Zerologon

CSCC LABS
3 min read · Oct 9, 2020


What is Zerologon Vulnerability?

Zerologon, tracked as CVE-2020-1472, is an authentication bypass vulnerability in the Netlogon Remote Protocol (MS-NRPC), a remote procedure call (RPC) interface that Windows uses to authenticate users and computers on domain-based networks. It was described as an elevation of privilege in Netlogon, the protocol that authenticates users against domain controllers. Netlogon was designed for specific tasks such as maintaining relationships between members of domains and the domain administrator, or between multiple domain administrators across one or multiple domains, and replicating the domain controller database.

All federal agencies need to patch a critical privilege escalation flaw that affects Windows servers and could allow hackers to take over Windows networks.

- US Cybersecurity and Infrastructure Security Agency, Friday, September 18

An attacker who exploits the flaw can:

  1. Impersonate the identity of any computer on the network when authenticating against the domain controller.
  2. Disable security features in the Netlogon authentication process.
  3. Change a computer’s password in the domain controller’s Active Directory (a database of all computers joined to the domain, and their passwords).

Zerologon is a privilege escalation vulnerability; Microsoft rates it as critical in the company’s original advisory.

How does it work?

MS-NRPC’s handshake and authentication involve the use of AES-CFB8 (8-bit cipher feedback) mode. This is a more obscure variant of the AES block cipher that is designed to work with blocks of 8 bytes of input instead of the regular 16 bytes (128-bit).

Bypassing authentication in this case means the attacker can trick a domain controller into believing it is communicating with a certain authenticated user without actually knowing that user’s real password. This is only the first step in the exploit chain. The next step is to disable signing and sealing (encryption of the communication channel), which is optional and controlled by the client, because the server will not refuse clients that do not request encryption. Finally, the attacker can request a password change for the account they impersonate. This changes the password stored in the network’s Active Directory, not the password stored on the local PC.
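To make the cryptographic point above concrete, here is an added example (not code from the original post) of the CFB8 construction with a toy block cipher standing in for AES: with an all-zero IV and all-zero plaintext, the entire ciphertext is all zeros whenever the first keystream byte is zero, which is the case for roughly 1 in 256 keys. The `toy_block_cipher` (a SHA-256 based stand-in) and the sample keys are constructed assumptions; the structural argument is the same for real AES.

```python
"""CFB8 with a zero IV: why the outcome depends on a single keystream byte.
Added example with a toy block cipher; not AES and not the Netlogon code itself.
"""
import hashlib

BLOCK = 16  # AES block size in bytes


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encrypting one block (constructed PRF, not AES)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: one block-cipher call per plaintext byte. The shift
    register starts as the IV and is fed the ciphertext byte just produced."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = toy_block_cipher(key, bytes(shift))[0]  # only byte 0 used
        c = p ^ keystream_byte
        out.append(c)
        shift = shift[1:] + bytes([c])  # ciphertext feedback
    return bytes(out)


def zero_iv_zero_plaintext_collapses(key: bytes, n: int = 8) -> bool:
    """True when an all-zero IV and all-zero plaintext give all-zero ciphertext.
    If the first keystream byte is 0, the ciphertext byte is 0, the shift
    register stays all zeros, and every later call repeats the same result."""
    ct = cfb8_encrypt(key, bytes(BLOCK), bytes(n))
    return ct == bytes(n)


def fraction_of_collapsing_keys(trials: int) -> float:
    """Estimate P(all-zero ciphertext) over deterministic sample keys 0..trials-1."""
    hits = sum(zero_iv_zero_plaintext_collapses(i.to_bytes(BLOCK, "big"))
               for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    f = fraction_of_collapsing_keys(8192)
    print(f"collapsing keys: {f:.4f} of sample (expected about 1/256 = 0.0039)")
```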

Mitigations

Patching Zerologon is not an easy task for Microsoft, as the company has to modify billions of devices that connect to corporate networks. Microsoft released a temporary fix for the Zerologon attack in August. The company has also released a Python script that tells administrators whether their domain controller has been patched correctly or not. The complete patch is scheduled for February 2021.
