Windows Vulnerability Could Crack DC Server Credentials Open

Researchers have discovered a vulnerability in the remote procedure calls (RPC) to the Windows Server service that could allow an attacker to gain control of the domain controller (DC) in a specific network configuration and execute remote code.

Malicious actors could also exploit the vulnerability to change a server’s certificate mapping to perform server spoofing.

Vulnerability CVE-2022-30216, found in unpatched Windows 11 and Windows Server 2022 machines, was addressed in July’s Patch Tuesday, but a report by Akamai researcher Ben Barnea, who discovered the vulnerability, provides technical details about the flaw.

The complete attack flow gives an attacker full control over the DC, its services and data.

Proof of concept exploitation for remote code execution

The vulnerability was found in SMB over QUIC, a transport-layer network protocol that enables communication with the server and provides access to network resources such as files, shares and printers. Clients also disclose credentials to the server on the assumption that the receiving system can be trusted.

The flaw could allow a malicious actor authenticated as a domain user to replace files on the SMB server and serve them to connecting clients, according to Akamai. In a proof of concept, researchers exploited the flaw to steal credentials via forced authentication.

Specifically, they set up an NTLM relay attack. NTLM, now deprecated, is a weak authentication protocol that can easily expose credentials and session keys. In a relay attack, an attacker captures an authentication exchange and relays it to another server, authenticating to that server with the compromised user’s privileges; this enables lateral movement and privilege escalation within an Active Directory domain.

“The direction we took was to take advantage of the authentication compulsion,” says Akamai security researcher Ophir Harpaz. “The specific NTLM relay attack we chose involves passing the credentials to the Active Directory CS service, which is responsible for managing certificates in the network.”

Once the vulnerable function is called, the victim immediately sends the network information back to an attacker-controlled machine. From there, attackers can gain full remote code execution (RCE) on the victim machine and establish a launching pad for several other types of attacks, including ransomware, data exfiltration, and others.

“We chose to attack the Active Directory domain controller so that the RCE will have the greatest impact,” adds Harpaz.

Akamai’s Ben Barnea points out that, since the vulnerable service is a core service on every Windows machine, the only practical recommendation in this case is to patch the vulnerable system.

“Disabling the service is not a possible solution,” he says.

Server spoofing leads to credential theft

Bud Broomhead, CEO of Viakoo, says in terms of negative impact on organizations, server spoofing is also possible with this flaw.

“Server spoofing adds additional threats to the organization, including man-in-the-middle attacks, data exfiltration, data manipulation, remote code execution and other exploits,” he adds.

A common example of this can be seen with Internet of Things (IoT) devices attached to Windows application servers, e.g., IP cameras all connected to a Windows server hosting the video management application.

“Often IoT devices are set up with the same passwords; get access to one, you’ve got access to them all,” he says. “Spoofing that server can enable data integrity threats, including planting deepfakes.”

Broomhead adds that at a basic level, these exploit paths are examples of breaches of internal system trust — especially in the case of forced authentication.

Distributed workforce expands the attack surface

Mike Parkin, senior technical engineer at Vulcan Cyber, says that while it does not appear that this issue has yet been exploited in the wild, a threat actor who successfully spoofs a legitimate and trusted server, or forces authentication to an untrusted one, could cause a host of problems.

“There are a lot of features that are based on the ‘trust’ relationship between server and client and spoofing that would let an attacker exploit any of those relationships,” he notes.

Parkin adds that a distributed workforce significantly expands the threat surface, making it more challenging to properly control access to protocols that should not be seen outside of the organization’s local environment.

Broomhead points out that instead of the attack surface being contained neatly within data centers, the distributed workforce has also expanded the attack surface physically and logically.

“Getting a foothold in the network is easier with this expanded attack surface, harder to eliminate and provides the potential for spillover to employees’ home or personal networks,” he says.

From his perspective, maintaining zero-trust or least-privilege philosophies reduces the reliance on credentials and the impact of credentials being stolen.

Parkin adds that reducing the risk from attacks like this requires minimizing the threat surface, proper internal access controls, and keeping up to date with patches across the environment.

“Neither is a perfect defense, but they serve to reduce risk,” he says.
