Zerologon, also known as CVE-2020-1472, has taken the security world by storm over the last several weeks. Initially discovered by researchers at Secura and detailed in a whitepaper released in mid-September, Zerologon, holding a 10/10 CVSS score, is the rare vulnerability that allows any attacker with internal connectivity to a domain controller to elevate to domain administrator access. No previous account compromise or credentials are required, just network access to the target DC.
Microsoft patched the Zerologon vulnerability in a Windows Server security update on August 11, but organizations often take time to apply these updates, leaving themselves vulnerable to attack until they do so. To limit that exploitable window, the Department of Homeland Security’s cybersecurity division issued a rare emergency directive on September 18 requiring federal agencies to patch all domain controllers before September 21 or remove unpatched systems from the network.
So how does Zerologon work? The vulnerability lies in how Microsoft uses the initialization vector for a block-cipher mode (AES-CFB8) employed by the Netlogon protocol that domain controllers run. Among the functionality that relies on Netlogon is the procedure for changing computer account passwords. By sending Netlogon messages containing specially placed zeros to a domain controller, an attacker can authenticate to the domain controller, impersonate the domain controller itself, and set the domain controller’s machine account password to a null (zeroed) value. The attacker can then pillage secrets, including the password hashes for all Active Directory accounts, from the compromised domain controller by connecting to the DC with that null password.
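From the defender's side, the machine account reset described above leaves a trace in the domain controller's Security log: a 4742 "computer account was changed" event whose subject is ANONYMOUS LOGON rather than the DC itself, and, on DCs carrying the August 2020 update, a 5829 event for every vulnerable Netlogon secure channel that was still allowed. The following detection logic is an added example written for this post, not code from Secura, the exploit author or the original article; the sample events and the DC account list are constructed and hypothetical.

```python
"""Flag Windows Security-log events consistent with a Zerologon-style
machine-account password reset. Two rules (added example, not the page's code):
  * 4742 (A computer account was changed) performed by ANONYMOUS LOGON against a
    domain controller's machine account; a legitimate rotation is done by the DC itself.
  * 5829 (vulnerable Netlogon secure channel connection allowed), emitted by DCs
    that have the August 2020 update but are not yet in enforcement mode.
"""

ZEROLOGON_RESET = "zerologon_reset"
VULNERABLE_CHANNEL = "vulnerable_netlogon_channel"

# Constructed sample events (not real captures); keys mirror the Security-log XML fields.
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "RANDY$"},
    {"EventID": 4742, "SubjectUserName": "RANDY$", "TargetUserName": "RANDY$"},   # DC rotating its own password: benign
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "WS01$"},  # not a DC account: outside this rule
    {"EventID": 5829, "SubjectUserName": "", "TargetUserName": "RANDY$"},
    {"EventID": 4624, "SubjectUserName": "alice", "TargetUserName": "alice"},
]

# Hypothetical set of DC machine accounts; in practice enumerate the Domain Controllers OU.
DC_ACCOUNTS = {"RANDY$"}


def classify(event, dc_accounts):
    """Return a finding label for one event, or None if it is not of interest."""
    eid = event.get("EventID")
    subject = event.get("SubjectUserName", "").upper()
    target = event.get("TargetUserName", "").upper()
    dcs = {a.upper() for a in dc_accounts}
    if eid == 4742 and subject == "ANONYMOUS LOGON" and target in dcs:
        return ZEROLOGON_RESET
    if eid == 5829:
        return VULNERABLE_CHANNEL
    return None


def find_indicators(events, dc_accounts=DC_ACCOUNTS):
    """Return [(index, label, target_account)] for every matching event, in log order."""
    hits = []
    for i, ev in enumerate(events):
        label = classify(ev, dc_accounts)
        if label:
            hits.append((i, label, ev.get("TargetUserName", "")))
    return hits


if __name__ == "__main__":
    for idx, label, target in find_indicators(SAMPLE_EVENTS):
        print(f"event[{idx}]: {label} on {target}")
```

A 4742 from ANONYMOUS LOGON against a DC account is worth treating as an incident on its own; the 5829 events tell you which callers will break once enforcement mode is turned on.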
Exploit Demonstration
Several proof-of-concept exploits for Zerologon have been released publicly since Secura’s whitepaper came out. These exploits can be used by security researchers, penetration testers and attackers alike. Schneider Downs tested one of them in our lab. The walkthrough below should demonstrate just how easy it is to take advantage of Zerologon. The code we used to test whether a system is vulnerable was released by Secura (available here), and the exploit code came from Dirk-jan Mollema (available here).
Here’s how the process worked. Once connected to the target network, we checked the unpatched domain controller for vulnerability to Zerologon. This was done by passing two parameters to Secura’s Python script, the NetBIOS name of the target (RANDY) and its IP address.
Success! The script indicated that our target was vulnerable and that exploitation should be possible. The next step was to exploit the vulnerability using Dirk-jan’s exploit code, which set the target domain controller’s machine account password to a null value. We then passed the same two parameters to the exploit code.