CVE-2020-1472 | NetLogonÌØȨÌáÉý·ì϶¹«¸æ

°ä²¼¹¦·ò 2020-09-15

 

0x00 ·ì϶¸ÅÊö

CVE   ID

CVE-2020-1472

ʱ    ¼ä

2020-09-15

Àà    ÐÍ


µÈ    ¼¶

¸ßΣ

Ô¶³ÌÀûÓÃ


Ó°ÏìÁìÓò


 

΢ÈíÔÚ2020Äê8ÔÂ11ÈÕÐÇÆÚ¶þ°ä²¼ÀýÐа²È«²¼¸æʱÅû¶£¬µ±¹¥»÷ÕßʹÓÃNetlogonÔ¶³ÌºÍ̸£¨MS-NRP£©£¨ÓÖ³ÆΪ¡° NetlogonÌØȨÌáÉý·ì϶¡±£©´´½¨ÓëÓò½ÚÔìÆ÷µÄÒ×Êܹ¥»÷µÄNetlogon°²È«Í¨Â·ÏνÓʱ£¬½«´æÔÚÌØȨÌáÉý·ì϶ ¡£¸Ã·ì϶¸ú×ÙΪCVE-2020-1472£¬CVSSÆÀ·ÖΪ10·Ö£¬Ó°ÏìÃæ¹ã£¬·ì϶ÀûÓúó¹ûÑϳÁ ¡£

0x01 ·ì϶ÏêÇé

image.png 

 

CVE-2020-1472ÊÇÒ»¸öÌØȨÌáÉý·ì϶£¬ÆäÓÉÓÚ¶ÔNetlogon»á»°Ê¹ÓÃÁ˲»°²È«µÄAES-CFB8¼ÓÃÜ ¡£AES-CFB8³ß¶ÈÒªÇó£¬Ã¿¸ö´¿Îı¾×Ö½Ú£¨ÈçÃÜÂ룩¶¼±ØÐëÓµÓÐËæ»ú»¯µÄ³õʼ»¯ÏòÁ¿£¨IV£©£¬ÒԱ㲻Äܲ²âÃÜÂë ¡£

NetlogonÖеÄComputeNetlogonCredentialº¯Êý½«IVÉèÖÃΪ¹Ì¶¨µÄ16룬ÕâÒâζ׏¥»÷ÕßÄܹ»½ÚÔì½âÃܵÄÎı¾ ¡£µ±³¢ÊÔÏòÓò½ÚÔìÆ÷£¨DC£©½øÐÐÉí·ÝÑé֤ʱ£¬¹¥»÷ÕßÄܹ»ÀûÓôËȱµãÀ´·ÂÕÕÍøÂçÉÏÈκÎÍÆËã»úµÄÉí·Ý ¡£¶øºó¿ÉÄÜ»á²úÉú½øÒ»²½µÄ¹¥»÷£¬Ô̺¬ÆëÈ«½ÚÔìWindowsÓò ¡£´Ë±í£¬¹¥»÷Õß»¹Äܹ»ÔËÐÐImpacketµÄ¡° secretsdump¡±¾ç±¾´ÓÖ¸±êÓò½ÚÔìÆ÷ÌáÈ¡Óû§¹þÏ£Áбí ¡£

ΪÁËÀûÓô˷ì϶£¬¹¥»÷Õß±ØÒª´ÓÓëÖ¸±êÒ»ÑùµÄ¾ÖÓòÍø£¨LAN£©ÉϵÄÍÆËã»úÌáÒé¹¥»÷ ¡£Ò×Êܹ¥»÷µÄ¿Í»§¶Ë»ò¶³öÓÚ»¥ÁªÍøµÄDC×ÔÉíÎÞ·¨ÀûÓà ¡£¸Ã¹¥»÷ÒÔºýŪÐԵǼ¼Ù×°³ÉÕý³£µÄÓòµÇ¼³¢ÊÔ ¡£Active Directory£¨AD£©±ØÒª½«ÏνӵĿͻ§¶Ë¼ø±ðΪÔÚÆäÂß¼­ÍØÆËÖУ¬¶ø±í²¿µØÖ·Ôò²»»á ¡£

image.png 


¸Ã·ì϶ӰÏìÁìÓòÈçÏ£º

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)

