Security researchers at Preempt discovered and reported two zero-day vulnerabilities in the Windows NTLM security protocols. Both stem from the same theme: two different protocols handling NTLM authentication improperly. The vulnerabilities are particularly important because they could enable an attacker to create new domain administrator accounts even when best-practice controls such as LDAP server signing and RDP Restricted-Admin mode are enabled.
According to Preempt:
“NTLM is a suite of Microsoft security protocols that enables authentication, integrity, and confidentiality for users. NTLM relay is probably the best kept widely known secret of the hacking world. If you ever invited a pen-testing firm to perform a security audit, they were probably able to compromise your network with some sort of NTLM relay attack.”
The first vulnerability, which Microsoft patched as CVE-2017-8563, affects the Lightweight Directory Access Protocol (LDAP), which is not adequately protected against NTLM relay.
The vulnerability could enable an attacker with SYSTEM privileges on a target system to take over incoming NTLM sessions and perform LDAP operations, such as updating domain objects, on behalf of the NTLM user.
“The vulnerability here is that while LDAP signing protects from both Man-in-the-Middle (MitM) and credential forwarding, LDAPS protects from MitM (under certain circumstances) but does not protect from credential forwarding at all. This allows an attacker with SYSTEM privileges on a machine to use any incoming NTLM session and perform the LDAP operations on behalf of the NTLM user. To realize how severe this issue is, we need to realize all Windows protocols use the Windows Authentication API (SSPI) which allows downgrade of an authentication session to NTLM.”
The second NTLM vulnerability affects RDP Restricted-Admin mode, which enables users to connect to a remote computer without giving their password.
“In a remote attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to send malicious traffic to a domain controller. An attacker who successfully exploited this vulnerability could run processes in an elevated context,” Microsoft explained in its advisory.
“The update addresses this vulnerability by incorporating enhancements to authentication protocols designed to mitigate authentication attacks. It revolves around the concept of channel binding information.”
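The two controls the article names as mitigations, LDAP server signing and the channel-binding enforcement introduced with the CVE-2017-8563 update, are both exposed as registry values on a domain controller. The following added example (not code from the article, Preempt, or Microsoft) audits those values; it assumes an elevated session on the DC and treats a missing value as the unhardened default.

```powershell
# Added example: audit a domain controller's LDAP hardening against NTLM relay.
# Both values live under the NTDS Parameters key documented by Microsoft.
# Assumption: an absent value is treated as the weakest (unhardened) setting.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapRelayHardening {
    param([string]$Path = $NtdsParams)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    # LDAPServerIntegrity: 1 = signing not required, 2 = require signing.
    $signing = 1
    if ($null -ne $props.LDAPServerIntegrity) { $signing = [int]$props.LDAPServerIntegrity }

    # LdapEnforceChannelBinding (added by the CVE-2017-8563 update):
    # 0 = never, 1 = when the client supports it, 2 = always.
    $cbt = 0
    if ($null -ne $props.LdapEnforceChannelBinding) { $cbt = [int]$props.LdapEnforceChannelBinding }

    $cbtLabel = switch ($cbt) {
        0       { 'Never' }
        1       { 'WhenSupported' }
        2       { 'Always' }
        default { "Unknown($cbt)" }
    }

    # Signing covers plain LDAP relay; only "Always" channel binding closes the
    # LDAPS credential-forwarding gap the article describes.
    [pscustomobject]@{
        LdapSigningRequired     = ($signing -eq 2)
        ChannelBindingEnforced  = $cbtLabel
        LdapRelayMitigated      = ($signing -eq 2)
        LdapsRelayMitigated     = ($cbt -eq 2)
    }
}

$state = Get-LdapRelayHardening
$state | Format-List

if (-not $state.LdapRelayMitigated)  { Write-Warning 'LDAP signing is not required: plain LDAP is relayable.' }
if (-not $state.LdapsRelayMitigated) { Write-Warning 'Channel binding is not enforced: LDAPS is relayable.' }
```

Changing either value alters client compatibility, so review LDAP signing and channel-binding audit events before moving from reporting to enforcement.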
All Windows users are advised to install the latest updates and patches as soon as possible in order to stay secure.