Windows Privilege Escalation: sAMAccountName Spoofing
This post discusses how CVE-2021-42278 allows potential attackers to gain high privileged user access (domain controllers Administrator level access) via a low privileged user (any normal Domain user)
Description: Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291.
Release Date: Nov 9, 2021
Impact: Elevation of Privilege
CVSS score: 8.8
Pentest Lab setup
In the lab, we’ll use a Kali VM as the attacker machine and a Windows domain controller (affected Windows platforms are listed above in the article) that hasn’t been patched since November 9, 2021, as the victim/target machine.
Now, as you can see, a user with normal domain user privileges has been created in the test Domain Controller lab setup.
The below command can be run on the Domain Controller to check user details, and as you can see, the user is a normal domain user (highlighted in red).
net user sakshi
Now on your attacker system, which is Kali VM, you have to clone the exploit from the git repository provided below.
git clone https://github.com/Ridter/noPac
After cloning the repo https://github.com/Ridter/noPac, navigate to the noPac folder
cd noPac ls -al
And then execute the command
python3 noPac.py ignite.local/sakshi:'Password@1' -dc-ip 192.168.1.182 -shell --impersonate administrator -use-ldap
This CVE is a security bypass vulnerability that is caused by Kerberos’s PAC confusion and impersonation of domain controllers.
It allows potential attackers to impersonate domain controllers by requesting TGT’s from Kerberos without a PAC, and the moment TGT is issued without issuing PACs, the attacker can impersonate as a highly privileged user.
Now, to get a DC to add a PAC when a service ticket (ST) was requested using a TGT without a PAC was achieved by configuring the “altSecurityIdentities“ attribute.
This process involves modifying the altSecurityIdentities attribute of an account in a foreign domain to Kerberos:[samaccountname]@[domain] to impersonate that user.
As you can see when the above command is executed, the output shows that the attacker machine (Kali VM) has acquired “NT AUTHORITY\System” privileges.
KB5008602 – https://support.microsoft.com/en-us/topic/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7
KB5008380 – https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
Author details: Amit Kishor is having 10 plus years of Network Security experience with expertise on multiple Firewall products as well as SaaS products. Can be contacted on LinkedIn