On Patch Tuesday of last November, Microsoft released advisories to address several vulnerabilities in Active Directory. Analysis of these vulnerabilities showed that by combining CVE-2021-42278 and CVE-2021-42287 it is possible, under default conditions, for a regular user to easily impersonate a domain admin. This means that any domain user can effectively become a domain administrator, which makes these vulnerabilities extremely severe. Moreover, there are already several GitHub repositories with free-to-use PoC code that facilitates the exploitation of these vulnerabilities.
In this post, we will describe how the exploitation of these vulnerabilities works and show how the attack is mitigated by FortiEDR.
Affected Platforms: Windows
Impacted Users: Any organization with an Active Directory environment
Impact: Unprivileged user can escalate privileges to domain administrator
Severity Level: Critical
Computer account names in Active Directory environments should always end with “$”; however, this is not enforced correctly. The computer account name attribute is “sAMAccountName”. It is possible to view and edit this attribute manually using the ADSIEdit tool, as can be seen in Figure 1.
On vulnerable machines it is possible to rename it to a domain controller account name, which is a key step in the exploitation chain.
A service principal name (SPN) is the name that identifies an authenticated entity, for example machinename$@domainname. SPNs are used by Kerberos as part of the authentication procedures of various entities. An SPN is essentially a unique identifier of a service instance, and Kerberos authentication uses it to associate a service instance with a service logon account.
This poses a problem when trying to rename a computer account to a domain controller account name, because changing the “sAMAccountName” attribute triggers a corresponding change to the SPN of the account. The attempt fails because an SPN with this name already exists. To overcome this, it is possible to clear the machine’s “servicePrincipalName” attribute first. As a result, permission to edit the “servicePrincipalName” attribute is also required to exploit this vulnerability.
The Kerberos Key Distribution Center (KDC) is a service of Active Directory that handles Kerberos ticket requests. A Ticket-Granting Ticket, or TGT, is a special type of ticket that can be used to obtain other tickets. The TGT is used to request service tickets from the Ticket Granting Service (TGS) for specific resources or systems in the domain. When a service ticket request is received and the account named in it is not found, the KDC automatically looks up the same name with “$” appended.
S4U2self, or Service for User to Self, is an extension that allows a service to obtain a Kerberos service ticket for itself. The service ticket contains the user's groups and can therefore be used in authorization decisions. All Active Directory terms and full explanations can be found here.
The vulnerability can be triggered in a scenario where a user obtains a TGT, the user account is then removed, and the previously obtained TGT is used to request a service ticket to itself on behalf of another user, which is exactly what S4U2self does. In this case, the user will not be found and a lookup for the user name with “$” appended will be executed. If a domain controller account with that name exists, a service ticket will be granted to the requesting user, making the requesting user a domain administrator.
To exploit this issue, an attacker needs the ability to control a computer account. As mentioned, the attacker needs to be able to modify both the “servicePrincipalName” attribute and “sAMAccountName” attribute. The simplest way to achieve this is to create one. The default configuration in a domain allows an unprivileged user to create up to 10 computer accounts. This is controlled by the MachineAccountQuota attribute.
In summary, the steps to exploit these vulnerabilities to gain domain-administrator privileges are as follows:
1. Enumerate Active Directory to find a domain administrator account.
2. Create a new computer account with cleared “servicePrincipalName”.
3. Leverage CVE-2021-42278 to modify the “sAMAccountName” to the domain administrator account name.
4. Get a TGT of the computer account.
5. Restore the computer account name so it will not be found when the KDC looks for it.
6. Leverage CVE-2021-42287 using the obtained TGT to request a service ticket with S4U2Self.
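Steps 3 and 5 above each change a computer account’s sAMAccountName, and Windows domain controllers record such changes as Security event 4781 (“The name of an account was changed”). The following detection logic is an added example, not part of the original post or of FortiEDR; the event records, host names and domain controller list are constructed for illustration.

```python
# Constructed sample of Windows Security Event ID 4781 records ("The name of an
# account was changed"), reduced to the fields this check needs. The subject,
# host and account names are made up. The 4742 record shows an unrelated event.
SAMPLE_EVENTS = [
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "WS01$", "NewTargetUserName": "DC01"},
    {"EventID": 4781, "SubjectUserName": "hr-admin", "OldTargetUserName": "tsmith", "NewTargetUserName": "t.smith"},
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "DC01", "NewTargetUserName": "WS01$"},
    {"EventID": 4742, "SubjectUserName": "svc-sccm", "TargetUserName": "WS02$"},
]

# Constructed list of domain controller computer accounts (in a real environment,
# enumerate the Domain Controllers OU instead of hard-coding names).
DC_ACCOUNTS = {"DC01$", "DC02$"}


def analyze_rename(event, dc_accounts=DC_ACCOUNTS):
    """Return the reasons a 4781 rename looks like sAMAccountName spoofing (empty if none)."""
    if event.get("EventID") != 4781:
        return []
    old = event["OldTargetUserName"]
    new = event["NewTargetUserName"]
    reasons = []
    # Step 3: a computer account must keep its trailing "$"; dropping it is the first red flag.
    if old.endswith("$") and not new.endswith("$"):
        reasons.append("computer account lost trailing '$'")
    # Step 3: the KDC appends "$" on a failed lookup, so a bare name equal to a DC account
    # name (without "$") resolves to that domain controller.
    candidate = new if new.endswith("$") else new + "$"
    if candidate.upper() in {d.upper() for d in dc_accounts}:
        reasons.append(f"new name collides with domain controller account {candidate}")
    # Step 5: restoring the original name produces a rename in the opposite direction.
    if not old.endswith("$") and new.endswith("$"):
        reasons.append("non-computer name changed back to a computer account name")
    return reasons


def scan(events, dc_accounts=DC_ACCOUNTS):
    """Return (subject, old name, new name, reasons) for every rename worth an analyst's look."""
    hits = []
    for ev in events:
        reasons = analyze_rename(ev, dc_accounts)
        if reasons:
            hits.append((ev["SubjectUserName"], ev["OldTargetUserName"], ev["NewTargetUserName"], reasons))
    return hits


if __name__ == "__main__":
    for subject, old, new, reasons in scan(SAMPLE_EVENTS):
        print(f"{subject}: {old} -> {new}: {'; '.join(reasons)}")
```

The two flagged events come from the same subject within the same sequence, which is the pattern to correlate with a subsequent 4769 service ticket request; a benign user rename produces no hit.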
Implementation of the exploit can be found here. Figure 2, below, shows the execution of the exploit code against a vulnerable server:
The combination of CVE-2021-42278 and CVE-2021-42287 vulnerabilities enables unprivileged users to easily become domain administrators. As a result, we urge organizations to apply Microsoft patches KB5008380 and KB5008602 as soon as possible to mitigate the issue.
FortiEDR is able to detect and block exploitation attempts of CVE-2021-42278 and CVE-2021-42287 vulnerabilities. Moreover, it is also capable of tracing the source of the attack:
FortiGuard IPS protects against these exploits with the following signature:
These exploits are detected and prevented in FortiGuard IPS DB 19.228 (FortiGate, FortiADC, FortiProxy) and FortiEDR 5.0. Please ensure your devices have downloaded the latest protections.
For more detail and information on threat hunting across the Fortinet Security Fabric, please see the FortiGuard Outbreak Alert.