Active Directory defaults lead to no-fix PrivEsc vulnerability

Pictured: Mor Davidovich

Researcher publishes proof-of-concept.

A security researcher has published a tool that exploits a security issue for which no patch exists, letting a low-privileged user in a Windows domain escalate to the privileges of the local SYSTEM account.

Called KrbRelayUp, the automated tool builds on the work of other researchers and acts as a wrapper around parts of the Rubeus attacker toolkit and of KrbRelay, a tool for relaying Kerberos network authentication.

EY penetration tester Mor Davidovich, who wrote KrbRelayUp, told iTnews that, with default Active Directory settings, the flaw negates the whole concept of user privileges in the local machine context.

It can potentially allow any locally logged on user to take over computers, and there are many exploit scenarios.

"For example, think of a terminal server where a bunch of domain users log in to the same central server.

"An attacker would use KrbRelayUp to elevate their privileges on the terminal server.

"Once elevated privileges have been obtained, the attacker could access the sessions of all the other users on the terminal server, and by extension, their various privileges in the domain (a lot of techniques can be used to achieve this including RDP session hijacking, token manipulation, LSASS dumping and more)," Davidovich said.

Defenders can block the attack by enforcing Lightweight Directory Access Protocol (LDAP) signing and LDAP channel binding on their domain controllers.

Davidovich has published further mitigation techniques for KrbRelayUp on GitHub, along with detection rules.
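The following PowerShell is an added example, not code from the article or from the KrbRelayUp project, showing how a defender would audit and then enforce the LDAP signing and channel binding settings mentioned above on a domain controller. The registry paths, value names and the Directory Service event IDs are Microsoft's documented ones; the function names are assumptions made for this example. Run it elevated on a DC.

```powershell
# Added example (not from the article or the KrbRelayUp project): audit and enforce
# LDAP signing and channel binding on a domain controller.
# Registry paths and value meanings are Microsoft's documented ones. In production,
# set the same values through Group Policy so they survive the next policy refresh.

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapHardeningState {
    # A missing value means the default: signing not required, channel binding off.
    $p = Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 1 = None (default), 2 = Require signing
        LDAPServerIntegrity       = if ($null -ne $p.LDAPServerIntegrity) { $p.LDAPServerIntegrity } else { 1 }
        # 0 = Never (default), 1 = When supported, 2 = Always
        LdapEnforceChannelBinding = if ($null -ne $p.LdapEnforceChannelBinding) { $p.LdapEnforceChannelBinding } else { 0 }
    }
}

function Test-LdapHardened {
    $s = Get-LdapHardeningState
    ($s.LDAPServerIntegrity -eq 2) -and ($s.LdapEnforceChannelBinding -eq 2)
}

# Step 1: raise LDAP interface diagnostics so the DC logs Event ID 2889 in the
# Directory Service log for every client that binds without signing (and a daily
# 2887 summary). DCs that carry the channel binding update also log 3039 for binds
# that fail the channel binding check. Review these before enforcing: anything
# listed here will stop working once signing and channel binding are required.
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Type DWord -Value 2

# Step 2: report the unsigned binds observed so far.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } -ErrorAction SilentlyContinue |
    Select-Object -First 20 TimeCreated, Message

# Step 3: enforce. The equivalent Group Policy settings are
#   Domain controller: LDAP server signing requirements = Require signing
#   Domain controller: LDAP server channel binding token requirements = Always
if (-not (Test-LdapHardened)) {
    Set-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity'       -Type DWord -Value 2
    Set-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' -Type DWord -Value 2
}

Get-LdapHardeningState
```

Requiring signing and channel binding closes the relay path to LDAP that the attack depends on, but it also rejects clients that still bind in clear text or without a channel binding token (older appliances and some Linux integrations are the usual offenders), which is why the audit step comes first. Client-side, the matching setting is LDAPClientIntegrity under HKLM:\SYSTEM\CurrentControlSet\Services\LDAP (2 = require signing).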

Microsoft fixes exploited PetitPotam LSA spoofing vulnerability

Separately, Microsoft said it has now fixed a difficult-to-remedy issue in the Windows Local Security Authority (LSA) authentication component.

Named PetitPotam and discovered by penetration tester Lionel Gilles, the vulnerability has been public since July last year.

PetitPotam is an authentication coercion technique that feeds NT LAN Manager (NTLM) relay attacks, and it has been abused by ransomware gangs such as LockFile, security vendors say.

It abuses Microsoft's Encrypting File System remote protocol (MS-EFSRPC) to coerce a domain controller into authenticating with NTLM to a server of the attacker's choosing, which can then relay that authentication to another service.
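As an added example that is not part of the article, the PowerShell below shows what a coerced-and-relayed domain controller authentication looks like from the relay target's side and how to hunt for it: a domain controller's machine account completing an NTLM network logon (Security Event ID 4624, logon type 3) from an IP address that is not the DC's own. The events are constructed sample data, the DC inventory and function names are assumptions for this example, and the conversion helper shows how to feed real Security log records into the same check.

```powershell
# Added example (not from the article): hunt for a DC machine account authenticating
# with NTLM from a non-DC address, the footprint that a coerced DC authentication
# relayed by an attacker leaves on the relay target (for instance an AD CS server).

# Assumed inventory: DC computer account -> the address it legitimately uses.
# A DC with several addresses needs every one of them listed, or it will be flagged.
$dcInventory = @{
    'DC01$' = '10.0.0.10'
    'DC02$' = '10.0.0.11'
}

# Constructed sample events carrying only the 4624 fields the check needs.
$sampleEvents = @(
    [pscustomobject]@{ Id = 4624; TargetUserName = 'DC01$';  AuthenticationPackageName = 'Kerberos'; LogonType = 3; IpAddress = '10.0.0.10' }
    [pscustomobject]@{ Id = 4624; TargetUserName = 'DC01$';  AuthenticationPackageName = 'NTLM';     LogonType = 3; IpAddress = '10.0.5.77' }
    [pscustomobject]@{ Id = 4624; TargetUserName = 'jsmith'; AuthenticationPackageName = 'NTLM';     LogonType = 3; IpAddress = '10.0.5.77' }
    [pscustomobject]@{ Id = 4624; TargetUserName = 'DC02$';  AuthenticationPackageName = 'NTLM';     LogonType = 3; IpAddress = '10.0.0.11' }
)

function Find-SuspiciousDcNtlmLogons {
    param(
        [Parameter(ValueFromPipeline)] [object]$Event,
        [Parameter(Mandatory)] [hashtable]$Dcs
    )
    process {
        # Only successful network logons that used NTLM are of interest.
        if ($Event.Id -ne 4624 -or $Event.LogonType -ne 3) { return }
        if ($Event.AuthenticationPackageName -ne 'NTLM') { return }
        # Only accounts we know to be domain controllers.
        if (-not $Dcs.ContainsKey($Event.TargetUserName)) { return }
        # A DC authenticating from its own address is normal; any other source is not.
        if ($Event.IpAddress -eq $Dcs[$Event.TargetUserName]) { return }
        [pscustomobject]@{
            Account    = $Event.TargetUserName
            ExpectedIp = $Dcs[$Event.TargetUserName]
            SeenFrom   = $Event.IpAddress
            Reason     = 'DC machine account used NTLM from a non-DC address: possible coerced authentication relayed by an attacker'
        }
    }
}

# Turn a live Security log record into the same shape as the sample objects.
function ConvertFrom-SecurityEvent {
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Id                        = $Record.Id
            TargetUserName            = $d['TargetUserName']
            AuthenticationPackageName = $d['AuthenticationPackageName']
            LogonType                 = [int]$d['LogonType']
            IpAddress                 = $d['IpAddress']
        }
    }
}

# Run against the constructed sample.
$sampleEvents | Find-SuspiciousDcNtlmLogons -Dcs $dcInventory

# Run against the real Security log on a suspected relay target (uncomment):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
#     ConvertFrom-SecurityEvent | Find-SuspiciousDcNtlmLogons -Dcs $dcInventory
```

In the constructed sample only the DC01$ NTLM logon from 10.0.5.77 is reported; the Kerberos logon and the logon from the DC's own address are normal, and the user logon is out of scope. Two caveats for live use: 4624 records an IpAddress of "-" or "::1" for some local and loopback logons, so those rows need to be excluded or mapped, and a DC that legitimately authenticates from several addresses must have all of them in the inventory to avoid false positives.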

Microsoft said the fix blocks the affected application programming interface (API) calls, OpenEncryptedFileRawA and OpenEncryptedFileRawW, when they arrive over the LSARPC interface.

The Encrypting File System (EFS) API OpenEncryptedFileRaw, which is often used by backup software, continues to work in all versions of Windows, both locally and remotely, Microsoft said.

However, backing up to or from a system running Windows Server 2008 SP2 will no longer work, because OpenEncryptedFileRaw stops functioning on that version.

Microsoft issued a patch for PetitPotam in August last year, but security researcher Benjamin Delpy, who published a mitigation, found that it was incomplete.
