In November 2014, Microsoft issued a critical patch addressing a Kerberos issue on domain controllers. This vulnerability enables an attacker to leverage any authenticated session to create a Kerberos ticket that can carry any group membership in the Active Directory domain, including membership in Domain Admins, Schema Admins, Enterprise Admins, or BUILTIN\Administrators. In addition, a toolkit designed to exploit this vulnerability has been published online since the beginning of December.
Diving Into Kerberos
Kerberos is an authentication solution designed to provide single sign-on authentication to resources which exist within a trusted domain. A standard Kerberos authentication consists of four exchanges:
- AS-REQ: A request to authenticate a user in the interest of gaining a ticket granting ticket (TGT), sent over TCP port 88
- AS-REP: A reply from the Kerberos key distribution center (KDC) which contains a ticket granting ticket (TGT) if the authentication was successful
- TGS-REQ: A request made by the client to gain access to a resource, using the previously obtained TGT as a credential
- TGS-REP: A reply from the Kerberos key distribution center (KDC) which contains a service ticket (ST) for the requested resource if the TGS-REQ was successful
Privileged Attribute Certificates (PAC)
During the authentication process, a client can (and usually does) request a privileged attribute certificate, or PAC. A PAC contains information about the authenticated session that has been validated by a domain controller, most importantly group membership. Without a valid PAC, only the identity of the user requesting access to a service should be considered valid. Domain group membership provided outside of the PAC has not been validated by a domain controller and is therefore subject to tampering.
MS14-068 addresses a logic flaw in the Kerberos processing code on domain controllers. This flaw allows an attacker to trick a domain controller into issuing a valid PAC containing any group membership the attacker chooses, by presenting a forged PAC.
To begin, the attacker authenticates to Active Directory and requests a TGT without a PAC, specifying MD5 hashing for authenticity. Once the attacker obtains the TGT, they forge a PAC containing their desired Active Directory identity and group membership. This new PAC is inserted into the TGT and submitted in a TGS-REQ. The domain controller overlooks the field specifying that there is no PAC, reads the forged PAC, and issues a valid TGT with a valid PAC containing the group membership that was specified within the forged PAC. This TGT can then be inserted into the user’s session.
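The core of the flaw is that the domain controller trusted a checksum over the PAC that could be computed without any key. The following toy model is an added example, not Microsoft's KDC code: the PAC layout, the checksum type identifiers and the KDC key are simplified assumptions, and the model covers only the checksum check, not the overlooked "no PAC" field. It puts the pre-patch acceptance logic beside a hardened verifier that refuses unkeyed checksum types and requires a keyed MAC computed with the KDC secret.

```python
"""Toy model of keyed vs. unkeyed PAC checksum validation (added example).

Assumptions: a PAC is a dict with a "body" (the authorization data), a
"cksum_type" label and a hex "cksum"; real PACs use Kerberos checksum
type numbers and an NDR layout, which this model does not reproduce.
"""
import hashlib
import hmac
import json

# Constructed checksum type labels (assumption, not real Kerberos type numbers).
CKSUM_MD5_UNKEYED = "md5"          # computable by anyone, no key involved
CKSUM_HMAC_SHA256 = "hmac-sha256"  # requires the KDC's secret key


def _encode(pac_body: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(pac_body, sort_keys=True).encode()


def sign_pac(pac_body: dict, kdc_key: bytes) -> dict:
    """A legitimate KDC attaches a keyed checksum over the PAC body."""
    digest = hmac.new(kdc_key, _encode(pac_body), hashlib.sha256).hexdigest()
    return {"body": pac_body, "cksum_type": CKSUM_HMAC_SHA256, "cksum": digest}


def verify_pac_vulnerable(pac: dict, kdc_key: bytes) -> bool:
    """Models the pre-patch logic: honours whatever checksum type the PAC
    declares, so an unkeyed MD5 over the body 'verifies' without the key."""
    body = _encode(pac["body"])
    if pac["cksum_type"] == CKSUM_MD5_UNKEYED:
        return pac["cksum"] == hashlib.md5(body).hexdigest()
    if pac["cksum_type"] == CKSUM_HMAC_SHA256:
        expected = hmac.new(kdc_key, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(pac["cksum"], expected)
    return False


def verify_pac_hardened(pac: dict, kdc_key: bytes) -> bool:
    """Patched behaviour: only a keyed checksum under the KDC key is
    acceptable; any unkeyed checksum type is rejected before hashing."""
    if pac["cksum_type"] != CKSUM_HMAC_SHA256:
        return False
    expected = hmac.new(kdc_key, _encode(pac["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(pac["cksum"], expected)


def demo() -> dict:
    """Run both verifiers over a KDC-issued PAC and over a PAC whose
    checksum carries no key material at all (constructed test data)."""
    kdc_key = b"constructed-kdc-secret"
    genuine = sign_pac({"user": "alice", "groups": ["Domain Users"]}, kdc_key)
    # A PAC with an elevated group list and only an unkeyed MD5 over it.
    unkeyed_body = {"user": "alice", "groups": ["Domain Users", "Domain Admins"]}
    unkeyed = {"body": unkeyed_body, "cksum_type": CKSUM_MD5_UNKEYED,
               "cksum": hashlib.md5(_encode(unkeyed_body)).hexdigest()}
    return {
        "genuine_vulnerable": verify_pac_vulnerable(genuine, kdc_key),
        "genuine_hardened": verify_pac_hardened(genuine, kdc_key),
        "unkeyed_vulnerable": verify_pac_vulnerable(unkeyed, kdc_key),
        "unkeyed_hardened": verify_pac_hardened(unkeyed, kdc_key),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that integrity of authorization data must be bound to a secret the verifier holds; the vulnerable path accepts the unkeyed PAC because the check proves only that the body was hashed, not who hashed it, while the hardened path rejects it by checksum type alone.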
It is important to note that there are exploit kits currently available for download. In addition, it is critical that all domain controllers are patched against this vulnerability. A single unpatched domain controller puts the entire domain at risk.
Detection
- Security logs can be mined for success entries for event ID 4624 where the Security ID field does not match the proper account name (this does not catch all instances of the attack)
- Network monitoring can be used to detect Kerberos TGS-REQ packets (UDP port 88) where a PAC exists, but the field specifying whether a PAC exists is set to false
- After patching, attempts at exploitation will appear in the security log as failure audits for event ID 4769 with error code 0xF
Mitigation
- Microsoft issued a patch for this vulnerability. The patch must be applied to all domain controllers.
- Gaining the initial credential for use with the exploit script requires either the user’s password or their password hash. Obtaining the password hash without knowing the password requires SeDebug (administrator) rights.
- Using the resulting TGT requires the SeDebug right on the computer to change the active TGT used in memory.
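Two of the detection items above are log-mining tasks: 4624 success entries whose Security ID does not belong to the named account, and (once patched) 4769 failure audits with error code 0xF. The script below is an added example, not from the original post; the log records, the "key=value;" record format and the SID-to-account table are constructed, and the field names follow the Event Viewer labels rather than any particular SIEM schema.

```python
"""Mine Windows security-log records for the MS14-068 indicators (added example).

Assumptions: each record is one line of "Field=Value; Field=Value" pairs (a
constructed format standing in for an exported event log), and a snapshot of
the directory tells us which SID each account name should carry.
"""

# Constructed directory snapshot: the SID each account should log on with.
SID_BY_ACCOUNT = {
    "alice": "S-1-5-21-1111-2222-3333-1107",
    "bob": "S-1-5-21-1111-2222-3333-1108",
    "Administrator": "S-1-5-21-1111-2222-3333-500",
}

# Constructed sample records. Line 2 is a 4624 success whose SID is the
# built-in Administrator's while the account name is "bob"; line 3 is the
# 4769 failure with 0xF that a patched domain controller records.
SAMPLE_LOG = """\
EventID=4624; Keywords=Audit Success; SecurityID=S-1-5-21-1111-2222-3333-1107; AccountName=alice
EventID=4624; Keywords=Audit Success; SecurityID=S-1-5-21-1111-2222-3333-500; AccountName=bob
EventID=4769; Keywords=Audit Failure; AccountName=bob; FailureCode=0xF
EventID=4769; Keywords=Audit Success; AccountName=alice; FailureCode=0x0
"""


def parse_record(line: str) -> dict:
    """Split one 'Field=Value; ...' line into a dict (first '=' wins)."""
    parts = (p.strip() for p in line.split(";"))
    return dict(kv.split("=", 1) for kv in parts if "=" in kv)


def mismatched_logons(records: list) -> list:
    """Indicator 1: 4624 success entries where the Security ID is not the one
    the directory holds for the named account. Accounts missing from the
    snapshot are skipped rather than flagged, to avoid noise from stale data."""
    hits = []
    for r in records:
        if r.get("EventID") != "4624" or r.get("Keywords") != "Audit Success":
            continue
        expected = SID_BY_ACCOUNT.get(r.get("AccountName", ""))
        if expected is not None and r.get("SecurityID") != expected:
            hits.append(r)
    return hits


def post_patch_attempts(records: list) -> list:
    """Indicator 2: 4769 failure audits carrying error code 0xF."""
    return [
        r for r in records
        if r.get("EventID") == "4769"
        and r.get("Keywords") == "Audit Failure"
        and r.get("FailureCode", "").lower() == "0xf"
    ]


def scan(log_text: str) -> dict:
    """Parse a log export and return both indicator lists."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    return {
        "mismatched_logons": mismatched_logons(records),
        "post_patch_attempts": post_patch_attempts(records),
    }


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_LOG).items():
        print(name, [h.get("AccountName") for h in hits])
```

The SID comparison is the part worth adapting to a real environment: the snapshot should come from the directory itself, and, as the text notes, a mismatch check catches only some instances of the attack, so the 0xF failure audits remain the more reliable signal once every domain controller is patched.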
References
Utilizing the Windows 2000 Authorization Data in Kerberos Tickets for Access Control to Resources
Kerberos for the Busy Admin
Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)
Additional information about CVE-2014-6324