Everyone is DA
CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
This blog illustrates the vulnerabilities CVE-2021-42278 and CVE-2021-42287 and the attack chain that takes a standard domain user to administrative privileges on the domain. I have also explored this attack path across forests (root and child domains, and an external domain with a two-way transitive trust).
Theory and Background
The last two months of 2021 gave researchers plenty of vulnerabilities, and Log4j is still being dug into. Adversaries have found a way to obtain full administrative privileges over a domain by weaponizing CVE-2021-42287 and CVE-2021-42278 together.
CVE-2021-42278:
Machine accounts in Active Directory end with $, but nothing validates that a computer object's sAMAccountName actually carries the trailing $. This allows any domain user (the attacker) to rename a machine account they control to a Domain Controller's name (without the $) and, combined with the next flaw, gain administrative privileges.
CVE-2021-42287:
The flaw is in the KDC's account lookup, and it lets a computer account impersonate a domain controller. A Ticket Granting Ticket (TGT) is required to request a Service Ticket (ST). When an ST is requested with a TGT whose account name no longer exists in the domain, the KDC automatically appends $ to the account name and searches again. Leveraging this behaviour, the attacker retrieves a service ticket as the domain controller's machine account, gaining administrative privileges.
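To make the two flaws concrete, here is a simplified model of the KDC lookup described above, written as an added example for this post (it is not the original author's code and not Windows KDC code). The directory contents, SIDs, ticket fields and the "patched" comparison are constructed and simplified: Microsoft's fix binds tickets to the requestor's SID through new PAC data, and the SID comparison below stands in for that check.

```python
"""Simplified model of the KDC account lookup behind CVE-2021-42278/42287.

Added teaching example, not code from the original post and not Windows KDC
code. Directory contents, SIDs and ticket structures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tgt:
    """The two TGT facts this model needs: the client name the ticket was
    issued to, and the SID the KDC recorded for that account at issue time."""
    client_name: str
    client_sid: str


# Constructed directory: sAMAccountName -> SID. LAB-DC$ is the real DC
# account. The attacker's account has already been renamed back, so the
# name "LAB-DC" (no trailing $) no longer exists when the ST is requested.
DIRECTORY = {
    "LAB-DC$": "S-1-5-21-1000-1000-1000-1001",
    "ATTACKER-PC$": "S-1-5-21-1000-1000-1000-1337",
}


def resolve_with_dollar_fallback(directory, name):
    """Lookup behaviour the CVE describes: exact name first, and if that is
    absent and the name has no trailing '$', retry with '$' appended."""
    if name in directory:
        return name
    if not name.endswith("$") and name + "$" in directory:
        return name + "$"
    return None


def s4u2self_unpatched(directory, tgt):
    """Pre-patch behaviour in this model: the service ticket is issued for
    whatever account the name resolves to, with no check that it is the
    same account the TGT was issued to."""
    resolved = resolve_with_dollar_fallback(directory, tgt.client_name)
    if resolved is None:
        return None
    return {"issued_for": resolved, "sid": directory[resolved]}


def s4u2self_patched(directory, tgt):
    """Post-patch behaviour in this model: the resolved account must carry
    the SID recorded in the TGT, otherwise the request is rejected.
    (Simplification of the PAC requestor-SID check the real fix added.)"""
    resolved = resolve_with_dollar_fallback(directory, tgt.client_name)
    if resolved is None or directory[resolved] != tgt.client_sid:
        return None
    return {"issued_for": resolved, "sid": directory[resolved]}


def demo():
    """A TGT obtained while the attacker's account was still named 'LAB-DC'."""
    tgt = Tgt(client_name="LAB-DC", client_sid="S-1-5-21-1000-1000-1000-1337")
    return s4u2self_unpatched(DIRECTORY, tgt), s4u2self_patched(DIRECTORY, tgt)


if __name__ == "__main__":
    before, after = demo()
    print("unpatched:", before)   # ticket resolved to LAB-DC$, the real DC
    print("patched:  ", after)    # None: SID mismatch, request rejected
```

The point of the model is the last comparison: once the ticket is tied to the SID of the account that obtained it, renaming an account to a DC's name buys nothing, because the fallback lookup still lands on an account with a different SID.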
Lab
The lab environment is:
LAB.LOCAL - Root Domain
CHILD.LAB.LOCAL - Child Domain
FOREST.LOCAL - Root Domain which has external bi-directional and transitive trust with LAB.LOCAL
LAB-DC.LAB.LOCAL - Domain Controller of LAB.LOCAL
CHILD-DC.CHILD.LAB.LOCAL - Domain Controller of CHILD.LAB.LOCAL
FOREST-DC.FOREST.LOCAL - Domain Controller of FOREST.LOCAL
LABSVR.LAB.LOCAL - Workstation connected to LAB.LOCAL
C-LABSVR.CHILD.LAB.LOCAL - Workstation connected to CHILD.LAB.LOCAL
Abuse Scenario
By default, each domain user can create up to 10 machine accounts in the domain. In this scenario LAB-DC is the machine account created by the domain user, while the real DC's account name is LAB-DC$. After a TGT is retrieved for LAB-DC, the account is deleted or renamed. A service ticket for itself (S4U2self) is then requested with that TGT; because the KDC cannot find an account named LAB-DC, it appends $ and issues the service ticket for LAB-DC$. This lets the attacker gain DA privileges by impersonating the domain controller. The attack flow is:
1. Create a machine account with domain user privileges.
2. Modify the created (or otherwise controlled) machine account's samaccountname to a Domain Controller's name without the trailing $.
3. Request a TGT for the machine account.
4. Reset the controlled machine account's samaccountname to its old value.
5. Request a service ticket for cifs, ldap etc. with S4U2self using the obtained TGT.
6. Access the DC.
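Each step of that flow leaves a trace on the DC that owns the account, so the chain is also a detection opportunity. The following is an added example of detection logic, not part of the original post: it runs over a handful of constructed Security log records. Event IDs 4741 (a computer account was created) and 4781 (the name of an account was changed) are real Windows event IDs; the flattened field names and every sample record below are constructed to resemble exported event data and do not come from any real domain. The DC names are the lab's.

```python
"""Detection for sAMAccountName-spoofing (CVE-2021-42278/42287) over
constructed Security log records. Added example, not from the original post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: DC host names from the lab, used to spot renames to a DC name.
DC_NAMES = {"LAB-DC", "CHILD-DC", "FOREST-DC"}
SEQUENCE_WINDOW = timedelta(minutes=30)

# Constructed sample events (fields flattened from the event XML a DC writes).
SAMPLE_EVENTS = [
    {"EventID": 4741, "TimeCreated": "2021-12-20T10:00:00", "SubjectUserName": "alice",
     "TargetUserName": "DESKTOP-Z9Q$"},
    {"EventID": 4781, "TimeCreated": "2021-12-20T10:01:10", "SubjectUserName": "alice",
     "OldTargetUserName": "DESKTOP-Z9Q$", "NewTargetUserName": "LAB-DC"},
    {"EventID": 4781, "TimeCreated": "2021-12-20T10:02:00", "SubjectUserName": "alice",
     "OldTargetUserName": "LAB-DC", "NewTargetUserName": "DESKTOP-Z9Q$"},
    # Benign: a helpdesk admin renames a workstation and the trailing $ survives.
    {"EventID": 4781, "TimeCreated": "2021-12-20T11:00:00", "SubjectUserName": "helpdesk",
     "OldTargetUserName": "OLDPC01$", "NewTargetUserName": "NEWPC01$"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def classify_rename(ev):
    """Per-event rules for a 4781 record. Returns a list of (severity, reason)."""
    old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
    findings = []
    if new.upper() in DC_NAMES:
        findings.append(("high", f"account renamed to a DC name without '$': {old} -> {new}"))
    if old.endswith("$") and not new.endswith("$"):
        findings.append(("medium", f"machine account lost its trailing '$': {old} -> {new}"))
    return findings


def detect(events):
    """Run the per-event rules, then the sequence rule: one subject creates a
    computer account and that account is renamed twice inside the window."""
    alerts = []
    by_subject = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == 4781:
            for sev, reason in classify_rename(ev):
                alerts.append({"severity": sev, "subject": ev["SubjectUserName"],
                               "time": ev["TimeCreated"], "reason": reason})
        if ev["EventID"] in (4741, 4781):
            by_subject[ev["SubjectUserName"]].append(ev)
    for subject, evs in by_subject.items():
        for created in (e for e in evs if e["EventID"] == 4741):
            name = created["TargetUserName"]
            # Renames that touch the created account (as old or new name).
            renames = [e for e in evs if e["EventID"] == 4781
                       and name in (e["OldTargetUserName"], e["NewTargetUserName"])
                       and timedelta(0) <= _ts(e) - _ts(created) <= SEQUENCE_WINDOW]
            if len(renames) >= 2:
                alerts.append({"severity": "high", "subject": subject,
                               "time": created["TimeCreated"],
                               "reason": f"create + {len(renames)} renames of {name} "
                                         f"within {SEQUENCE_WINDOW}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["subject"], a["time"], a["reason"])
```

The rename-to-DC-name rule is the high-confidence one; the "lost trailing $" rule and the create-then-rename-twice sequence catch variants where the target name is not on your DC list. The same logic is easier to justify when the machine account quota for ordinary users is already zero, since then step 1 of the flow needs an account a user should not be able to create.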
Attack Path