Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Hijacking a Domain Controller with Netlogon RPC aka Zerologon: CVE-2020-1472

On September 14th, researchers at security firm Secura published a white paper detailing a complete unauthenticated compromise of domain controllers by subverting the Netlogon cryptography. The vulnerability, dubbed “Zerologon” (CVE-2020-1472) is a privilege escalation bug with a CVSSv3 score of 10.0 and allows a remote attacker to establish a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC) and take over Windows Servers running as Domain Controllers.

Vulnerability Details and Analysis

MS-NRPC is an RPC interface that is used exclusively by domain-joined devices. It includes an authentication method and a method of establishing a Netlogon secure channel. The vulnerability uses a weak cryptographic algorithm in Netlogon’s authentication process to allow full takeover of Active Directory domains. The flaw lies in Netlogon’s cryptographic implementation of AES-CFB8 encryption. An attacker can impersonate a DC account and replace it with all zeros. As per Secura’s white paper, for 1 in 256 keys, applying AES-CFB8 encryption to an all-zero plaintext will result in an all-zero ciphertext. By sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller.

Exploitation

Below are screenshots explaining the exploitation details listed in the white paper.

  1. Bypassing the authentication call

The client is authenticating itself by doing NetrServerAuthenticate3 call after the exchange of the challenges. This call has a parameter called ClientCredential, that was computed during the client challenge. Since the client challenge can be set to zeroes, it means that for 1 in 256 session keys, the correct ClientCredential will consist of 8 zeroes. With several tries, the correct key will be hit in an average of 256 tries, but in implementation it only takes a few seconds.

Image001Figure 1: Packet capture with several authentication attempts until response is not DENIED

  1. Disabling RPC signing and sealing

Even if the authentication call is bypassed, the real value of the session key would be unknown. Since Netlogon's transport encryption’s use of this key is optional, the client can disable the mechanism in the flag of the NetrServerAuthenticate3 call.

Image002Figure 2: Disable signing and sealing flag used in the POC code (Source: https://github.com/dirkjanm/CVE-2020-1472)

Image003
Figure 3: NetrServerAuthenticate3 packet with the flag set

  1. Computing the Authenticator value

Every call must contain an authenticator value which is computed by applying ComputeNetlogonCredential (with the session key) to the value ClientStoredCredential + Timestamp. The ClientStoredCredential is incrementing value starting from zero since client credential consists of zeroes. While the timestamp contains current Posix time, the server does not place any restriction on this value, and it can be set to zero.

  1. Changing computer's AD Password

Using the NetrServerPasswordSet2 call, a new password for the client can be encrypted with the session key using the AES-CFB8. Netlogon plaintext password consists of 516 bytes, the last four indicate the password length. By providing 516 zeroes, this will be decrypted to 516 zeros or an empty password. Changing the password this way only updates it in the AD.

Image004Figure 4: NetrServerPasswordSet2 request packet with empty password (516 zeroes)

  1. Changing Domain Admin Password

Using the previous steps to change the password of the domain controller, the DC password was changed in the AD, but not in the local registry. This only works when DC validates a login attempt with the password stored in AD. It was found that using Impacket's secretdump, the newly set DC password can be used to compromise the system.

Let’s look at the proof of concept in action.

Proof of Concept

Secura released a Python script to test the presence of the vulnerability. Multiple other PoCs are available on Github, all based on the Secura proof of concept. See 1, 2, 3, 4.

Image005Figure 5: Exploitation of the Vulnerability using: https://github.com/dirkjanm/CVE-2020-1472

Image006Figure 6: Using john the ripper to crack the nthash

After using the PoC code, nthash of the DC changed to 31d6cfe0d16ae931b73c59d7e0c089c0 which is an empty password when decrypted.

Impact

This is a very high impact and a severe vulnerability allowing a local attacker to completely compromise the Windows domain. Exploitation by advanced threat actors is highly possible and this vulnerability offers ransomware groups to attack organizations with network-accessible hosts.

How to protect your systems?

Microsoft is addressing the vulnerability in a phased two-part rollout. The initial phase started with the August 11th, 2020 Patch Tuesday update. Customers who have applied August 2020 Patch Tuesday Security updates are protected against Zerologon attacks. The patch fixes the problem by enforcing the Secure Netlogon Remote Protocol for all Windows servers and clients in the domain. We urge organizations that have not applied the August 2020 Patch Tuesday updates, to patch CVE-2020-1472 immediately. Phase 2, planned for the first quarter of 20201, will be an enforcement phase. Microsoft has also provided guidance on deploying Domain Controller enforcement mode at https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc#EnforcementMode.

Detection Guidance

Trustwave’s Security Testing Services customers can detect this vulnerability via authenticated scans.

References

https://www.secura.com/pathtoimg.php?id=2055
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472

Latest SpiderLabs Blogs

Ukrainian Intelligence Claims Successful Compromise of the Russian Ministry of Defense

On March 4, 2024, the Telegram channel of the Main Directorate of Intelligence of the Ministry of Defense of Ukraine (GUR) was updated with assertions that they executed a successful cyberattack...

Read More

Cost Management Tips for Cyber Admins

As anyone who has filled out an expense report can tell you, cost management is everyone's responsibility. Organizations must apply a careful balance of budget planning and expenditures that are in...

Read More

Resurgence of BlackCat Ransomware

Updated March 8: Based on our experience, we believe that BlackCat's claim of shutting down due to law enforcement pressure is a hoax. We anticipate their return under a new guise or brand after...

Read More