Zerologon…Way More 1337 than Zero Cool
When a vulnerability hits 10 out of 10 on the Common Vulnerability Scoring System (CVSS), people pay attention, and so should you. CVE-2020-1472 did just that: it hit a 10 and is dubbed the “perfect” exploit by Tara Seals, author at ThreatPost.com. While this exploit requires network access to already be established, it allows an attacker to obtain the “keys to the kingdom,” a.k.a. Domain Admin. With domain admin credentials, an attacker can do pretty much whatever they want on that domain: create new accounts, delete accounts, turn off security services, crawl through the network and pilfer pretty much any and all data that is under the purview of that domain.
A whitepaper authored by Tom Tervoort (found here) provides a full walkthrough of how the vulnerability was found and how it can potentially be exploited. Thanks to some really smart people, Proof-of-Concept (POC) code can be found here on GitHub.
It really comes down to this: a specific function, ComputeNetlogonCredential, in Microsoft’s Netlogon process has a flaw. Microsoft Netlogon uses the encryption scheme AES-CFB8; however, instead of requiring a random 16 bit Initialization Vector (IV), those 16 bits can be fixed, allowing an attacker to control the plaintext fed to the encryption scheme and in turn control the ciphertext. In this case, feed AES-CFB8 all 0s in plaintext and you get all 0s in ciphertext. This defeats the purpose of an encryption algorithm and is at the heart of this flaw.
The lesson to be learned here is that even when you’re doing everything right (robust perimeter defenses, network and host-based intrusion systems in place, patching and even SOAR, if you remember my previous article, implemented), all it takes is a “plumber” to come along and slip a thumb-drive into the network and boom, all your base are belong to us. This exploit isn’t just another privilege escalation, it’s the ultimate privesc. An attacker already in the network who can’t seem to crack the dumped hashes they pilfered from your workstation need look no further, Zerologon to the rescue. No need to crack your “ThereIsNoSpoon” password, just run a quick script and boom, IDDQD. (hint: port 666)
So what can we do as defenders of a network? Anomaly detection, for one. Has a new account been created at an odd time, say midnight when no one should be there? Has a massive amount of data started walking out the front door when the network is typically quiet? Looking for these subtle changes can help detect the bad when you’ve done everything right. Don’t just rely on the alerts from our robot overlords; dig into the data and look for the oddities. After all, that’s how one of the most notorious worms ever developed was found: Conficker.