Researchers have discovered a vulnerability
in the remote procedure calls (RPC) for the Windows Server service, which could
allow an attacker to gain control over the domain controller (DC) in a specific
network configuration and execute remote code.
Malicious actors could also exploit the
vulnerability to modify a server’s certificate mapping to perform server
spoofing.
Vulnerability CVE-2022-30216,
which exists in unpatched Windows 11 and Windows Server 2022 machines, was
addressed in July’s Patch Tuesday, but a report
from Akamai researcher Ben Barnes, who discovered the vulnerability, offers
technical details on the bug.
The full attack flow provides full control
over the DC, its services, and data.
Proof of Concept Exploit for Remote
Code Execution
The vulnerability was found in SMB over QUIC,
a transport-layer network protocol, which enables communication with the
server. It allows connections to network resources such as files, shares, and
printers. Credentials are also exposed based on belief that the receiving
system can be trusted.
The bug could allow a malicious actor authenticated
as a domain user to replace files on the SMB server and serve them to
connecting clients, according to Akamai. In a proof of concept, researchers
exploited the bug to steal credentials via authentication coercion.
Specifically, they set up an NTLM
relay attack. Now deprecated, NTLM uses a weak authentication protocol that
can easily reveal credentials and session keys. In a relay attack, bad actors
can capture an authentication and relay it to another server — which they can
then use to authenticate to the remote server with the compromised user’s
privileges, providing the ability to move laterally and escalate privileges
within an Active Directory domain.
“The direction we chose was to take
advantage of the authentication coercion,” Akamai security researchers
Ophir Harpaz says. “The specific NTLM relay attack we chose involves
relaying the credentials to the Active Directory CS service, which is
responsible for managing certificates in the network.”
Once the vulnerable function is called, the
victim immediately sends back network credentials to an attacker-controlled
machine. From there, attackers can gain full remote code execution (RCE) on the
victim machine, establishing a launching pad for several other forms of attack
including ransomware,
data exfiltration, and others.
“We chose to attack the Active Directory
domain controller, such that the RCE will be most impactful,” Harpaz adds.
Akamai’s Ben Barnea points out with this
case, and since the vulnerable service is a core service on every Windows
machine, the ideal recommendation is to patch the vulnerable system.
“Disabling the service is not a feasible
workaround,” he says.
Server Spoofing Leads to Credential
Theft
Bud Broomhead, CEO at Viakoo, says in terms
of negative impact to organizations, server spoofing is also possible with this
bug.
“Server-spoofing adds additional threats
to the organization, including man-in-the-middle attacks, data exfiltration,
data tampering, remote code execution, and other exploits,” he adds.
A common example of this can be seen with
Internet of Things (IoT) devices tied to Windows application servers; e.g., IP
cameras all connected to a Windows server hosting the video management
application.
“Often IoT devices are set up using the
same passwords; gain access to one, you’ve gained access to them all,” he
says. “Spoofing of that server can enable data integrity threats,
including planting of deepfakes.”
Broomhead adds that at a basic level, these
exploitation paths are examples of breaching internal system trust — especially
in the case of authentication coercion.
Distributed Workforce Broadens Attack
Surface
Mike Parkin, senior technical engineer at
Vulcan Cyber, says while it doesn’t appear that this issue has yet been
leveraged in the wild, a threat actor successfully spoofing a legitimate and
trusted server, or forcing authentication to an untrusted one, could cause a
host of problems.
“There are a lot of functions that are
based on the ‘trust’ relationship between server and client and spoofing that
would let an attacker leverage any of those relationships,” he notes.
Parkin adds a distributed workforce broadens
the threat surface considerably, which makes it more challenging to properly
control access to protocols that shouldn’t be seen outside the organization’s
local environment.
Broomhead points out rather than the attack
surface being contained neatly in data centers, distributed workforces have
also expanded the attack surface physically and logically.
“Gaining a foothold within the network
is easier with this expanded attack surface, harder to eliminate, and provides
potential for spillover into the home or personal networks of employees,”
he says.
From his perspective, maintaining zero trust
or least privileged philosophies reduces the dependence on credentials and the
impact of credentials being stolen.
Parkin adds that reducing the risk from
attacks like this requires minimizing the threat surface, proper internal
access controls, and keeping up to date on patches throughout the environment.
“None of them are a perfect defense, but
they do serve to reduce the risk,” he says.
