CATEGORIES
home News

Dangerous Zerologon Domain Controller Exploit Discovered In Windows Active Directory

by Nathan OrdTuesday, September 15, 2020, 11:41 AM EDT
cybersecurity lock
Secura digital security advisors and researchers, have discovered a highly critical vulnerability with Active Directory domain controllers. Rated as a 10 of 10 on the Common Vulnerability Scoring System (CVSS), this exploit, dubbed Zerologon, allows nefarious people to take over the domain controller and execute privilege escalations.

The Zerologon exploit takes advantage of how the Netlogon Remote Protocol works. Typically, this protocol is used for machine and user authentication, as well as updating passwords within a domain. To utilize this exploit, one only needs to set up a TCP connection to the domain controller (DC) and you can spoof a client to go from there.

This client spoofing works over three main parts. The first part is initially tricking the DC into authenticating a session with the client compute. With this, session keys are brute forced since DCs do not terminate accounts after multiple invalid login attempts. This allows for login as any computer on the domain. In part two, typically, session keys are encrypted, but since the compromised device is a “client on the network,” one can disable this encryption by not setting a flag on the authentication calls. Now that encryption is disabled, and because of data sent earlier with the session authentication, clients can authenticate with an amalgamation of that data to get into the DC.
hero access granted
Once a compromised client is in the DC and can act as any computer, one can make a call to set empty passwords which is entirely allowed. The passwords that are changed are only changed locally though, not on the Active Directory, so authentication for direct login is not possible. However, using the local password on the DC can allow for extracting user hashes which can be exploited in their own way once acquired.

This is a highly dangerous exploit as any device on a network with an unpatched domain controller can be exploited. As it is highly dangerous, Microsoft subsequently rated it the highest possible rating of 10 on the CVSS. Microsoft has also shoved a new patch out, so administrators need to download that as fast as possible to fix this. If you want to read up on this exploit from Secura, you can do so here.
Tags:  Windows, vulnerability, exploit, cybersecurity, (nasdaq:msft), zerologon, active directory
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2023 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment