As part of the July Patch Tuesday, Microsoft has released security patches for a serious privilege escalation flaw affecting all Windows operating system versions for enterprises released since 2007.
Experts at Security firm Preempt, discovered two zero-day flaws that affect Windows NTLM security protocols. The vulnerabilities could be exploited by attackers to create a new domain administrator account and take over the target domain.
The NT LAN Manager (NTLM) is an ancient authentication protocol, despite it was replaced by Kerberos in Windows 2000, it is still supported by Microsoft and it is used by many organizations.
The first flaw involves unprotected Lightweight Directory Access Protocol (LDAP) from NTLM relay, and the second is related to the Remote Desktop Protocol (RDP) Restricted-Admin mode.
Even if LDAP signing protects from both Man-in-the-Middle (MitM) and credential forwarding, the protocol is not able to fully protect against NTLM relay attacks,
The vulnerability could be exploited by an attacker with SYSTEM privileges to use incoming NT LAN Manager sessions and perform the LDAP operations, including the updating of domain objects.
“This allows an attacker with SYSTEM privileges on a machine to use any incoming NTLM session and perform the LDAP operations on behalf of the NTLM user.” reads a blog post published by Preempt.
“To realize how severe this issue is, we need to realize all Windows protocols use the Windows Authentication API (SSPI) which allows downgrade of an authentication session to NTLM.As a result, every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin would result in the attacker creating a domain admin account and getting full control over the attacked network.”
The analysis published by Preempt also includes a video PoC for credential relay attacks.
The second NTLM vulnerability affects the RDP Restricted-Admin mode that allows users to access to a remote machine without providing their password.
According to Preempt researchers, the RDP Restricted-Admin allows authentication systems to downgrade to NTLM.
This means that it is possible to perform NTLM relay attacks and password cracking against the RDP Restricted-Admin.
“Preempt discovered that RDP Restricted-Admin, which is sometimes referred to (mistakenly) as Kerberosed RDP, allows downgrade to NT LAN Manager in the authentication negotiation. This means that every attack you can perform with NTLM such as credential relaying and password cracking could be carried out against RDP Restricted-Admin.” continues the analysis.
Chaining the two zero-days, an attacker could create a bogus domain admin account whenever an admin connects with RDP Restricted-Admin and get control of the entire domain.
The NTLM flaws have been reported to Microsoft in April, but the company only acknowledged a month later the NTLM LDAP vulnerability (tracked as CVE-2017-8563). Microsoft did not recognize RDP bug, the tech giant classified it as a “known issue” that could be solved with a proper configuration of the network.
Microsoft recommends companies running vulnerable servers with NT LAN Manager enabled to patch them as soon as possible.
Other mitigation actions are:
Microsoft has released patches for 55 security vulnerabilities, including 19 critical issues, in its products, including Edge, Internet Explorer, Windows, Office and Office Services and Web Apps, .NET Framework, and Exchange Server.[adorate banner=”9″]Pierluigi Paganini (Security Affairs – LDAP, NT LAN Manager hacking)