Windows Server 2016

Windows Server 2016 (Server Core installation)

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1903 (Server Core installation)

Windows Server, version 1909 (Server Core installation)

Windows Server, version 2004 (Server Core installation)


Ä¿Ç°£¬¸Ã·ì϶µÄPoCÒÑ°ä²¼µ½GitHub ÉÏ£¬Õ⽫ÒýÆðÕû¸ö°²È«ÉçÇøµÄ¿í·ºÐËÖºÍÊÔÑé ¡£ÓÉÓÚ×êÑÐÈËÔ±Ò»ÏòÔÚÖÂÁ¦½øÐгɹ¦µÄ¿ª·¢£¬ÑϳÁÇÒÒýÈËÖõÖ÷ÕÅ·ì϶ÍùÍù¸üÄÜÒýÆð°²È«×êÑÐÈËÔ±ºÍ¹¥»÷ÕßµÄ¿í·º¹Ø×¢ ¡£

0x02 ´ëÖý¨Òé

MicrosoftÔڷֽ׶νâ¾ö´Ë·ì϶ ¡£

³õʼ½×¶Î£º

´Ó2020Äê8ÔÂ11ÈÕ°ä²¼µÄWindows¸üÐÂÆðÍ· ¡£ÕâЩ¸üн«Ê¹Óò½ÚÔìÆ÷£¨DC£©ÔÚĬÈÏÇé¿öϱ£»¤WindowsÉ豸£¬¼Í¼²»Çкϻ®¶¨µÄÉ豸·¢ÏÖµÄÊÂÎñ£¬²¢Äܹ»Ñ¡ÔñÆôÓöÔÓµÓÐÏÔÖøÒì³£µÄËùÓÐÓòÏνÓÉ豸µÄ±£»¤ ¡£

µÚ¶þ½×¶Î£º

ÓÚ2021ÄêµÚÒ»¼¾¶È°ä²¼£¬±ê־ȡ¹ý¶Éµ½Ö´Ðн׶Î ¡£DC½«±»ÖÃÓÚÇ¿Ôìģʽ£¬¸ÃģʽҪÇóËùÓÐWindowsºÍ·ÇWindowsÉ豸¶¼Í¨¹ýNetlogon°²È«Í¨Â·Ê¹Óð²È«µÄÔ¶³Ì¹ý³ÌŲÓã¨RPC£© ¡£

½¨¸´½¨Ò飺

1.Ŀǰ΢Èí¹Ù·½ÒÑ°ä²¼°²È«¸üУ¬½¨ÒéʹÓÃWindows Update½øÐиüР¡£

²¹¶¡Á´½ÓµØÖ·£º

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1472

2.¸Ã·ì϶¿ÉʹÓð²È« RPC À´½â¾ö£¬¾ßÌåÐÅÏ¢Çë²Î¿¼Î¢Èí¹Ù·½Êֲ᣺

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1472

3.¿ÉÔÚDCÉÏ¿ªÆôÇ¿Ôìģʽ ¡£

¾ßÌåÐÅÏ¢Çë²Î¿¼Î¢Èí¹Ù·½Îĵµ£º

¡¶How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472¡·

ÎĵµÁ´½Ó£º

https://support.microsoft.com/zh-cn/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

0x03 ÓйØÐÂÎÅ

https://zh-cn.tenable.com/blog/cve-2020-1472-zerologon-vulnerability-in-netlogon-could-allow-attackers-to-hijack-windows?tns_redirect=true

0x04 ²Î¿¼Á´½Ó

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

https://nvd.nist.gov/vuln/detail/CVE-2020-1472

https://github.com/SecuraBV/CVE-2020-1472

0x05 ¹¦·òÏß

2020-08-11 ΢Èí¹Ù·½°ä²¼·ì϶²¼¸æ

2020-09-15  VSRC°ä²¼°²È«¹«¸æ

 

image.png