Intranet Penetration (64): CVE-2020-1472 NetLogon Privilege Escalation Vulnerability

CVE-2020-1472 NetLogon Privilege Escalation Vulnerability

Vulnerability background

The security bulletin Microsoft released in August 2020 contains a very urgent vulnerability: CVE-2020-1472, the NetLogon privilege escalation vulnerability. To exploit it, an unauthenticated attacker only needs network access to port 135 of the domain controller. The attacker connects to the domain controller over the NetLogon remote protocol and resets the hash of the domain controller's machine account; because that machine account has DCSync permission by default, the attacker can then use it to dump the hashes of every user in the domain and take over the entire domain. The root cause is a flaw in the encryption used by Netlogon protocol authentication, which lets an attacker pass authentication without any credentials. Once authenticated, the attacker calls the RPC function NetrServerPasswordSet2 of the NetLogon protocol to reset the hash of the domain controller's machine account, and with it takes over the whole domain.
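The reset of the domain controller's machine account password described above leaves traces in the Security event log. The following Python check is an added example, not code from the original post: it assumes events have been extracted from the event XML into dicts with the fields shown, and the sample records are constructed. It flags event 4742 (computer account changed) when the subject is ANONYMOUS LOGON, which is what an unauthenticated NetrServerPasswordSet2 reset looks like, and also surfaces event 5829, which a patched DC logs when it still allows a vulnerable Netlogon secure channel.

```python
"""Spot post-exploitation traces of CVE-2020-1472 in Windows Security events.

Added example (not from the original post). Each event is a dict carrying a
few fields pulled from the event XML; the records below are constructed.
"""

ANONYMOUS = "ANONYMOUS LOGON"

# Constructed sample Security events: a benign self-rotation, a ZeroLogon-style
# reset, a Netlogon audit event from a patched DC, and an admin-driven change.
SAMPLE_EVENTS = [
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "DC01$",
     "SubjectDomainName": "CORP", "TargetUserName": "DC01$"},
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": ANONYMOUS,
     "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$"},
    {"EventID": 5829, "Computer": "DC01.corp.example", "SubjectUserName": "-",
     "SubjectDomainName": "-", "TargetUserName": "FILESRV$"},
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "admin",
     "SubjectDomainName": "CORP", "TargetUserName": "WS17$"},
]


def classify(event):
    """Return (severity, reason) for one event, or None if nothing is notable."""
    eid = event.get("EventID")
    subject = event.get("SubjectUserName", "")
    target = event.get("TargetUserName", "")
    host = event.get("Computer", "?")
    is_machine = target.endswith("$")  # computer accounts end in '$'
    if eid == 4742 and is_machine and subject.upper() == ANONYMOUS:
        # Machine account changed through an anonymous session: the footprint
        # of an unauthenticated NetrServerPasswordSet2 password reset.
        return ("high", f"{target} changed by {ANONYMOUS} on {host}")
    if eid == 5829:
        # Patched DC still allowed a vulnerable Netlogon secure channel;
        # this inventories devices to fix before enforcement mode.
        return ("medium", f"vulnerable Netlogon channel from {target} allowed on {host}")
    if eid == 4742 and is_machine and subject != target:
        # Machines normally rotate their own password; another principal
        # changing it is usually admin activity but deserves a review.
        return ("low", f"{target} changed by {subject} on {host}")
    return None


def find_zerologon_indicators(events):
    """Run classify() over all events and keep only the notable ones."""
    return [hit for hit in (classify(ev) for ev in events) if hit]


if __name__ == "__main__":
    for severity, reason in find_zerologon_indicators(SAMPLE_EVENTS):
        print(severity.upper(), reason)
```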

Vulnerability principle

The vulnerability was discovered by Tom Tervoort, a security researcher at Secura, and by the Chinese security researchers Peng Zhiyong and Li Xuefeng. Tom Tervoort published a white paper detailing the vulnerability's principle and exploitation and named it ZeroLogon. The following is an analysis of how the NetLogon service operates and of the cause of the vulnerability.

1. NetLogon service

The NetLogon service provides a secure channel for authentication within the domain and performs various tasks related to authenticating domain users and machines; most commonly, it lets users log on to servers with the NTLM protocol. By default, the Netlogon service runs in the background on every machine in the domain, and the service's executable path is C:\Windows\system32\lsass.exe, as shown in the figure:

Source: blog.csdn.net/qq_64973687/article/details/130546009