Proof-of-concept code has recently become available online that abuses security vulnerabilities in Microsoft's Active Directory to escalate privileges. On November Patch Day, the Redmond-based company released an update that closes the vulnerabilities in the service. Microsoft therefore urges administrators to install the AD updates.
The vulnerabilities are easy to exploit
The Redmond-based company describes how easy it is to obtain domain administrator rights by exploiting the two holes. Active Directory contains user and computer accounts. Each has, among other attributes, a sAMAccountName (SAM account name); computer accounts conventionally carry a trailing $, for example CLIENT1$. There is, however, no restriction that enforces the use of the trailing $ in SAM account names.
The first vulnerability seems harmless at first glance (CVE-2021-42278, rated High): in the default AD configuration, a user may join up to ten computer accounts to the domain. Microsoft explains that, as the owner of such a computer account, the user can also change its sAMAccountName.
The second vulnerability lies in AD's Kerberos authentication (CVE-2021-42287, High). Ticket Granting Tickets (TGT) and Ticket Granting Service tickets (TGS) are requested from the Key Distribution Center (KDC). If the KDC does not find the account named in a TGS request, it repeats the search with a $ appended to the name.
Connecting the loose ends
The combination of these two holes is explosive: if the domain controller has the SAM account name DC01$, the attacker can create a new computer account and rename its SAM account name to DC01. He then requests a Kerberos TGT for it and afterwards renames the computer account to a different name again. With the TGT for DC01 in hand, the attacker initiates a TGS request. The Key Distribution Center does not find the account DC01 and automatically appends the $; the search now succeeds and the attacker is granted the domain controller's rights.
Install updates and log events
In a blog post, Microsoft recommends installing the updates available since November, because a proof-of-concept tool that exploits the combination of the vulnerabilities has been released. In addition, the company describes how such manipulations can be monitored with the "advanced hunting" functionality of Microsoft 365 Defender.
Since sAMAccountName changes are recorded under event ID 4662, administrators should make sure that this event is actually being logged. This exposes potential attacks in the Windows event logs.
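To make the name-collision mechanism and the two monitoring checks concrete, here is an added example in Python. It is not code from the article or from Microsoft: it models the pre-patch KDC name search described above (exact match, then one retry with "$" appended), models the patched behaviour as a SID consistency check between the ticket and the resolved account (an assumption of this example, not something the article states), and then audits a directory snapshot and a list of rename records for the two patterns the article warns about. All account names, SIDs and rename records are constructed for the example, and the rename records use a simple from/to layout rather than the literal event ID 4662 format.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    sam: str            # sAMAccountName
    sid: str            # object SID (constructed values below)
    kind: str           # "user" or "computer"
    is_dc: bool = False  # account belongs to a domain controller


@dataclass
class Ticket:
    """A TGT reduced to the two fields that matter for this model."""
    cname: str  # client name the KDC sees in the TGS request
    sid: str    # SID of the account the TGT was originally issued to


def kdc_lookup(directory: List[Account], name: str) -> Optional[Account]:
    """Name search as the article describes it for the unpatched KDC:
    exact (case-insensitive) match first, then one retry with '$' appended."""
    for acct in directory:
        if acct.sam.lower() == name.lower():
            return acct
    if not name.endswith("$"):
        return kdc_lookup(directory, name + "$")
    return None


def kdc_resolve_tgs(directory: List[Account], ticket: Ticket, patched: bool) -> Optional[Account]:
    """Resolve the client of a TGS request.
    Unpatched: return whatever the name search yields.
    Patched (modelled here as a SID check, an assumption of this example):
    the resolved account must carry the SID recorded in the TGT."""
    acct = kdc_lookup(directory, ticket.cname)
    if acct is None:
        return None
    if patched and acct.sid != ticket.sid:
        return None
    return acct


def audit_accounts(directory: List[Account]):
    """Flag computer accounts without a trailing '$', and any account whose
    name plus '$' matches a domain controller's sAMAccountName."""
    dc_names = {a.sam.lower() for a in directory if a.is_dc}
    findings = []
    for a in directory:
        if a.kind == "computer" and not a.sam.endswith("$"):
            findings.append((a.sam, "computer account without trailing $"))
        if not a.sam.endswith("$") and (a.sam + "$").lower() in dc_names:
            findings.append((a.sam, "name collides with domain controller"))
    return findings


def audit_renames(renames: List[Dict[str, str]], dc_names) -> List[Dict]:
    """Screen sAMAccountName change records (constructed 'from'/'to' layout)
    for a dropped '$' and for a new name that shadows a domain controller."""
    dcs = {n.lower() for n in dc_names}
    flagged = []
    for rec in renames:
        reasons = []
        if rec["from"].endswith("$") and not rec["to"].endswith("$"):
            reasons.append("trailing $ removed")
        if not rec["to"].endswith("$") and (rec["to"] + "$").lower() in dcs:
            reasons.append("new name shadows a domain controller")
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged


# Constructed directory snapshot at the moment of the TGS request: the
# attacker-owned computer account has already been renamed away from "DC01".
SNAPSHOT = [
    Account("DC01$", "S-1-5-21-1111-2222-3333-1000", "computer", is_dc=True),
    Account("CLIENT1$", "S-1-5-21-1111-2222-3333-1104", "computer"),
    Account("WS-RENAMED$", "S-1-5-21-1111-2222-3333-1105", "computer"),
    Account("alice", "S-1-5-21-1111-2222-3333-1106", "user"),
]
# The same snapshot while the computer account still carried the name "DC01".
SNAPSHOT_DURING_RENAME = SNAPSHOT + [
    Account("DC01", "S-1-5-21-1111-2222-3333-1105", "computer"),
]
# TGT issued to the attacker's account (SID ...-1105) while it was named DC01.
TGT_FOR_DC01 = Ticket("DC01", "S-1-5-21-1111-2222-3333-1105")
# Constructed rename records; only the first one is suspicious.
RENAME_LOG = [
    {"from": "WS01$", "to": "DC01"},
    {"from": "DC01", "to": "WS-RENAMED$"},
    {"from": "CLIENT1$", "to": "CLIENT2$"},
]

if __name__ == "__main__":
    print("unpatched resolves to:", kdc_resolve_tgs(SNAPSHOT, TGT_FOR_DC01, patched=False))
    print("patched resolves to:", kdc_resolve_tgs(SNAPSHOT, TGT_FOR_DC01, patched=True))
    print("account audit:", audit_accounts(SNAPSHOT_DURING_RENAME))
    print("rename audit:", audit_renames(RENAME_LOG, ["DC01$"]))
```

Run as a script, the unpatched lookup resolves the ticket for "DC01" to the domain controller account DC01$, while the patched model rejects it because the SIDs differ; the two audits catch the collision both in the directory (while the renamed account exists) and in the rename records (when the "$" is dropped and the new name matches a DC). In a real environment the rename records would come from the 4662 events the article refers to, or from the Defender hunting data.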