Microsoft Netlogon exploitation continues to rise

Cisco Talos is tracking a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation-of-privilege bug in Netlogon outlined in the August Microsoft Patch Tuesday report. The vulnerability stems from a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol, which — among other things — can be used to update computer passwords by forging an authentication token for specific Netlogon functionality. This flaw allows attackers to impersonate any computer, including the domain controller itself, and gain access to domain admin credentials.

Typical Netlogon communication:


Client sends a client challenge, which includes an eight-byte challenge.
Server responds with a server challenge, including its own eight-byte challenge.
Client and server compute a shared session key.
Client encrypts its challenge with the shared session key, producing a client credential.
Server encrypts its challenge with the shared session key, producing a server credential.

The cryptographic primitive used by the client and server to generate credential values is implemented in the function `ComputeNetlogonCredential`, which takes the eight-byte challenge as input and transforms it with the secret session key, producing an output of equal length. This mode encrypts each byte of the plaintext by:


Prepending a 16-byte IV to the plaintext and applying AES to the first 16 bytes.
Taking the first byte of the AES output, XORing it with the next plaintext byte, and repeating until all bytes of the plaintext have been encrypted.
Discarding the IV.

The IV is not randomly generated but fixed, and will always consist of 16 null bytes. Thus a crafted plaintext of all nulls has a one-in-256 chance of returning an all-null ciphertext. This can be exploited by sending a crafted server r ..
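The mode described above is AES-CFB8. The following Go program is an added illustration written for this page; it is not Talos's or Microsoft's code. It models `ComputeNetlogonCredential` as AES-CFB8 over an eight-byte challenge with the fixed all-zero IV, then shows why the one-in-256 figure holds: with a zero IV and a zero challenge the 16-byte window fed to AES never changes as long as the output stays zero, so the whole credential is zero exactly when the first byte of AES_k(0^16) is zero. The session keys here are random 16-byte values generated for the demonstration (the real protocol derives the session key differently); the function and variable names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// cfb8Encrypt models the mode the article describes: the IV is the initial
// 16-byte window, AES encrypts the window, the first output byte is XORed
// with the next plaintext byte, and the ciphertext byte is shifted into the
// window. The IV itself is never emitted.
func cfb8Encrypt(block cipher.Block, iv, plaintext []byte) []byte {
	window := make([]byte, aes.BlockSize)
	copy(window, iv)
	keystream := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(keystream, window)
		out[i] = p ^ keystream[0]
		copy(window, window[1:]) // slide the window left by one byte
		window[aes.BlockSize-1] = out[i]
	}
	return out
}

// cfb8Decrypt is the inverse: the window is fed ciphertext bytes, so only
// the block cipher's encrypt direction is needed, as in every CFB variant.
func cfb8Decrypt(block cipher.Block, iv, ciphertext []byte) []byte {
	window := make([]byte, aes.BlockSize)
	copy(window, iv)
	keystream := make([]byte, aes.BlockSize)
	out := make([]byte, len(ciphertext))
	for i, c := range ciphertext {
		block.Encrypt(keystream, window)
		out[i] = c ^ keystream[0]
		copy(window, window[1:])
		window[aes.BlockSize-1] = c
	}
	return out
}

// netlogonCredential is a model (not Microsoft's implementation) of
// ComputeNetlogonCredential: the 8-byte challenge under AES-CFB8 with the
// session key and a fixed all-zero IV.
func netlogonCredential(sessionKey, challenge []byte) []byte {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		panic(err)
	}
	zeroIV := make([]byte, aes.BlockSize) // the flaw: fixed, never random
	return cfb8Encrypt(block, zeroIV, challenge)
}

func isAllZero(b []byte) bool {
	for _, x := range b {
		if x != 0 {
			return false
		}
	}
	return true
}

// predictsZeroCredential captures the 1-in-256 argument: with zero IV and
// zero challenge, every step encrypts the same all-zero window while the
// output stays zero, so the credential is all zeros iff AES_k(0^16)[0] == 0.
func predictsZeroCredential(sessionKey []byte) bool {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		panic(err)
	}
	first := make([]byte, aes.BlockSize)
	block.Encrypt(first, make([]byte, aes.BlockSize))
	return first[0] == 0
}

// randomKey returns a constructed 16-byte session key for the demonstration.
func randomKey() []byte {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// zeroCredentialFraction measures, over random session keys, how often an
// all-zero challenge yields an all-zero credential; expect roughly 1/256.
func zeroCredentialFraction(trials int) float64 {
	hits := 0
	zeroChallenge := make([]byte, 8)
	for i := 0; i < trials; i++ {
		if isAllZero(netlogonCredential(randomKey(), zeroChallenge)) {
			hits++
		}
	}
	return float64(hits) / float64(trials)
}

func main() {
	fmt.Printf("fraction of keys giving an all-zero credential: %.4f (1/256 = %.4f)\n",
		zeroCredentialFraction(20000), 1.0/256)
}
```

The contrast worth noting for defenders is that a random IV would change the window at every step, so an all-zero ciphertext would require eight independent first-byte coincidences (about 2^-64), which is why fixing the IV collapses the cost of guessing to a handful of attempts and why the patched protocol enforcement matters rather than any change on the client side.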
