Rewterz Threat Alert – CVE-2020-1472 – Attackers Exploiting ‘ZeroLogon’ Windows Flaw – IoCs and PoC

September 25, 2020

Severity

High

Analysis Summary

Microsoft reported that attackers are exploiting a particularly dangerous flaw in Windows Server systems that could be used to give attackers the access to a vulnerable corporate network.

This vulnerability directly affects domain controllers (DC) in active directories (AD). Due to a bug in the incorrect implementation of AES-CFB8 in the Netlogon protocol, an attacker could set a new password without further requirements, all in order to take complete control of the DC and gain the administrator user credentials. The failure is located in the initial authentication handshake, since authentication is generally bypassed, therefore, an attacker only has to establish a TCP connection with a vulnerable domain controller, simply by being within the local network it would be enough to exploit this flaw, since it does not require any type of domain credential.

Attack Patterns

Privilege Abuse
Privilege Escalation
Restful Privilege Elevation

Associated PoCs

ZeroLogon Severe Vulnerability (CVE-2020-1472) already has PoC (Proof of Concept) and public exploit working and is very dangerous. The bug was fixed in Microsoft’s security updates for August 2020. However, this week at least four public PoC exploits were released for the bug on Github. Even the popular mimikatz tool has added support to exploit the vulnerability more quickly via RPC.

It is an exploitable vulnerability only with having visibility in the DC network, with low technical complexity, without requiring privileges and without requiring the interaction of a legitimate user. The vulnerability is discovered in all versions of Windows:

Due to this bug in the AES implementation, you can get full control of the DC, and set an empty password on the domain. Due to the lack of authentication when exploiting this security flaw, this vulnerability has been called “Zerologon”.
PoC ZeroLogon CVE-2020-1472 Public Exploits

Exploit for Netlogon Remote Protocol Vulnerability, CVE-2020-1472

Impact

Privilege Escalation
Privilege Abuse
Unauthorized Access

Affected Vendors

Microsoft

Affected Products

Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server version 1903 (Server Core installation)
Windows Server version 1909 (Server Core installation)
Windows Server version 2004 (Server Core installation)

Indicators of Compromise

MD5

19ff12325546bdb01adfcf96e7e747c3
145459f51dba94635b676305e1879d81
96b2532ece1f721a1c4ebf714d33f5da
1d075193b9c51dbeb9ca38bebe03fe52

SHA-256

50af4367eadd55236d085d8221815ea06992d6c0e1ab3ed6848dc3bdaca6f7dd
6c07d9e28c2f83966b4b52e0fe011318cd939318f6dc9900cbf827f0bac04683
6dd6f3f6de51816e17fe826d6848dc04ce8327df00f5b667a83e3a4ac7a8cb5d
c33a65409db7ea9ced3d7e9d9df80a4e2cef77b787ac47ff949764da970ec602

SHA1

6bdac6ffbbd4a1192248085c78638b35f572d14b
246abf8b8788cd1e7806b9d129f3d48d3fd849d6
e23ff79c1599e273e3af67b842997e3d11603dfb
14353c6f8f39a312951b73e55470715fe71b5360

Remediation

Block the threat indicators at their respective controls.
Immediately apply patches for this vulnerability.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
Block additional IoCs from previous advisory as well.