Posted: 2020. 10. 7, 6:03:22 AM
Blog post 11 September 2020, by Tom Tervoort, Senior Security Specialist and Ralph Moonen, Technical Director at Secura
Last month, Microsoft patched a very interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.
Secura's security expert Tom Tervoort previously discovered a less severe Netlogon vulnerability last year that allowed workstations to be taken over, but the attacker required a Person-in-the-Middle (PitM) position for that to work. Now, he discovered this second, much more severe (CVSS score: 10.0) vulnerability in the protocol. By forging an authentication token for specific Netlogon functionality, he was able to call a function to set the computer password of the Domain Controller to a known value. After that, the attacker can use this new password to take control over the domain controller and steal credentials of a domain admin.
The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.
Secura urges everybody to install the patch on all their domain controllers as fast as possible. Please refer to Microsoft’s advisory. We published a test tool on Github, which you can download here: https://github.com/SecuraBV/CVE-2020-1472 that can tell you whether a domain controller is vulnerable or not.
If you are interested in the technical details behind this pretty unique vulnerability and how it was discovered, download the whitepaper here.
Source: https://www.secura.com/blog/zero-logon
=====================================
I read an exploit write-up on this vulnerability. (https://blog.diffense.co.kr/2020/10/06/Zerologon.html?fbclid=IwAR0dz8COLHRvmDCETyFWuUYI-_GJg5sCkVEql561mDRXRkoFSjqv6rS1bw8)
Ultimately it is a vulnerability that lets the passwords of all accounts in Active Directory be reset, and it arises in the security protocol that runs when a connection is made.
Encryption uses AES-CFB, and one might assume AES is sufficiently secure, but this vulnerability arose because the IV value was fixed to zero (0). Seeing that the PoC implementing the actual vulnerability passed 100% of 2000 authentication attempts shows how important setting the IV value is. Given that this vulnerability was rated CVSS 10, I came to think that it is necessary to keep a close eye on cryptographic modules like this when doing system hacking.
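To make the "fixed zero IV" point concrete, here is an added illustration of the cryptographic property itself; it is not code from the original post, from Secura's test tool, or from the diffense write-up, and it touches no Netlogon RPC. It implements generic CFB8 on top of a 128-bit block cipher (real AES-128 when the `cryptography` package is installed; otherwise a SHA-256-based stand-in, which is an assumption made only so the script runs anywhere) and measures how often an all-zero plaintext encrypts to an all-zero ciphertext. With the IV fixed to zero, the shift register never changes once the first keystream byte is 0x00, so the collapse happens for roughly 1 key in 256, which is why a few thousand attempts are enough; with a random IV the same event essentially never happens. The function names (`cfb8_encrypt`, `zero_collapse_count`, `find_collapsing_key`) are my own.

```python
"""Why a fixed all-zero IV breaks CFB8 mode (added illustration, not Secura's code).

CFB8 keeps a 16-byte shift register that starts as the IV. For each plaintext
byte it encrypts the register, XORs the first keystream byte into the plaintext
byte, then shifts the resulting ciphertext byte into the register. With an
all-zero IV and all-zero plaintext, whenever the first keystream byte is 0x00
(about 1/256 of random keys) the register never changes and every output byte
is also 0x00. A random IV removes that structure.
"""
import hashlib
import random

BLOCK_SIZE = 16

try:
    # Prefer real AES-128 if the 'cryptography' package is available.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    Cipher(algorithms.AES(bytes(BLOCK_SIZE)), modes.ECB()).encryptor()  # probe

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except Exception:
    # Assumption: a SHA-256-based stand-in behaves like a 128-bit block cipher
    # for the purposes of this demonstration (the CFB8 feedback logic is what matters).
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8 encryption: one block-cipher call per plaintext byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])  # feed the ciphertext byte back in
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Generic CFB8 decryption (same keystream, ciphertext bytes fed back)."""
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        out.append(c ^ keystream_byte)
        register = register[1:] + bytes([c])
    return bytes(out)


def _random_bytes(rng: random.Random, n: int) -> bytes:
    return rng.getrandbits(8 * n).to_bytes(n, "big")


def zero_collapse_count(trials: int, iv_is_zero: bool, seed: int = 1) -> int:
    """Count keys (from a seeded PRNG) for which 8 zero bytes encrypt to 8 zero bytes."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = _random_bytes(rng, BLOCK_SIZE)
        iv = bytes(BLOCK_SIZE) if iv_is_zero else _random_bytes(rng, BLOCK_SIZE)
        if cfb8_encrypt(key, iv, bytes(8)) == bytes(8):
            hits += 1
    return hits


def find_collapsing_key(seed: int = 7) -> bytes:
    """Return the first seeded random key whose zero-IV CFB8 output collapses to zeros."""
    rng = random.Random(seed)
    while True:
        key = _random_bytes(rng, BLOCK_SIZE)
        if cfb8_encrypt(key, bytes(BLOCK_SIZE), bytes(8)) == bytes(8):
            return key


if __name__ == "__main__":
    n = 4096
    print(f"zero IV:   {zero_collapse_count(n, True)} of {n} keys collapse (expected ~{n // 256})")
    print(f"random IV: {zero_collapse_count(n, False)} of {n} keys collapse (expected ~0)")
```

The defensive takeaways are the ones the patch enforces: a CFB8 IV must be unpredictable per message, and an authentication check must not accept a value that an attacker can produce with a 1-in-256 guess. A detection-side note: this collapse only shows up as many failed attempts followed by a success, so a burst of failed Netlogon authentications for one account is the signal worth alerting on.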