Everyone is DA

CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

This Blog illustrates the vulnerabilities CVE-2021-42278 and CVE-2021-42287, the attack chain to gain Administrative Privileges on the domain from a standard domain user privilege. I have also explored this attack path for Forests too (Root-Child domains and External domain with two-way transitive trusts)

Theory and Background

I guess last two months of 2021 researchers have many vulnerabilities, while Log4J are still being digged by researchers. Adversaries have found a way to obtain full administrative privileges domains by weaponizing CVE-2021-42287 and CVE-2021-42278 vulnerabilities.

CVE-2021-42278:

Machine accounts in Active Directory end with $ but there is no validation for it. This allows any domain user (attacker) to spoof the Domain Controller's machine accounts and gain administrative privileges

CVE-2021-42287:

The flaw is present in the KDC misconfiguration allowing any computer account to impersonate domain controllers. For requesting Service Tickets (ST), Ticket Granting Ticket (TGT) is required. While requesting the ST with TGT, if the account name is not present in the domain the KDC automatically adds $ in the account name and searches again. Leveraging this process the domain controller's service ticket can be retrieved by the attacker gaining the administrative privileges.

Lab

My Lab environment for this lab is:

  1. LAB.LOCAL - Root Domain

  2. CHILD.LAB.LOCAL - Child Domain

  3. FOREST.LOCAL - Root Domain which has external bi-directional and transitive trust with LAB.LOCAL

  4. LAB-DC.LAB.LOCAL - Domain Controller of LAB.LOCAL

  5. CHILD-DC.CHILD.LAB.LOCAL - Domain Controller of CHILD.LAB.LOCAL

  6. FOREST-DC.FOREST.LOCAL - Domain Controller of FOREST.LOCAL

  7. LABSVR.LAB.LOCAL - Workstation connected to LAB.LOCAL

  8. C-LABSVR.CHILD.LAB.LOCAL - Workstation connected to CHILD.LAB.LOCAL

Abuse Scenario

By default each of the domain user have privileges to create upto 10 Machine accounts in the domain controller. LAB-DC is the machine account that was created by the domain user and the DC's name is LAB-DC$ . After retrieving TGT for LAB-DC , account is deleted or account name is modified. With this ST for itself (S4U) is requested, as the KDC cannot identify the account LAB-DC it adds $ to the account name and retrieves the service ticket for LAB-DC$ . This allows the attacker to gain DA privileges, via impersonating the domain controller. The attack flow is :

  1. Create a machine account with the domain user privilege

  2. Modify the created or controlled machine account samaccountname to a Domain Controller's name without the trailing $

  3. Request the a TGT for the machine account

  4. Reset the controlled machine account samaccountname to its old value

  5. Request a service ticket for cifs,ldap etc. with S4U2self using the obtained TGT

  6. Access the DC.

Attack Path

Last updated