Posted on 12/15/2015 1:41:21 PM PST by dayglored
Security researcher @dfirblog has discovered what he calls a devastating flaw in Windows' Kerberos authentication system.
The flaw cannot be fixed and the only solution is to introduce and use Microsoft's Credential Guard program to prevent passwords from being stored in memory, according to his extensive blog post.
The flaw results from how the third-party authentication system creates secret keys: by using the password associated with a disabled username (krbtgt). That password is rarely changed, making it possible to bypass the authentication system altogether and allow an attacker to grant themselves admin privileges, as well as create secret passwords for existing users and new users that don't exist.
Although some of the entry points are time-limited - the system will seek to validate accounts after 20 minutes - because it is possible to create fake users without limit, it is possible to access a system incessantly.
Kerberos is a default authentication protocol in Windows networks and authentication clients and servers. A flaw in the system noticed last year, for example, would enable an attacker to compromise an entire network, including installing programs and deleting data. This flaw appears to be very similar.
Kerberos, or Cerberus, is a mythical three-headed dog that guarded the underworld. He was outfoxed a few times, sometimes through brute strength, but Orpheus managed to lull the fearsome dog to sleep by playing his lyre before sneaking past.
Access all areas
Dfirblog notes that the secret keys are generated to avoid having to send passwords across the network to authenticate users and are derived from user passwords and stored in memory.
But the secret keys are not salted and use the NT LAN Manager (NTLM) hash of the user as a key, so are relatively easily retrieved. The krbtgt user is created when the system is first installed and is inactive, so it can remain untouched on a system for years - providing ready access to a hacker.
The post then goes into some detail about what can be done once into the system, including adding new users, producing secret second passwords for existing users, and downloading files on the systems to review later.
Dfirblog notes: "Mitigation of most of these attacks is not possible, as this is simply how Kerberos works in the Windows environment ... For the most part, you need to focus on protecting privileged accounts at all costs, because this is what attackers are after and protecting everyone is not possible. The most effective mitigation at the moment seems to be Protected Users group and Credential Guard."
Update: A Microsoft spokesperson has told us in response to the flaw: "We are aware of the Golden Ticket and Pass-the-Hash techniques and encourage customers to follow our guidance at www.microsoft.com/pth to help protect themselves. It is important to be aware that only organizations that already have a fully compromised domain controller are vulnerable to this technique."
Thanks to ShadowAce for the ping!!
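Two of the defensive checks the article implies, as an added example that is not part of the original post or of @dfirblog's work: flagging service-ticket requests (Windows event 4769) for accounts that do not exist in the directory, which is what a forged ticket naming a made-up user looks like to the KDC before its 20-minute re-validation, and measuring how stale the krbtgt password is. The event records, the directory snapshot, the field names and the 180-day rotation threshold are all constructed for illustration, not a real Windows log format or a Microsoft-recommended value.

```python
"""Detection sketch for the Golden Ticket symptoms described above.
Example code added to this thread; events and directory are constructed."""
from datetime import datetime

# Constructed directory snapshot: sAMAccountName -> pwdLastSet.
# krbtgt has not been changed since the domain was built, as the article describes.
DIRECTORY = {
    "krbtgt": datetime(2012, 3, 1),
    "administrator": datetime(2015, 11, 2),
    "alice": datetime(2015, 12, 1),
}

# Constructed 4769-style records (field names are this example's own choice).
EVENTS = [
    {"event_id": 4769, "account": "alice@CORP.LOCAL",
     "service": "cifs/fs01", "client_ip": "10.0.0.5"},
    {"event_id": 4769, "account": "ghost@CORP.LOCAL",      # never created in AD
     "service": "ldap/dc01", "client_ip": "10.0.0.77"},
    {"event_id": 4769, "account": "administrator@CORP.LOCAL",
     "service": "cifs/dc01", "client_ip": "10.0.0.77"},
    {"event_id": 4624, "account": "alice@CORP.LOCAL",      # unrelated logon event
     "client_ip": "10.0.0.5"},
]


def find_unknown_principals(events, directory):
    """Return the 4769 events whose requesting account is absent from the directory.

    A TGT forged with the krbtgt key can carry any user name; the KDC issues
    service tickets for it until it re-validates the account, so a 4769 for a
    name that was never created is a strong signal.
    """
    hits = []
    for event in events:
        if event.get("event_id") != 4769:
            continue
        user = event["account"].split("@", 1)[0].lower()
        if user not in directory:
            hits.append(event)
    return hits


def krbtgt_password_age_days(directory, now):
    """Days since the krbtgt password was last set, from the snapshot."""
    return (now - directory["krbtgt"]).days


def krbtgt_rotation_overdue(directory, now, max_age_days=180):
    """True when krbtgt is older than the assumed rotation policy (180 days here)."""
    return krbtgt_password_age_days(directory, now) > max_age_days


if __name__ == "__main__":
    now = datetime(2015, 12, 15)  # constructed "today" matching the post date
    for hit in find_unknown_principals(EVENTS, DIRECTORY):
        print("unknown principal requested a service ticket:", hit)
    print("krbtgt password age (days):", krbtgt_password_age_days(DIRECTORY, now))
    print("krbtgt rotation overdue:", krbtgt_rotation_overdue(DIRECTORY, now))
```

The unknown-principal check only works against a current account list, so in practice it runs against an LDAP export taken at the same time as the logs; the age check is the cheaper of the two and is worth running on every domain, since the article's point is that krbtgt is rarely rotated.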
Kerberos, or Cerberus, is a mythical three-headed dog that guarded the underworld.
He was named by Hades.
Kerberos means “spotted”.
So yeah:
The god of the Greek underworld named his three-headed guardian dog “Spot”.
Is this just on servers or is it something all users have to worry about?
I assume it's mainly a problem for servers in business network settings (Active Directory authentication for example), and not as much of a problem for your typical home user.
bookmark
Until you read the last line.
If they already own your DC you're screwed anyway.
Yeah, so this is only a problem if your DC is already hijacked lol... well by that point you’ve got a ton of shit to be worried about!
I just had the fun surprise of Windows 10 after about 2 months. One of the updates wiped out the installations of my CAD FEA and CNC software. GREAT!!! And it’s too late to roll it back and the only solution is to upgrade my software...To the tune of $8500. Luckily it’s only one laptop and my old one still works fine.
Back to Windows 7
This admin vulnerability sounds bad. But it sounds to me something Obama is very interested in.
Is it a FLEXLM license issue? I'm kinda worried about that myself.
Taking a peek at the wayback archive shows that MS has known about this since 2014 at least.
Microsoft crud is just to complex to comprehend. It has gotten well away from its authors. Even USB mice don’t work correctly any longer ... I suppose contact bounce isn’t being taught in Microsoft Land any longer.
I get that too. Thought it was just me.
As I understand it Kerberos authentication is only used in enterprise environments.
I think the point is that no vulnerability should be "excused away". Flaws -- regardless of where and what they are -- should get identified, analyzed, and fixed.
I'm sure you're not actually saying that there's no value to fixing the vuln, right?
Depends on your definition of "enterprise". You only need an Active Directory server (domain controller) and half a dozen Windows client machines to consider using Kerberos auth, if you think it makes sense in your network. You don't have to be one of the big guys.
“to complex to comprehend”
I turned on my virus-free pretty clean home W10 and ran a netstat... got 4 or 5 pages of active connections. Half of them don’t make a lick of sense and there’s no info on the web. I just have to go along on faith...