0x01 Vulnerability summary
On August 11, 2020, Microsoft issued a security bulletin announcing the Netlogon elevation of privilege vulnerability (CVE-2020-1472). Since August 12, the major security research teams have published advisories on the vulnerability.
The following figure is one vendor's assessment of the vulnerability's impact:
0x02 Vulnerability details
Netlogon is an important Windows component. It authenticates users and machines on the domain network and replicates the database to backup domain controllers. It also maintains the trust relationships between domain members and the domain, between the domain and its domain controllers (DCs), and between DCs across domains.
An elevation of privilege vulnerability exists when an attacker uses the Netlogon Remote Protocol (MS-NRPC) to establish a vulnerable Netlogon secure channel connection to a domain controller. An attacker who successfully exploits the vulnerability can run a specially crafted application on a device on the network without authenticating and obtain administrator rights on the domain controller.
0x03 Affected systems
• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)
• Windows Server 2016
• Windows Server 2016 (Server Core installation)
• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server, version 1903 (Server Core installation)
• Windows Server, version 1909 (Server Core installation)
• Windows Server, version 2004 (Server Core installation)
0x04 Vulnerability verification
Payload:
python3 CVE-2020-1472.py DC-name NetBIOS-name Target-ip
Note: if you do not know the domain controller's DC-name and NetBIOS-name, you can obtain them with an nmap scan of the target:
nmap -A IP
0x05 Repair suggestions
General repair recommendations
Install Microsoft Windows updates promptly and keep Windows automatic updates turned on.
To check for and enable Windows automatic updates on Windows Server / Windows, proceed as follows:
• Click the Start menu and select "Control Panel" in the pop-up menu.
• On the Control Panel page, click "System and Security" to enter the settings.
• In the window that opens, select "Enable or disable automatic updates" under "Windows Update".
• In the settings window, expand the drop-down menu and select "Install updates automatically (recommended)".
Manual update
Use the following link to find the patch that matches your operating system version, then download and install it.
CVE-2020-1472 | NetLogon Elevation of Privilege Vulnerability --> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
Enable DC enforcement mode
For details on enabling DC enforcement mode, please refer to the link below.
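The following PowerShell script is an added example for this section; it is not from the original advisory or from Microsoft. It shows what a domain controller administrator would do before and after turning on enforcement mode: first read the Netlogon secure-channel events (IDs 5827 to 5831 in the System log, as documented by Microsoft for this update) to find devices that still rely on vulnerable connections, then set the documented registry value FullSecureChannelProtection to 1. The function names are this example's own; it assumes it is run as an administrator on a domain controller that already has the CVE-2020-1472 update installed.

```powershell
# Added example (not from the original advisory): audit a domain controller's
# Netlogon secure-channel events, then switch on enforcement mode.
# Event IDs and the registry value are the ones Microsoft documents for
# CVE-2020-1472 (KB4557222); the function names are this example's own.

# Netlogon writes these IDs to the System log (source NETLOGON):
#   5827, 5828  vulnerable connection DENIED (machine account / trust account)
#   5829        vulnerable connection ALLOWED while enforcement is off; fix these devices first
#   5830, 5831  allowed because the account is listed in the group policy
#               "Domain controller: Allow vulnerable Netlogon secure channel connections"
$script:NetlogonEventIds = 5827, 5828, 5829, 5830, 5831
$script:NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonSecureChannelEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = $script:NetlogonEventIds
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

function Show-NetlogonSecureChannelSummary {
    param([int]$Days = 7)
    $events = @(Get-NetlogonSecureChannelEvents -Days $Days)
    if ($events.Count -eq 0) {
        "No Netlogon secure-channel events (5827-5831) in the last $Days days."
        return
    }
    # Count per event ID so the administrator sees at a glance what would break
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{ EventId = $_.Name; Count = $_.Count }
    } | Format-Table -AutoSize

    # Every 5829 event is a device that will be cut off once enforcement is on
    $events | Where-Object Id -eq 5829 |
        Select-Object TimeCreated, Message | Format-List
}

function Get-NetlogonEnforcementState {
    $value = Get-ItemProperty -Path $script:NetlogonKey `
        -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
    if ($null -eq $value) { 'not set (the update default applies)' }
    elseif ($value.FullSecureChannelProtection -eq 1) { 'enforcement ON (1)' }
    else { "enforcement OFF ($($value.FullSecureChannelProtection))" }
}

function Enable-NetlogonEnforcement {
    # SupportsShouldProcess lets the change be previewed with -WhatIf
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($script:NetlogonKey, 'Set FullSecureChannelProtection = 1')) {
        Set-ItemProperty -Path $script:NetlogonKey -Name FullSecureChannelProtection `
            -Value 1 -Type DWord
    }
}

# Typical run on a patched domain controller:
Show-NetlogonSecureChannelSummary -Days 7
"FullSecureChannelProtection: $(Get-NetlogonEnforcementState)"
# Only after the 5829 events have stopped appearing:
# Enable-NetlogonEnforcement -WhatIf
# Enable-NetlogonEnforcement
```

Run the summary on each domain controller, since every DC logs only the connections it handled itself; devices that keep producing event 5829 need their own updates (or vendor fixes for non-Windows systems) before enforcement is switched on, otherwise they will lose their secure channel to the domain.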
0x06 Timeline
2020/8/11 Microsoft issues a security bulletin
2020/8/12 Domestic vendors publish advisories
2020/9/11 Secura publishes its analysis report and PoC
2020/9/16 East Tower Security Academy publishes a vulnerability warning article
0x07 Reference links
https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1472
https://www.secura.com/pathtoimg.php?id=2055
https://github.com/SecuraBV/CVE-2020-1472/
https://github.com/blackarrowsec/redteam-research