mode on domain controllers.
After reading the above, have you mastered how to analyze the CVE-2020-1472 vulnerability? If you want to learn more skills or find out more about the topic, you are welcome to follow the industry information channel. Thank you for reading!