
posted by Fnord666 on Wednesday September 16 2020, @04:47AM   Printer-friendly
from the plugging-the-holes dept.

https://arstechnica.com/information-technology/2020/09/new-windows-exploit-lets-you-instantly-become-admin-have-you-patched/

Researchers have developed and published a proof-of-concept exploit for a recently patched Windows vulnerability that can allow access to an organization's crown jewels—the Active Directory domain controllers that act as an all-powerful gatekeeper for all machines connected to a network.

CVE-2020-1472, as the vulnerability is tracked, carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System. Exploits require that an attacker already have a foothold inside a targeted network, either as an unprivileged insider or through the compromise of a connected device.


  • (Score: 2, Insightful) by aristarchus on Wednesday September 16 2020, @05:25AM

    by aristarchus (2645) on Wednesday September 16 2020, @05:25AM (#1051584) Journal

    Pleonasm: noun. a word that is full of it, a plethora of meaning, over-signification. Redundant. See: Windows vulnerability.

  • (Score: 5, Touché) by nostyle on Wednesday September 16 2020, @05:38AM

    by nostyle (11497) on Wednesday September 16 2020, @05:38AM (#1051586) Journal

    I have spent decades trying to avoid becoming admin on a Windows machine. I don't care how easy you make it.

  • (Score: 3, Interesting) by The Mighty Buzzard on Wednesday September 16 2020, @11:40AM (1 child)

    by The Mighty Buzzard (18) <themightybuzzard@proton.me> on Wednesday September 16 2020, @11:40AM (#1051649) Homepage Journal

    I make it a policy to fire or stop working for, depending on the nature of our business relationship, anyone who insists on Active Directory happening on a job.

    --
    My rights don't end where your fear begins.
    • (Score: 5, Interesting) by JoeMerchant on Wednesday September 16 2020, @12:02PM

      by JoeMerchant (3937) on Wednesday September 16 2020, @12:02PM (#1051653)

      After just 6 months on the job, I managed to steer a 4th generation product design off of Windows OS onto Linux - but couldn't "inspire" the dev team to give up their cozy WPF .NET ecosystem, so a team of 5 of them developed the GUI to run in a VM, while on the Linux side one guy did the signal processing stuff and half a guy did the back end OS things like software updates, file transfer, message passing to the hardware, network interfaces, etc. and three more did embedded systems hardware, wireless comms, etc. I don't want to be in charge, but if I were, I'm pretty sure a team of 3 (who were not resistant to change, good luck finding them) could have developed that same GUI in half the time it took the 5 to get it done in Windows.

      Now, as we expand into networked functionality, marketing informs us that the only thing our customers use for authentication is AD. Luckily, modern AD supports OIDC/OAuth2, so I'm developing that first, but it's entirely possible that the people who buy our products are running AD on outdated servers, and/or running AD in a configuration that our internal security experts call insecure - without OIDC.

      Reading about this vulnerability, it seems like absolute noob stuff: initialize a stream with all zeroes defeating a crypto-shuffler that requires entropy to work. Somebody didn't sanitize their inputs, again.

      --
      Ukraine is still not part of Russia. Glory to Ukraine🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
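The mechanism JoeMerchant alludes to ("initialize a stream with all zeroes") can be shown in a few lines. CVE-2020-1472 comes down to Netlogon encrypting with AES in CFB8 mode from a fixed all-zero IV; the script below is an added illustration for this thread, not code from the article, the commenter, or Microsoft. It implements textbook CFB8 and, so that it runs offline with only the standard library, uses a keyed SHA-256 truncated to 16 bytes as a stand-in for AES-128 (an assumption: the collapse shown here is a property of the mode and the zero IV, not of the block cipher, so it holds for AES as well). The key set and the non-zero IV are constructed, not captured values.

```python
"""
Why CFB8 started from an all-zero IV can be driven with all-zero input.

Added illustration, not code from the article, the commenter, or Microsoft.
The block function is a keyed SHA-256 stand-in for AES-128 (assumption made
so the script runs with the standard library only; the collapse comes from
the mode and the zero IV, not from the block cipher).
"""
import hashlib
from typing import List, Optional, Tuple

BLOCK = 16  # block size in bytes, as for AES-128


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one-block AES encryption (constructed keyed hash, NOT AES)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CFB8: each plaintext byte is XORed with the first byte of
    E(key, register); the register then drops its oldest byte and appends
    the ciphertext byte just produced."""
    assert len(iv) == BLOCK
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(reg))[0]
        c = p ^ keystream_byte
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def collapses(key: bytes, iv: bytes, n: int = 8) -> bool:
    """True if n zero plaintext bytes encrypt to n zero ciphertext bytes."""
    return cfb8_encrypt(key, iv, bytes(n)) == bytes(n)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """The one condition that decides the zero-IV case: E(key, 0^16)[0] == 0.
    If it holds, the ciphertext byte is 0, the register stays all-zero, and
    every following keystream byte is the same zero byte."""
    return block_encrypt(key, bytes(BLOCK))[0] == 0


def constructed_keys(count: int) -> List[bytes]:
    """Constructed, deterministic key set: key_i = i as 16 big-endian bytes.
    The attacker never picks the key; each attempt runs under a fresh unknown
    session key, so it simply retries until one happens to collapse."""
    return [i.to_bytes(BLOCK, "big") for i in range(count)]


def collapse_count(keys: List[bytes], iv: bytes) -> int:
    """How many keys give all-zero ciphertext for all-zero plaintext under iv."""
    return sum(1 for k in keys if collapses(k, iv))


def find_collapsing_key(max_tries: int = 20000) -> Optional[Tuple[int, bytes]]:
    """Walk the constructed key sequence until one collapses under the zero IV;
    returns (number of tries, key). Expected after roughly 256 tries."""
    for i, key in enumerate(constructed_keys(max_tries), start=1):
        if collapses(key, bytes(BLOCK)):
            return i, key
    return None


if __name__ == "__main__":
    keys = constructed_keys(5120)
    zero_iv = bytes(BLOCK)
    # Constructed non-zero IV (stand-in for a random one): no zero bytes, so for
    # the first 8 steps each keystream byte is an independent 1/256 event.
    nonzero_iv = bytes(range(1, BLOCK + 1))
    print("zero IV    :", collapse_count(keys, zero_iv), "of", len(keys),
          "keys collapse (about 1 in 256)")
    print("non-zero IV:", collapse_count(keys, nonzero_iv), "of", len(keys),
          "keys collapse (about 1 in 256**8, i.e. none)")
    found = find_collapsing_key()
    if found:
        print("first collapsing key found after", found[0], "tries")
```

Run it as is; the zero-IV count lands near 20 for 5120 keys, the non-zero-IV count at 0. That one-in-256 success rate per attempt, against a server that does not lock out a computer account, is what turns a cryptographic detail into a practical attack.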
  • (Score: 0) by Anonymous Coward on Friday September 18 2020, @09:45PM

    by Anonymous Coward on Friday September 18 2020, @09:45PM (#1053033)

    It's really more a 'Microsoft Vulnerability'.

    ActiveDirectory is just Microsoft's name for the version of Kerberos they copy-pasted straight out of BSD years ago. It should come as no surprise that long after doing their usual 'embrace-extend' thing that they're not up to date with upstream.

    That's on them.

    For all the guys dissing AD - it does also do *Authorisation* - which is something that Kerberos is actually *NOT FOR*.
    You see, Kerberos is really for Authentication - are you really that account?

    It comes as no surprise that some closed-source code from MSFT might have a massive glaring vulnerability like this. Especially not as it's related to that whole 'extend' thing. They never actually managed the last step with Kerberos -- all the BSDs are quite alive and very healthy, after all. (Being maintained and built by people who *actually use it* and just want to minimise maintenance headaches will do that, every time!)

    But that *was* the MSFT of old. The new management might actually do something half-sane like... track upstream. Rather than sitting way off in some distant fork, like they currently are.

    Kerberos integration is actually quite nice when you configure it properly. Single-Sign on at the machine, and you can get it to do things like automate creation of local accounts, authenticate with everything else on your domain (web servers, but also fileservers, ssh, just about any network service really) in a way that's exactly as secure as you make your Kerberos Domain Controller. User never inputs their password anywhere again - and no web redirects are necessary either. They're just 'already logged in' to everything, on a ticket that will automatically timeout after normally a day or so.

    Obviously, using Windows Server for your KDC so you could run AD is currently a very poor choice, showing bad judgement. It's generally recommended that this one holy server be locked away securely, with no easy physical access, and be doing absolutely nothing other than *just* run the KDC.

    Interesting is that one of the other 'extend' things they did concerns joining computers 'to the domain':
    The 'vanilla' Kerberos thing has you securely share a key, preferably not digitally. The MSFT Way is some kind of network-operating obfuscated-secret, pay-no-attention-to-the-man-behind-the-curtain backdoor for transferring the key for the new 'computer account' which allows it the right to even *talk* to the KDC.

    Which seems like a weak point, subverting as it does the whole concept for how Kerberos Domain Authentication actually works. Hmm.
    I imagine mixing concepts like authentication and authorisation is what got them into this particular mess. Get root on the Domain Controller - have root on *every* computer in the domain. Not actually how you'd want the security to fail, if you had a choice. Sounds a bit brittle to me.
