{"id":17992,"date":"2022-02-02T10:18:53","date_gmt":"2022-02-02T18:18:53","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11725\/"},"modified":"2022-02-02T10:18:53","modified_gmt":"2022-02-02T18:18:53","slug":"news-11725","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11725\/","title":{"rendered":"From User to Domain Admin in (less than) 60 seconds: CVE-2021-42278\/CVE-2021-42287"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs.html?utm_source=blog&amp;utm_medium=campaign&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a>\u00a0Threat\u00a0Research Report<\/h2>\n<p><b>Affected Platforms:<\/b> Windows<br \/> <b>Impacted Users: <\/b>Any organization with an Active Directory environment<br \/> <b>Impact: <\/b>Unprivileged user can escalate privileges to domain administrator<br \/> <b>Severity Level: <\/b>Critical<br \/> \u00a0<\/p>\n<p>On Patch Tuesday of last November, Microsoft released advisories to address several vulnerabilities in Active-Directory. Analysis of these vulnerabilities showed that by combining CVE-2021-42278 and CVE-2021-42287 it is possible, under default conditions, for a regular user to easily impersonate a domain admin. This means that any domain user can effectively become a domain administrator, which makes these vulnerabilities extremely severe. 
Moreover, there are already several GitHub repositories with free-to-use PoC code that facilitates the exploitation of these vulnerabilities.<\/p>\n<p>In this post, we will describe how the exploitation of these vulnerabilities works and show how the attack is mitigated by FortiEDR.<\/p>\n<h2>CVE-2021-42278 &#8211; Invalid Computer Account Name<\/h2>\n<p>Computer account names in Active Directory environments should always end with \u201c$\u201d; however, this is not enforced correctly. The computer account name attribute is \u201csAMAccountName\u201d. It is possible to see and edit this attribute manually using the ADSIEdit Tool, as can be seen in Figure 1.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/cve-2021-42278-cve-2021-42287-from-user-to-domain-admin-60-seconds\/_jcr_content\/root\/responsivegrid\/image.img.png\/1641341664652\/img1.png\" alt=\"Figure 1: Editing computer account name attribute using ADSIEdit\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: Editing computer account name attribute using ADSIEdit<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>On vulnerable machines it is possible to rename a computer account to a domain controller account name, which is a key step in the exploitation chain.<\/p>\n<h2>Service Principal Name<\/h2>\n<p>A service principal name (SPN) is the name that identifies an authenticated entity\u2014for example, machinename$@domainname. 
<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/ad\/service-principal-names#:~:text=A%20service%20principal%20name%20(SPN,with%20a%20service%20logon%20account.&amp;text=The%20installer%20then%20composes%20the,in%20Active%20Directory%20Domain%20Services.\" target=\"_blank\">SPN<\/a>s are used by Kerberos as part of the authentication procedures of various entities. It is basically a unique identifier of a service instance and used by Kerberos authentication to associate a service instance with a service logon account.<\/p>\n<p>This may pose a problem when trying to rename a computer account to a domain controller account because changing the samAccountName attribute will trigger a respective change to the SPN of the account. The attempt to change it will fail because an SPN with this name already exists. To overcome this, it is possible to clear the machine \u201cservicePrincipalName\u201d attribute. As a result, privilege to edit the \u201cservicePrincipalName\u201d attribute is also required to exploit this vulnerability.<\/p>\n<h2>CVE-2021-42287 &#8211; Kerberos Key Distribution Center Confusion<\/h2>\n<p>The Kerberos Key Distribution Center (KDC) is a service of Active Directory that handles Kerberos ticket requests. A Ticket-Granting Ticket, or TGT, is a special type of ticket that can be used to obtain other tickets. TGT is used to request access tokens from the Ticket Granting Service (TGS) for specific resources\/systems in the domain. When a request for a service ticket is sent and it is not found, the KDC will automatically lookup the requested ticket appended with \u201c$\u201d.<\/p>\n<p> S4U2self, or Service for User to Self, is an extension that allows a service to obtain a Kerberos service ticket for itself. The service ticket contains the user&#8217;s groups and can therefore be used in authorization decisions. 
All Active Directory terms and full explanations can be found <a href=\"https:\/\/docs.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-sfu\/4a624fb5-a078-4d30-8ad1-e9ab71e0bc47#gt_2214804a-4a44-46f4-b6d2-a78f4ff39a39\" target=\"_blank\">here<\/a>.<\/p>\n<p>The vulnerability can be triggered in a scenario where a user obtains a TGT, the user gets removed, and the previously obtained TGT is used to request a service ticket for another user for themselves\u2014basically, S4U2self. In this case, the user will not be found and a lookup for the user with appended \u201c$\u201d will be executed. And if a domain controller account with the name exists, a service ticket will be granted to the requesting user, making the requesting user a domain administrator.<\/p>\n<h2>Combining the Vulnerabilities<\/h2>\n<p>To exploit this issue, an attacker needs the ability to control a computer account. As mentioned, the attacker needs to be able to modify both the \u201cservicePrincipalName\u201d attribute and \u201csAMAccountName\u201d attribute. The simplest way to achieve this is to create one. The default configuration in a domain allows an unprivileged user to create up to 10 computer accounts. This is controlled by the MachineAccountQuota attribute.<\/p>\n<p>In summary, the steps to exploit these vulnerabilities to gain domain-administrator privileges are as follows:<\/p>\n<p style=\"margin-left: 40.0px;\">1. Enumerate the Active-Directory to find a domain administrator account.<br \/> 2. Create a new computer account with cleared \u201cservicePrincipalName\u201d.<br \/> 3. Leverage CVE-2021-42278 to modify the \u201csAMAccountName\u201d to the domain administrator account name.<br \/> 4. Get a TGT of the computer account.<br \/> 5. Restore the computer account name so it will not be found when the KDC looks for it.<br \/> 6. Leverage CVE-2021-42287 using the obtained TGT to request a service ticket with S4U2Self. 
