In this article, we will walk through this vulnerability, understand the problem, consider how it could be exploited and present a scenario used by attackers to compromise several companies before they applied the fix from Microsoft. Some prevention measures to mitigate this flaw are also provided at the end of the article.

How the Zerologon flaw was discovered

This vulnerability was announced in September 2020 by Tom Tervoort, a researcher at the Secura firm. Microsoft had patched the flaw in August 2020, but several companies remained vulnerable for the following months. Tervoort had initially been looking at other kinds of vectors, such as a person-in-the-middle attack, a vulnerability tracked separately as CVE-2020-1424. Continuing his research, he found the Zerologon flaw. An attacker who successfully exploited the vulnerability could run a specially crafted application on the network and obtain remote code execution. To exploit the vulnerability, an unauthenticated attacker would only need to use MS-NRPC to connect to a domain controller in order to obtain domain administrator access.

Digging into the details

By abusing this vulnerability, an attacker can take control of any vulnerable domain controller, including the root domain's. This is achieved by exploiting a cryptographic flaw in Microsoft's Active Directory Netlogon Remote Protocol (MS-NRPC). The attack takes advantage of the incorrect use of an AES mode of operation in the Netlogon authentication handshake to spoof the identity of any computer account, including the DC itself, and then set an empty password for that account in Active Directory. To exploit this vulnerability, attackers must be able to establish a TCP connection with the DC from the internal network, or first compromise an internet-facing web server and use it as a pivot across a misconfigured DMZ (a scenario exploited in the wild by criminals and presented towards the end of the article). Exploitation consists of sending a large number of authentication requests to the domain controller via the Netlogon protocol. As Tervoort discovered, the protocol uses AES-CFB8 with a fixed IV of 16 zero bytes. Under that IV, one in every 256 keys encrypts an all-zero plaintext to an all-zero ciphertext, and because the session key is derived from a fresh server challenge on every handshake, the attacker does not need to recover any key at all: sending zeros and retrying succeeds after about 256 attempts on average, which takes two to five seconds in practice. The exploit then uses the newly authenticated connection to reset the DC machine account password to an empty value, and from there escalates to domain admin.

As described above, the problem is an incorrect use of a cryptographic algorithm rather than a weakness in AES itself. CFB8 mode requires a fresh, unpredictable IV for every message; Netlogon hardcodes the IV to zero. In one out of 256 handshakes on average, the random server challenge produces a session key for which the first byte of AES(key, 0x00...00) is zero; that keystream byte XORed with an all-zero plaintext byte is zero, the CFB8 shift register therefore stays all zeros, and every following keystream byte is zero as well. Digging into the protocol details, the handshake starts with the NetrServerReqChallenge call, in which client and server exchange 8-byte challenges, followed by the NetrServerAuthenticate3 call, which carries a parameter named ClientCredential (see figure below for more details).

ClientCredential is supposed to be the client challenge from NetrServerReqChallenge encrypted under the session key, and both values are 8 bytes chosen by the client. An attacker can therefore send a client challenge of 8 zero bytes together with a ClientCredential of 8 zero bytes and simply repeat the handshake; after about 256 attempts, the server challenge yields a session key whose CFB8 keystream under the zero IV is all zeros, and NetrServerAuthenticate3 succeeds. From this point, the attacker calls NetrServerPasswordSet2 with an all-zero encrypted password blob, which decodes to a password of length zero, and the DC machine account password is set to empty. Authenticating as the DC's machine account then lets the attacker pull every account's credentials from the domain, which is the domain admin outcome. The proof-of-concept (PoC) and exploit were published on GitHub and can be used to check and exploit vulnerable domain controllers. Because of this and other vulnerabilities used to jump into internal infrastructures, criminals exploited this vector in the wild in the months that followed.
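The handshake and password reset described above, as an added example written for this article rather than code from Secura, Microsoft or any published PoC. It is a self-contained Go model of the DC-side checks: AES-CFB8 with Netlogon's fixed zero IV, a session key derivation with the shape of MS-NRPC's AES key (HMAC-SHA256 over the two challenges, here keyed with a constructed 16-byte secret in place of the MD4 hash of the machine password), the NetrServerAuthenticate3 comparison, and decoding of the NL_TRUST_PASSWORD blob that NetrServerPasswordSet2 receives. Nothing talks to a real DC; the "server", its random challenges, the seed and the secret are all simulated in-process, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/rand"
	"unicode/utf16"
)

// zeroIV is the fixed all-zero IV Netlogon uses for every AES-CFB8 operation;
// zero8 is the attacker's choice for both ClientChallenge and ClientCredential.
var zeroIV, zero8 = make([]byte, aes.BlockSize), make([]byte, 8)

// cfb8 runs AES-CFB8 over in: per byte, encrypt the 16-byte shift register, XOR its
// first output byte into the input byte, then shift the ciphertext byte in from the right.
func cfb8(key, iv, in []byte, decrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg, ks, out := append([]byte{}, iv...), make([]byte, aes.BlockSize), make([]byte, len(in))
	for i, b := range in {
		block.Encrypt(ks, reg)
		out[i] = b ^ ks[0]
		if decrypt {
			reg = append(reg[1:], b) // when decrypting, the input byte is the ciphertext
		} else {
			reg = append(reg[1:], out[i])
		}
	}
	return out
}

// deriveSessionKey has the shape of the MS-NRPC AES session key: HMAC-SHA256 over
// ClientChallenge||ServerChallenge, truncated to 16 bytes. The real HMAC key is the MD4
// hash of the machine password; a constructed 16-byte secret stands in for it here.
func deriveSessionKey(secret, clientChallenge, serverChallenge []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(clientChallenge)
	mac.Write(serverChallenge)
	return mac.Sum(nil)[:16]
}

// zeroCredentialHits counts, over n random keys, how often 8 zero bytes encrypt to 8 zero
// bytes. With the fixed zero IV, a key whose first keystream byte is 0x00 keeps the register
// at zero, so every byte is zero: about n/256. With a random IV each byte must come out
// zero independently: about n/2^64, i.e. never.
func zeroCredentialHits(n int, randomIV bool, rng *rand.Rand) int {
	key, iv, hits := make([]byte, 16), make([]byte, 16), 0
	for i := 0; i < n; i++ {
		rng.Read(key)
		if randomIV {
			rng.Read(iv)
		}
		if bytes.Equal(cfb8(key, iv, zero8, false), zero8) {
			hits++
		}
	}
	return hits
}

// zerologonAttempts plays the attacker against a simulated DC: send zero8 as both
// ClientChallenge and ClientCredential, let the DC draw a fresh ServerChallenge, repeat
// until the DC's check passes. Returns the attempt count (0 if maxAttempts ran out) and
// the ServerChallenge of the winning handshake.
func zerologonAttempts(secret []byte, rng *rand.Rand, maxAttempts int) (int, []byte) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		serverChallenge := make([]byte, 8)
		rng.Read(serverChallenge)
		// DC side of NetrServerAuthenticate3: ClientCredential must equal
		// AES-CFB8(sessionKey, zeroIV, ClientChallenge).
		sk := deriveSessionKey(secret, zero8, serverChallenge)
		if bytes.Equal(cfb8(sk, zeroIV, zero8, false), zero8) {
			return attempt, serverChallenge
		}
	}
	return 0, nil
}

// decryptTrustPassword is the DC side of NetrServerPasswordSet2: decrypt the 516-byte
// NL_TRUST_PASSWORD blob (512-byte UTF-16LE buffer with the password right-aligned, then a
// 4-byte little-endian length). Under a winning session key, 516 zero bytes decrypt to
// zeros: length 0, so the new machine password is "".
func decryptTrustPassword(sessionKey, blob []byte) (string, bool) {
	plain := cfb8(sessionKey, zeroIV, blob, true) // blob is expected to be 516 bytes
	n := int(binary.LittleEndian.Uint32(plain[512:]))
	if n > 512 || n%2 != 0 {
		return "", false
	}
	u16 := make([]uint16, n/2)
	for i := range u16 {
		u16[i] = binary.LittleEndian.Uint16(plain[512-n+2*i:])
	}
	return string(utf16.Decode(u16)), true
}

func main() {
	rng := rand.New(rand.NewSource(1472))    // deterministic stand-in for the DC's RNG
	secret := bytes.Repeat([]byte{0x5a}, 16) // constructed stand-in for MD4(machine password)
	fmt.Printf("zero credentials out of 20000 keys: zero IV %d (expect about 78), random IV %d (expect 0)\n", zeroCredentialHits(20000, false, rng), zeroCredentialHits(20000, true, rng))
	attempts, sc := zerologonAttempts(secret, rng, 10000)
	pw, ok := decryptTrustPassword(deriveSessionKey(secret, zero8, sc), make([]byte, 516))
	fmt.Printf("DC accepted the all-zero credential after %d handshakes; 516 zero bytes -> valid=%v, password=%q\n", attempts, ok, pw)
}
```

Run it with go run: the zero-IV count lands near 20000/256, the random-IV count stays at 0, the simulated DC accepts the all-zero credential within a few hundred handshakes, and 516 zero bytes decode to an empty password. The attacker never learns the secret or the session key; the DC does all the cryptography and simply accepts zeros. Note that the August 2020 fix described later in the article does not change this cipher usage; it enforces secure RPC on the Netlogon channel so that an unauthenticated client can no longer reach these calls over an unprotected connection.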

From scratch to domain admin: The scenario exploited by criminals

This vulnerability was exploited in the wild when the exploit was shared online. Many threat groups used it to access and compromise companies around the world. “This vulnerability would allow a malicious agent with a foothold on your internal network to essentially become Domain Admin with just one click. This scenario is possible when communication with the Domain Controller can be performed from the attacker’s viewpoint”, writes Segurança Informática.

As shown, communication with the internal network and domain controllers can normally only be made from the intranet, but many networks have weak policies and poor segregation and segmentation, which allows, for example, web servers located in the DMZ to also communicate with internal hosts. Thus, in order to jump into the internal network, criminals exploited many possible attack vectors, including the use of leaked credentials to obtain a valid VPN connection or the exploitation of other CVEs such as CVE-2020-25213. CVE-2020-25213 is a vulnerability in the File Manager plugin for the WordPress CMS that allowed unauthenticated attackers to upload files and execute arbitrary code on the server. According to Wordfence, by September 4th, 2020, attacks on over 1.7 million sites had been recorded, and by September 20th the total number of sites attacked had increased to over 2.6 million. Meanwhile, CVE-2020-25213 continued to be exploited by criminals. The exploit was published on Twitter in September 2020.

According to the security researcher, “I’ve sent a writeup and PoC for the vulnerable plugin to the project author but didn’t get any response, and my private post was deleted. The elFinder.py issue is a common vulnerability with so many scripts on the internet… my script only changes the path to ‘wp-content’“.

According to the analysis of SI-LAB, this flaw was used in various attack scenarios, and in some specific cases threat actors used it as the entry point for Zerologon exploitation. After the initial foothold, and where network segmentation is poor, lateral movement through a pivot is possible: by exploiting the WordPress plugin on a machine that merely hosted a simple public website, criminals reached the internal network, since in many cases no segmentation or segregation was in place at all. Below, the execution of Zerologon and the extraction of the domain's NTLM hashes.

Note that breaking a domain controller can break the whole network. After exploiting a DC, its machine account password is set to empty in Active Directory, but the DC's own locally stored copy of that password is not updated. That password (and its NTLM hash) is what the DC uses to authenticate to the other domain controllers for replication; once the two copies disagree, the DCs stop communicating and synchronizing. So, even during red teaming assessments, it is crucial to dump the registry hives immediately after exploiting the domain controller, recover the original machine account password from them and restore it as soon as possible to prevent a potential breakdown.

Final thoughts

Getting domain admin rights over an entire network allows an attacker to access any asset and exfiltrate sensitive and critical data, steal banking information and even compromise intellectual property. Criminals also use those privileges to deploy ransomware afterwards, which makes the attack devastating for the target organizations. In order to mitigate this problem, Microsoft released a security patch in August 2020. This update is the first of a two-part rollout (the enforcement phase is expected in February 2021) and introduces the following changes to the Netlogon protocol:

- Enforces secure RPC usage for machine accounts on Windows-based devices.
- Enforces secure RPC usage for trust accounts.
- Enforces secure RPC usage for all Windows and non-Windows DCs.
- Includes a new group policy to allow noncompliant device accounts (those that use vulnerable Netlogon secure channel connections). Even when DCs are running in enforcement mode or after the enforcement phase starts, allowed devices will not be refused connection.
- Includes the FullSecureChannelProtection registry key to enable DC enforcement mode for all machine accounts (the enforcement phase will update DCs to DC enforcement mode).
- Includes new events logged when accounts are denied, or would be denied, in DC enforcement mode (these continue in the enforcement phase).

See below:

Sources

What is Zerologon?, Trend Micro
Microsoft KB4565351
Microsoft KB4566782
Microsoft KB4571694
Microsoft KB4571702
Microsoft KB4571719
Microsoft KB4571723
Zerologon vulnerability, Microsoft
Zerologon exploitation, Segurança Informática
Zerologon white paper, Secura