ZeroLogon is a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) for which Microsoft released a fix () in August 2020.
This vulnerability was discovered by a Secura security researcher on 11 September 2020. The weak point is the use of the Advanced Encryption Standard in 8-bit Cipher Feedback mode (AES-CFB8), which MS-NRPC uses to encrypt the client credential derived from the "Client Challenge" during the third step of the MS-NRPC handshake.
ZeroLogon affected all Windows servers that function as Active Directory domain controllers in enterprise networks.
The following diagram shows the MS-NRPC authentication handshake; the attack targets step 3, where the client credential is encrypted with AES-CFB8.
The way MS-NRPC uses AES-CFB8 has a problem with the Initialisation Vector (IV). The IV should be a random value, but MS-NRPC sets a fixed IV of 16 zero bytes. Consequently, if the client challenge is set to all zeros, the encryption result is all zeros with probability 1/256, which makes it easy to pass the step 4 validation.
Tom Tervoort's original publication covers the attack in full detail.
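As an added example (not code from the original page or from Tervoort's research), the following pure-Python AES-128-CFB8 implementation shows why the fixed all-zero IV matters: with an 8-byte all-zero plaintext, the ciphertext is all zeros exactly when the first byte of AES_key(0^16) is zero, because that zero byte is shifted back into the register and the register never changes, and this happens for about 1 in 256 keys. The AES implementation, the key sampling, the seed and all function names are constructed for this demonstration; a random per-message IV, as the text recommends, removes the property since the register is no longer under the sender's control.

```python
import random

# Constructed demo: AES-128 in CFB8 mode, written to show why a fixed
# all-zero IV lets an all-zero plaintext encrypt to an all-zero ciphertext
# with probability 1/256. Pure-Python AES (slow, illustrative only).


def _xtime(a):
    """Multiply by x (i.e. by 2) in GF(2^8) with the AES polynomial."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B
    return a & 0xFF


def _gen_sbox():
    """Build the AES S-box from the GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p ^= _xtime(p)                      # p *= 3 (3 generates GF(2^8)*)
        q ^= q << 1; q ^= q << 2; q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09                       # q /= 3, so q == p^-1
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF   # XOR of rotations + 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _gen_sbox()


def _expand_key(key):
    """AES-128 key schedule: 44 words -> 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _mix_column(a):
    """MixColumns on one 4-byte column."""
    b = [_xtime(x) for x in a]
    return [b[0] ^ b[1] ^ a[1] ^ a[2] ^ a[3],
            a[0] ^ b[1] ^ b[2] ^ a[2] ^ a[3],
            a[0] ^ a[1] ^ b[2] ^ b[3] ^ a[3],
            b[0] ^ a[0] ^ a[1] ^ a[2] ^ b[3]]


def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block (state kept column-major, as in FIPS-197)."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                          # SubBytes
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:
            s = sum((_mix_column(s[4 * c:4 * c + 4]) for c in range(4)), [])  # MixColumns
        s = [b ^ k for b, k in zip(s, rk[rnd])]                           # AddRoundKey
    return bytes(s)


ZERO_IV = bytes(16)   # the fixed IV the text describes


def aes_cfb8_encrypt(key, iv, plaintext):
    """CFB8: each plaintext byte is XORed with the first byte of AES(register);
    the resulting ciphertext byte is then shifted into the register."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ aes128_encrypt_block(key, bytes(reg))[0]
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def zero_iv_zero_challenge_collapses(key):
    """True when an all-zero 8-byte challenge under the all-zero IV encrypts
    to all zeros. That happens exactly when AES_key(0^16)[0] == 0: the zero
    ciphertext byte is shifted in, the register stays zero, and every later
    byte repeats the same computation."""
    return aes_cfb8_encrypt(key, ZERO_IV, bytes(8)) == bytes(8)


def estimate_collapse_rate(n_keys, seed=1):
    """Sample random keys (constructed, seeded) and return (fraction of keys
    that collapse, list of those keys). Expected fraction: 1/256 ~ 0.0039."""
    rng = random.Random(seed)
    keys = (rng.getrandbits(128).to_bytes(16, "big") for _ in range(n_keys))
    hits = [k for k in keys if zero_iv_zero_challenge_collapses(k)]
    return len(hits) / n_keys, hits


if __name__ == "__main__":
    rate, hits = estimate_collapse_rate(2048)
    print(f"{len(hits)} of 2048 keys collapse to all-zero ciphertext ({rate:.4f}, expect ~0.0039)")
```

Running the block samples 2048 constructed keys and reports how many produce an all-zero ciphertext for an all-zero challenge; the count clusters around 8, the 1/256 rate the text gives. The same encryption with a non-zero IV (for instance `aes_cfb8_encrypt(key, bytes(range(1, 17)), bytes(8))`) does not collapse for those keys, which is the concrete reason a random IV is required.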
Exploitation Demo
Target Environment
Host Name: FKCLAI-WIN2016
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
Domain: FKCLAI.local
Logon Server: \\FKCLAI-WIN2016