Nintendo-Power

Daily Gaming news, videos, reviews, tips & guides. Let's share our love of BigN games!

Microsoft recommends fast linking of active directories

Microsoft recommends fast linking of active directories

Proof-of-concept code has recently become available online, which misuses security holes in Microsoft’s Active Directory to extend rights. On November Patch Day, the Redmond-based company released an update that closes vulnerabilities in the service. Microsoft therefore urges you to import updates for AD.

Redmond-based company describes how easy it is to use spaces to obtain domain administrator rights. The active directory contains user and system accounts. These include, among other things, the sAMAccountName (SAM account) – computers that traditionally have $ at the end of the SAM account, for example CLIENT1$. There are no restrictions or restrictions on the use of the $ signature on SAM account names.

The first vulnerability seems harmless at first (CVE-2021-42278, High) In the AD standard configuration, a user can transfer up to ten system accounts. Microsoft explains that the user can also change sAMAccountName as the owner of such a computer account.

Second vulnerability AD (Kerberos accreditation in CVE-2021-42287) High) Ticket issuing ticket (TGT) and ticket issuing service (TGS) are requested from the main distribution center (KDC). If KDC does not find an account in the TGS request, repeat the search with the attached $ code.

The combination of these two holes will explode: if the domain controller has a SAM account DC01$ The attacker can create a new computer account and save its SAM account DC01 Rename. This triggers Kerberos’ request for a ticket, which then assigns a different name to the system account in the SAM account.

See also  Hundreds of accounts were closed without a refund

With TGT obtained DC01 The attacker then initiates the TGS request. The Key Distribution Center could not find the system account and automatically adds the $ code – the search is now successful and the attacker is granted rights. DC01$: Domain-Administrator.

In one Blog post Recommended by MicrosoftTo install updates available from November, the concept tool was released to take advantage of a mix of vulnerabilities. In addition, the company describes how such manipulations can be monitored through Microsoft’s 365-Defender “advanced hunting” functionality.

Since the SAM account name changes are associated with event ID 4662, administrators should confirm that this event is logged in. This will expose potential attacks on Windows logs.


(dmk)

To the home page