Known as noPac (or the sAMAccountName spoofing attack), a pair of vulnerabilities in Windows Active Directory allows an attacker to take complete control of a domain. Although both issues, CVE-2021-42278 and CVE-2021-42287, were disclosed and patched in November 2021, they initially drew little attention because no working proof of concept was available. That changed in the following weeks with the release of several scripts that chain the two flaws and, with a single command, take control of the domain controller remotely.
The first public proofs of concept appeared on 12 December 2021, exposing the many environments that had likely not yet applied the updates. The vulnerabilities had originally been rated medium-to-high severity; the rating was raised to high once the initial PoC (proof of concept) became public. Every supported version of Windows Server acting as a domain controller is affected, because the flaw lies not in the server role itself but in the Kerberos Key Distribution Center (KDC) and in the validation of account names stored in the sAMAccountName attribute, which is fundamental to Active Directory.
In November 2021, Microsoft published the following updates to mitigate these weaknesses:
- KB5008102, which mitigates CVE-2021-42278 (sAMAccountName spoofing)
- KB5008380, which mitigates CVE-2021-42287 (the KDC name-lookup fallback described below).
Overall, the attack abuses a behaviour of the Kerberos KDC: when the KDC cannot find an account matching the name presented in a ticket, it appends a $ sign to the name and looks again, because computer accounts conventionally carry that suffix. This is how the KDC decides whether the principal requesting authentication or a ticket is a computer account.
For context, Kerberos authentication is built around the distribution of tickets to users and services, which lets them authenticate to other components without repeatedly presenting their credentials.
To do so, a client first obtains a TGT (Ticket Granting Ticket), which it presents back to the KDC to request service tickets; those tickets prove to each service that the user is who they claim to be and carry the authorization data (the PAC) that determines the user's permissions. Only a domain controller, which runs the KDC, can issue a TGT.
The problem arises when a TGT has been issued for an account that is then renamed or deleted. When that TGT is later used, the KDC searches for the account name, fails, and retries with the $ suffix, the first behaviour described above. An attacker can therefore impersonate the domain controller: create (or rename) a computer account whose sAMAccountName equals the domain controller's name without the $, which an unpatched DC accepts because it does not require the suffix on computer accounts, request a TGT for that name, and then rename or delete the account. A subsequent S4U2self request made with the stale TGT is resolved to the real domain controller's computer account, and the KDC issues a service ticket as the domain controller on behalf of any user, including a domain administrator.
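The chain above, modelled as a small simulation (an added example written for this article, not Microsoft code and not one of the published PoC scripts). The domain controller name DC01, the user names, the ticket structure and the single `patched` flag standing in for both KB5008102 and KB5008380 are assumptions for the illustration; the model also carries the ms-DS-MachineAccountQuota limit that governs step 1.

```python
"""Toy model of the noPac chain (CVE-2021-42278 + CVE-2021-42287).

Illustrative simulation for this article; names, domain objects and ticket
fields are constructed for the example and do not come from real AD data.
"""
from dataclasses import dataclass
from typing import Dict, Optional

DC_NAME = "DC01"  # assumed domain controller computer name (hypothetical)


@dataclass
class Ticket:
    client: str                         # account name the KDC wrote into the ticket (cname)
    service: str                        # "krbtgt" for a TGT, otherwise the target service account
    impersonated: Optional[str] = None  # set on tickets obtained via S4U2self


class KDC:
    """Minimal Key Distribution Center holding the directory's sAMAccountNames."""

    def __init__(self, patched: bool, machine_account_quota: int = 10):
        self.patched = patched              # KB5008102 + KB5008380 applied?
        self.quota = machine_account_quota  # ms-DS-MachineAccountQuota (AD default is 10)
        self.created = 0
        # sAMAccountName -> object class; computer accounts carry the trailing "$"
        self.accounts: Dict[str, str] = {"Administrator": "user", "alice": "user",
                                         DC_NAME + "$": "computer"}

    # --- directory operations an ordinary domain user may perform -----------
    def add_computer(self, name: str) -> None:
        if self.created >= self.quota:
            raise PermissionError("ms-DS-MachineAccountQuota exhausted")
        self.accounts[name] = "computer"
        self.created += 1

    def rename(self, old: str, new: str) -> None:
        if new in self.accounts:
            raise ValueError("sAMAccountName must be unique")
        # CVE-2021-42278: before KB5008102 the DC does not insist that a computer
        # account's sAMAccountName ends with "$", so "DC01" is accepted.
        if self.patched and self.accounts[old] == "computer" and not new.endswith("$"):
            raise PermissionError("KB5008102: computer sAMAccountName must end with '$'")
        self.accounts[new] = self.accounts.pop(old)

    # --- Kerberos operations ------------------------------------------------
    def lookup(self, cname: str) -> Optional[str]:
        """Resolve a ticket's client name; the "$" retry is CVE-2021-42287."""
        if cname in self.accounts:
            return cname
        fallback = cname + "$"
        return fallback if fallback in self.accounts else None

    def as_req(self, name: str) -> Ticket:
        """AS-REQ: issue a TGT to an account that exists right now."""
        if name not in self.accounts:
            raise LookupError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        return Ticket(client=name, service="krbtgt")

    def s4u2self(self, tgt: Ticket, impersonate: str) -> Ticket:
        """S4U2self: ticket to the TGT holder's own service on behalf of `impersonate`."""
        resolved = self.lookup(tgt.client)
        if resolved is None:
            raise LookupError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        # KB5008380: the account the KDC resolved must be the one the TGT was issued to.
        if self.patched and resolved != tgt.client:
            raise PermissionError("KB5008380: TGT client does not match the resolved account")
        return Ticket(client=resolved, service=resolved, impersonated=impersonate)


def nopac(kdc: KDC) -> Ticket:
    """The attack chain as run by an ordinary domain user against `kdc`."""
    kdc.add_computer("ATTACK$")       # 1. create a computer account (quota permitting)
    kdc.rename("ATTACK$", DC_NAME)    # 2. rename it to the DC's name without "$"
    tgt = kdc.as_req(DC_NAME)         # 3. obtain a TGT for that name
    kdc.rename(DC_NAME, "ATTACK$")    # 4. rename it back: "DC01" no longer exists
    # 5. Use the stale TGT for S4U2self: the KDC cannot find "DC01", appends "$",
    #    and issues a ticket as the real DC with Administrator in the PAC.
    return kdc.s4u2self(tgt, impersonate="Administrator")


if __name__ == "__main__":
    print("unpatched:", nopac(KDC(patched=False)))
    for kdc in (KDC(patched=True), KDC(patched=False, machine_account_quota=0)):
        try:
            nopac(kdc)
        except PermissionError as err:
            print("blocked:", err)
```

Against the unpatched model the chain ends with a ticket whose service and client are `DC01$` and whose impersonated user is `Administrator`; the patched model stops at step 2, and a quota of 0 stops it at step 1 even without the patches.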
Etek International reproduced the attack in a controlled environment to demonstrate its effectiveness and simplicity. Exploitation does require a domain account and network access to the domain controller being impersonated, but the published scripts automate every step, so any internal user account can become the attack vector.
We recommend patching domain controllers urgently and enabling auditing on them to detect changes to sAMAccountName through Event ID 4662 (directory object modified; Event ID 4781, "the name of an account was changed", additionally records the old and new names) and the creation of new computer accounts through Event ID 4741. Setting ms-DS-MachineAccountQuota to 0, so that ordinary users cannot add computer accounts, also removes the easiest way for an attacker to obtain the account the attack needs.
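The detection logic behind that recommendation, run over constructed Security-log records (an added example for this article, not Microsoft's or Etek's code). The records are hand-written to mirror the fields Windows places in Event IDs 4741, 4781 and 4662; the domain controller name DC01 and the user names are assumed. The GUID constant is the schemaIDGUID of the sAMAccountName attribute as it appears in the Properties field of a 4662 event.

```python
"""Flag noPac indicators in Security events 4741 / 4781 / 4662.

Added example for this article. SAMPLE_EVENTS are constructed records, not
real logs; the DC name and user names are assumptions.
"""
from datetime import datetime, timedelta

# schemaIDGUID of the sAMAccountName attribute, listed under Properties in a
# 4662 event when that attribute is written.
SAMACCOUNTNAME_GUID = "3e0abfd0-126a-11d0-a060-00aa006c33ed"


def analyze(events, dc_names, window=timedelta(minutes=10)):
    """Return (severity, message) findings for a chronologically ordered event list."""
    dcs = {n.upper() for n in dc_names}
    recent_creates = {}  # subject -> time of that subject's last 4741
    findings = []
    for e in events:
        eid, when, subj = e["EventID"], e["TimeCreated"], e.get("SubjectUserName", "")
        if eid == 4741:  # computer account created
            recent_creates[subj] = when
            findings.append(("info", f"{subj} created computer account {e['TargetUserName']}"))
        elif eid == 4781:  # account renamed
            old, new = e["OldTargetUserName"], e["NewTargetUserName"]
            if old.endswith("$") and not new.endswith("$"):
                sev, notes = "high", ["trailing '$' dropped"]          # CVE-2021-42278 pattern
                if new.upper() in dcs:
                    sev, notes = "critical", notes + ["new name matches a domain controller"]
                if subj in recent_creates and when - recent_creates[subj] <= window:
                    sev, notes = "critical", notes + ["same subject created a computer account minutes earlier"]
                findings.append((sev, f"{subj} renamed {old} to {new} ({'; '.join(notes)})"))
        elif eid == 4662 and SAMACCOUNTNAME_GUID in e.get("Properties", "").lower():
            findings.append(("medium", f"{subj} wrote sAMAccountName on {e['ObjectName']}"))
    return findings


# Constructed sample: a domain user runs the chain, then a benign domain join an hour later.
T0 = datetime(2021, 12, 13, 9, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 4741, "TimeCreated": T0, "SubjectUserName": "alice",
     "TargetUserName": "ATTACK$"},
    {"EventID": 4662, "TimeCreated": T0 + timedelta(seconds=5), "SubjectUserName": "alice",
     "ObjectName": "CN=ATTACK,CN=Computers,DC=corp,DC=local",
     "Properties": "Write Property {3e0abfd0-126a-11d0-a060-00aa006c33ed}"},
    {"EventID": 4781, "TimeCreated": T0 + timedelta(seconds=5), "SubjectUserName": "alice",
     "OldTargetUserName": "ATTACK$", "NewTargetUserName": "DC01"},
    {"EventID": 4781, "TimeCreated": T0 + timedelta(seconds=20), "SubjectUserName": "alice",
     "OldTargetUserName": "DC01", "NewTargetUserName": "ATTACK$"},
    {"EventID": 4741, "TimeCreated": T0 + timedelta(hours=1), "SubjectUserName": "svc-join",
     "TargetUserName": "WS0042$"},  # legitimate join: name keeps its "$"
]

if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_EVENTS, ["DC01"]):
        print(f"[{severity}] {message}")
```

On a real domain controller the same records come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4741,4781,4662}`; 4741 and 4781 need the account-management audit subcategories enabled, while 4662 is only written when Directory Service Access auditing is on and the computer objects carry a SACL for write access. The rename back to `ATTACK$` deliberately produces no finding on its own: the suffix-dropping rename that precedes it is the signal.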
These recommendations and the detailed technical description are available at the following Microsoft link:
Use cases *:
- Platform management and/or access.
- Tracking the activity of a possible zero-day attack.
- Reconnaissance and/or vulnerabilities.
- Management of users and/or Active Directory groups (privilege abuse).
* These detections are available only to clients who have contracted SOC services.
Learn more in the following sources associated with the news: