Dangerous Zerologon Domain Controller Exploit Discovered In Windows Active Directory
Secura digital security advisors and researchers, have discovered a highly critical vulnerability with Active Directory domain controllers. Rated as a 10 of 10 on the Common Vulnerability Scoring System (CVSS), this exploit, dubbed Zerologon, allows nefarious people to take over the domain controller and execute privilege escalations.
The Zerologon exploit takes advantage of how the Netlogon Remote Protocol works. Typically, this protocol is used for machine and user authentication, as well as updating passwords within a domain. To utilize this exploit, one only needs to set up a TCP connection to the domain controller (DC) and you can spoof a client to go from there.
This client spoofing works over three main parts. The first part is initially tricking the DC into authenticating a session with the client compute. With this, session keys are brute forced since DCs do not terminate accounts after multiple invalid login attempts. This allows for login as any computer on the domain. In part two, typically, session keys are encrypted, but since the compromised device is a “client on the network,” one can disable this encryption by not setting a flag on the authentication calls. Now that encryption is disabled, and because of data sent earlier with the session authentication, clients can authenticate with an amalgamation of that data to get into the DC.
Once a compromised client is in the DC and can act as any computer, one can make a call to set empty passwords which is entirely allowed. The passwords that are changed are only changed locally though, not on the Active Directory, so authentication for direct login is not possible. However, using the local password on the DC can allow for extracting user hashes which can be exploited in their own way once acquired.
This is a highly dangerous exploit as any device on a network with an unpatched domain controller can be exploited. As it is highly dangerous, Microsoft subsequently rated it the highest possible rating of 10 on the CVSS. Microsoft has also shoved a new patch out, so administrators need to download that as fast as possible to fix this. If you want to read up on this exploit from Secura, you can do so here.