greenbone / openvas-smb

SMB module for OpenVAS Scanner
GNU General Public License v2.0

wmic RPC_C_AUTHN_LEVEL_PKT_INTEGRITY support #41

Closed mguend closed 2 years ago

mguend commented 3 years ago

Expected behavior

wmic should be able to use RPC_C_AUTHN_LEVEL_PKT_INTEGRITY

Current behavior

wmic cannot use RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. After update KB5005568 of Windows Server 2019, every wmic query results in an error in the Windows event log. This leads to various problems, such as shorter event logs and heavy load on the event log service. https://docs.microsoft.com/en-us/answers/questions/564347/server-2019-update-kb5005568-sept-2021-forcing-new.html Microsoft plans to make RPC_C_AUTHN_LEVEL_PKT_INTEGRITY mandatory in Q2 2022: https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

Steps to reproduce

  1. Make a query to a Windows Server 2019 system with update KB5005568.
  2. Look for this error message in the event log of the queried system:
     EVENT LOG: System
     EVENT TYPE: Error
     OPCODE: Info
     SOURCE: Microsoft-Windows-DistributedCOM
     EVENT ID: 10036
     USERNAME: DOMAIN\svc.panos.userid
     MESSAGE: The server-side authentication level policy does not allow the user DOMAIN\svc.panos.userid SID (DOMAIN\svc.panos.userid) from address to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

zingaro1972 commented 3 years ago

Hi, is there any news on this question? I tried the same test, but the login/authentication does not work (NT LOGIN DENIED) with the option --use-security-mechanisms="RPC_C_AUTHN_LEVEL_DEFAULT" in the wmic command...

mguend commented 3 years ago

Hi, I ended up using this Python lib and example to create a wmic replacement: https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiquery.py

tofurky commented 2 years ago

It turns out that wmic already can connect using RPC_C_AUTHN_LEVEL_PKT_INTEGRITY; it's just not very straightforward as to how this is specified.

Check the following format string:

https://github.com/greenbone/openvas-smb/blob/50dda90ef4bab5fa3368932f0a2df747ce557f77/samba/lib/com/dcom/main.c#L508

Options can be added to a host specification like so:

//ncacn_ip_tcp:1.2.3.4[sign]

Or the defaults could be changed by modifying the line in lib/com/dcom/main.c to be:

char *bindstr = talloc_asprintf(c, "ncacn_ip_tcp:%s[sign]", server);

There are a couple of other options that can be passed, like 'seal', i.e. [sign,seal], or [spnego] / [ntlm]. See the following for a list of flags: https://github.com/greenbone/openvas-smb/blob/50dda90ef4bab5fa3368932f0a2df747ce557f77/samba/librpc/rpc/dcerpc_util.c#L97-L151

Using sign should work at least as far back as Server 2003, so it's probably safe to make it the default.
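
The comment above describes the `transport:host[option,option]` binding-string syntax and the `sign`/`seal` options. The following is an added example, not code from openvas-smb or Samba: a small stand-alone C parser that accepts the same shape of host specification (with or without the leading `//` that wmic takes), collects the bracketed options, and reports which DCE RPC authentication level the options imply. The option names match the ones mentioned in the thread; the flag bit values, the function names (`parse_binding`, `binding_auth_level`, `binding_meets_dcom_hardening`, `build_signed_binding`) and the `struct binding` layout are this example's own and are not Samba's `DCERPC_*` constants or its `dcerpc_parse_binding()` API. The numeric authentication levels (CONNECT = 2, PKT_INTEGRITY = 5, PKT_PRIVACY = 6) are the standard RPC_C_AUTHN_LEVEL_* values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative flag bits for the bracketed binding options.
 * These are NOT Samba's DCERPC_* values; they only exist for this example. */
enum {
    BIND_SIGN   = 1 << 0,   /* [sign]   -> packet integrity   */
    BIND_SEAL   = 1 << 1,   /* [seal]   -> packet privacy     */
    BIND_SPNEGO = 1 << 2,   /* [spnego] -> negotiate auth type */
    BIND_NTLM   = 1 << 3,   /* [ntlm]   -> force NTLMSSP       */
    BIND_KRB5   = 1 << 4,   /* [krb5]   -> force Kerberos      */
};

/* Standard DCE RPC authentication level numbers (RPC_C_AUTHN_LEVEL_*). */
enum {
    AUTHN_LEVEL_CONNECT       = 2,
    AUTHN_LEVEL_PKT_INTEGRITY = 5,
    AUTHN_LEVEL_PKT_PRIVACY   = 6,
};

struct binding {
    char transport[32];   /* e.g. "ncacn_ip_tcp" */
    char host[256];       /* e.g. "1.2.3.4"      */
    unsigned flags;       /* OR of BIND_* bits   */
};

static const struct { const char *name; unsigned flag; } option_table[] = {
    { "sign",   BIND_SIGN   },
    { "seal",   BIND_SEAL   },
    { "spnego", BIND_SPNEGO },
    { "ntlm",   BIND_NTLM   },
    { "krb5",   BIND_KRB5   },
};

/* Parse "[//]transport:host[opt,opt,...]" into *out.
 * Returns 0 on success, -1 on malformed input or an unknown option. */
int parse_binding(const char *spec, struct binding *out)
{
    memset(out, 0, sizeof *out);
    if (strncmp(spec, "//", 2) == 0)        /* wmic-style "//host" prefix */
        spec += 2;

    const char *colon = strchr(spec, ':');
    if (colon == NULL || colon == spec)
        return -1;                          /* no transport */
    size_t tlen = (size_t)(colon - spec);
    if (tlen >= sizeof out->transport)
        return -1;
    memcpy(out->transport, spec, tlen);
    out->transport[tlen] = '\0';

    const char *host = colon + 1;
    const char *lb = strchr(host, '[');
    size_t hlen = lb ? (size_t)(lb - host) : strlen(host);
    if (hlen == 0 || hlen >= sizeof out->host)
        return -1;                          /* no host, or too long */
    memcpy(out->host, host, hlen);
    out->host[hlen] = '\0';
    if (lb == NULL)
        return 0;                           /* no options: defaults */

    const char *rb = strchr(lb, ']');
    if (rb == NULL || rb[1] != '\0')
        return -1;                          /* unterminated or trailing junk */

    /* Walk the comma-separated option list between the brackets. */
    for (const char *p = lb + 1; p < rb; ) {
        const char *end = memchr(p, ',', (size_t)(rb - p));
        if (end == NULL)
            end = rb;
        size_t n = (size_t)(end - p);
        int found = 0;
        for (size_t i = 0; i < sizeof option_table / sizeof option_table[0]; i++) {
            if (strlen(option_table[i].name) == n &&
                strncmp(p, option_table[i].name, n) == 0) {
                out->flags |= option_table[i].flag;
                found = 1;
                break;
            }
        }
        if (!found)
            return -1;                      /* reject unknown/empty option */
        p = end + 1;
    }
    return 0;
}

/* Authentication level implied by the options: seal > sign > plain connect. */
int binding_auth_level(const struct binding *b)
{
    if (b->flags & BIND_SEAL) return AUTHN_LEVEL_PKT_PRIVACY;
    if (b->flags & BIND_SIGN) return AUTHN_LEVEL_PKT_INTEGRITY;
    return AUTHN_LEVEL_CONNECT;
}

/* The KB5004442 server-side policy requires at least PKT_INTEGRITY. */
int binding_meets_dcom_hardening(const struct binding *b)
{
    return binding_auth_level(b) >= AUTHN_LEVEL_PKT_INTEGRITY;
}

/* Build the signed-by-default form suggested in the thread. */
int build_signed_binding(char *buf, size_t n, const char *server)
{
    return snprintf(buf, n, "ncacn_ip_tcp:%s[sign]", server);
}

int main(void)
{
    /* Constructed sample inputs, not taken from a real scan. */
    const char *specs[] = {
        "//ncacn_ip_tcp:1.2.3.4",
        "//ncacn_ip_tcp:1.2.3.4[sign]",
        "ncacn_ip_tcp:host.example[sign,seal,spnego]",
        "ncacn_ip_tcp:1.2.3.4[bogus]",
    };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        struct binding b;
        if (parse_binding(specs[i], &b) != 0) {
            printf("%-45s -> rejected\n", specs[i]);
            continue;
        }
        printf("%-45s -> level %d, meets hardening: %s\n", specs[i],
               binding_auth_level(&b),
               binding_meets_dcom_hardening(&b) ? "yes" : "no");
    }
    char buf[300];
    build_signed_binding(buf, sizeof buf, "10.0.0.7");
    printf("default with sign: %s\n", buf);
    return 0;
}
```

A plain `ncacn_ip_tcp:host` spec parses to the CONNECT level, which is exactly the case the Event ID 10036 policy rejects; adding `[sign]` lifts it to PKT_INTEGRITY and `[seal]` to PKT_PRIVACY, which is why either satisfies the hardened server. The parser rejects unknown or empty options rather than silently ignoring them, so a typo such as `[sgin]` fails loudly instead of quietly falling back to an unsigned connection.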

jjnicola commented 2 years ago

Thanks for reporting and explaining the solution for the cmd line tool. I have prepared a PR to solve the nasl part, so now the options can be passed to the function via nasl as well.