Rewterz Threat Alert – CVE-2020-1472 – Attackers Exploiting ‘ZeroLogon’ Windows Flaw – IoCs and PoC

Severity

High

Analysis Summary

Microsoft reported that attackers are exploiting a particularly dangerous flaw in Windows Server systems that could be used to give attackers the access to a vulnerable corporate network. 

This vulnerability directly affects domain controllers (DC) in active directories (AD). Due to a bug in the incorrect implementation of AES-CFB8 in the Netlogon protocol, an attacker could set a new password without further requirements, all in order to take complete control of the DC and gain the administrator user credentials. The failure is located in the initial authentication handshake, since authentication is generally bypassed, therefore, an attacker only has to establish a TCP connection with a vulnerable domain controller, simply by being within the local network it would be enough to exploit this flaw, since it does not require any type of domain credential.

Attack Patterns

• Privilege Abuse
• Privilege Escalation
• Restful Privilege Elevation

Associated PoCs

ZeroLogon Severe Vulnerability (CVE-2020-1472) already has PoC (Proof of Concept) and public exploit working and is very dangerous. The bug was fixed in Microsoft’s security updates for August 2020. However, this week at least four public PoC exploits were released for the bug on Github. Even the popular mimikatz tool has added support to exploit the vulnerability more quickly via RPC.

It is an exploitable vulnerability only with having visibility in the DC network, with low technical complexity, without requiring privileges and without requiring the interaction of a legitimate user. The vulnerability is discovered in all versions of Windows:

Due to this bug in the AES implementation, you can get full control of the DC, and set an empty password on the domain. Due to the lack of authentication when exploiting this security flaw, this vulnerability has been called “Zerologon”.
PoC ZeroLogon CVE-2020-1472 Public Exploits

Exploit for Netlogon Remote Protocol Vulnerability, CVE-2020-1472

• https://3g2upl4pq6kufc4m.onion/?q=%22https%22+secure+etosoftware+%22newlogin%22+site:social.technet.microsoft.com
• https://github.com/batmanli61/Zerologon
• https://github.com/k8gege/CVE-2020-1472-EXP
• https://github.com/VoidSec/CVE-2020-1472
• https://github.com/risksense/zerologon
• https://github.com/sv3nbeast/CVE-2020-1472
• https://github.com/zeronetworks/zerologon
• https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon
• https://github.com/dirkjanm/CVE-2020-1472
• https://github.com/blackarrowsec/redteam-research/tree/master/CVE-2020-1472
• https://github.com/dirkjanm/CVE-2020-1472/blob/master/cve-2020-1472-exploit.py
• https://github.com/bb00/zer0dump
• https://github.com/risksense/zerologon/

Impact

• Privilege Escalation
• Privilege Abuse
• Unauthorized Access

Affected Vendors

Microsoft

Affected Products

• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)
• Windows Server 2016
• Windows Server 2016 (Server Core installation)
• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server version 1903 (Server Core installation)
• Windows Server version 1909 (Server Core installation)
• Windows Server version 2004 (Server Core installation)

Indicators of Compromise

MD5

• 19ff12325546bdb01adfcf96e7e747c3
• 145459f51dba94635b676305e1879d81
• 96b2532ece1f721a1c4ebf714d33f5da
• 1d075193b9c51dbeb9ca38bebe03fe52

SHA-256

• 50af4367eadd55236d085d8221815ea06992d6c0e1ab3ed6848dc3bdaca6f7dd
• 6c07d9e28c2f83966b4b52e0fe011318cd939318f6dc9900cbf827f0bac04683
• 6dd6f3f6de51816e17fe826d6848dc04ce8327df00f5b667a83e3a4ac7a8cb5d
• c33a65409db7ea9ced3d7e9d9df80a4e2cef77b787ac47ff949764da970ec602

SHA1

• 6bdac6ffbbd4a1192248085c78638b35f572d14b
• 246abf8b8788cd1e7806b9d129f3d48d3fd849d6
• e23ff79c1599e273e3af67b842997e3d11603dfb
• 14353c6f8f39a312951b73e55470715fe71b5360

Remediation

• Block the threat indicators at their respective controls.
• Immediately apply patches for this vulnerability.
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
• Block additional IoCs from previous advisory as well.