Categories

Archives

Red Teaming

Windows Privilege Escalation: sAMAccountName Spoofing

This post discusses how CVE-2021-42278 allows potential attackers to gain high privileged user access (domain controllers Administrator level access) via a low privileged user (any normal Domain user)

Description: Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291.

Release Date: Nov 9, 2021

Impact: Elevation of Privilege

Severity: Important

CVSS score: 8.8

Pentest Lab setup

In the lab, we’ll use a Kali VM as the attacker machine and a Windows domain controller (affected Windows platforms are listed above in the article) that hasn’t been patched since November 9, 2021, as the victim/target machine.

Now, as you can see, a user with normal domain user privileges has been created in the test Domain Controller lab setup.

The below command can be run on the Domain Controller to check user details, and as you can see, the user is a normal domain user (highlighted in red).

net user sakshi

Exploitation

Now on your attacker system, which is Kali VM, you have to clone the exploit from the git repository provided below.

git clone https://github.com/Ridter/noPac

After cloning the repo https://github.com/Ridter/noPac, navigate to the noPac folder

cd noPac
ls -al

And then execute the command

python3 noPac.py ignite.local/sakshi:'Password@1' -dc-ip 192.168.1.182 -shell --impersonate administrator -use-ldap

This CVE is a security bypass vulnerability that is caused by Kerberos’s PAC confusion and impersonation of domain controllers.

It allows potential attackers to impersonate domain controllers by requesting TGT’s from Kerberos without a PAC, and the moment TGT is issued without issuing PACs, the attacker can impersonate as a highly privileged user.

Now, to get a DC to add a PAC when a service ticket (ST) was requested using a TGT without a PAC was achieved by configuring the  altSecurityIdentities attribute.

This process involves modifying the altSecurityIdentities attribute of an account in a foreign domain to Kerberos:[samaccountname]@[domain] to impersonate that user.

As you can see when the above command is executed, the output shows that the attacker machine (Kali VM) has acquired “NT AUTHORITY\System” privileges.

Mitigation

KB5008602 – https://support.microsoft.com/en-us/topic/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7

KB5008380 – https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

References:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42287

Author details: Amit Kishor is having 10 plus years of Network Security experience with expertise on multiple Firewall products as well as SaaS products.  Can be contacted on LinkedIn