<\/p>\n<p>Implementation of the exploit can be found <a href=\"https:\/\/github.com\/WazeHell\/sam-the-admin\" target=\"_blank\">here<\/a>. Figure 2, below, shows the execution of the exploit code against a vulnerable server:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/cve-2021-42278-cve-2021-42287-from-user-to-domain-admin-60-seconds\/_jcr_content\/root\/responsivegrid\/image_282776045.img.png\/1641341842449\/img2.png\" alt=\"Figure 2: Exploitation of CVE-2021-42278 \/ CVE-2021-42287 vulnerabilities\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Exploitation of CVE-2021-42278 \/ CVE-2021-42287 vulnerabilities<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Protecting Against Exploitation<br \/> <\/h2>\n<p>The combination of CVE-2021-42278 and CVE-2021-42287 vulnerabilities enables unprivileged users to easily become domain administrators. As a result, we urge organizations to apply Microsoft patches <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041\" target=\"_blank\">KB5008380<\/a> and <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7\" target=\"_blank\">KB5008602<\/a> as soon as possible to mitigate the issue.<\/p>\n<p>FortiEDR is able to detect and block exploitation attempts of CVE-2021-42278 and CVE-2021-42287 vulnerabilities. 
Moreover, it is also capable of tracing the source of the attack:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/cve-2021-42278-cve-2021-42287-from-user-to-domain-admin-60-seconds\/_jcr_content\/root\/responsivegrid\/image_226981654.img.png\/1641342033648\/img3.png\" alt=\"Figure 3: Attempt to exploit the vulnerabilities from a workstation in the domain\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: Attempt to exploit the vulnerabilities from a workstation in the domain<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>FortiGuard IPS protects against these exploits with the following signature:<\/p>\n<p style=\"margin-left: 80.0px;\">MS.Active.Directory.SAM.Privilege.Escalation<\/p>\n<p>These exploits are detected and prevented in\u00a0FortiGuard IPS DB 19.228 (FortiGate, FortiADC, FortiProxy) and FortiEDR 5.0.\u00a0 Please ensure your devices have downloaded the latest protections.<\/p>\n<p>For more detail and information on threat hunting across the Fortinet Security Fabric, please see the\u00a0<a href=\"https:\/\/www.fortiguard.com\/outbreak-alert\/ad-privilege-escalation\" title=\"https:\/\/www.fortiguard.com\/outbreak-alert\/ad-privilege-escalation\">FortiGuard Outbreak Alert<\/a>.<\/p>\n<h2>Appendix<\/h2>\n<ul>\n<li><a href=\"https:\/\/shenaniganslabs.io\/2019\/01\/28\/Wagging-the-Dog.html#solving-a-sensitive-problem\" target=\"_blank\">https:\/\/shenaniganslabs.io\/2019\/01\/28\/Wagging-the-Dog.html#solving-a-sensitive-problem<\/a><\/li>\n<li><a href=\"https:\/\/exploit.ph\/cve-2021-42287-cve-2021-42278-weaponisation.html\" 
target=\"_blank\">https:\/\/exploit.ph\/cve-2021-42287-cve-2021-42278-weaponisation.html<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-sfu\/4a624fb5-a078-4d30-8ad1-e9ab71e0bc47#gt_2214804a-4a44-46f4-b6d2-a78f4ff39a39\" target=\"_blank\">https:\/\/docs.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-sfu\/4a624fb5-a078-4d30-8ad1-e9ab71e0bc47#gt_2214804a-4a44-46f4-b6d2-a78f4ff39a39<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/WazeHell\/sam-the-admin\" target=\"_blank\">https:\/\/github.com\/WazeHell\/sam-the-admin<\/a><\/li>\n<\/ul>\n<div><i>Learn more about\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=FortiGuardLabs\"><i>FortiGuard Labs<\/i><\/a><i>\u00a0global threat intelligence and research and the\u00a0<\/i><a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/fortiguard-services-bundles.html?utm_source=blog&amp;utm_campaign=fortiguard-service-bundles\"><i>FortiGuard Security Subscriptions and Services<\/i><\/a><i>\u00a0portfolio.<\/i><\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/cve-2021-42278-cve-2021-42287-from-user-to-domain-admin-60-seconds\/_jcr_content\/root\/responsivegrid\/image.img.png\/1641341664652\/img1.png\"\/><br \/>FortiGuard Labs analyzes vulnerabilities in Microsoft Active Directory (CVE-2021-42278 and CVE-2021-42287). 
Analysis shows that by combining them, it is possible for a regular user to easily impersonate a domain admin. Learn more about the exploitation of these vulnerabilities.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-17992","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17992","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17992"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17992\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17992"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17992"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17992"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}