Exploit code for a severe privilege escalation bug in the Netlogon Remote Protocol for Domain Controllers on Windows networks has now been published, and users are advised to apply the August security patch released by Microsoft as soon as possible.
Researchers have developed and published a publicly available exploit for a recently patched Windows vulnerability that can allow access to an organization’s crown jewels—the Active Directory domain controllers that act as an all-powerful gatekeeper for all machines connected to a network.
CVE-2020-1472, as the vulnerability is tracked, carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System. Exploits require that an attacker already have a foothold inside a targeted network, either as an unprivileged insider or through the compromise of a connected device.
The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.
Zerologon works by sending a string of zeros in a series of messages that use the Netlogon protocol, which Windows servers rely on for a variety of tasks, including allowing end users to log in to a network. People with no authentication can use the exploit to gain domain administrative credentials, as long as the attackers have the ability to establish TCP connections with a vulnerable domain controller.1