[Vulnerability Notice] Windows Active Directory Domain Services Privilege Escalation Vulnerability (CVE-2021-42278)

Published: 2021-12-21


0x00 Vulnerability Overview

CVE ID: CVE-2021-42278
Date: 2021-11-09
Type: Privilege escalation
Severity: High
Remote exploitation: Yes
Affected scope:
Attack complexity: High
Availability impact: High
User interaction: None
Privileges required: Low
PoC/EXP: Public
In-the-wild exploitation:

0x01 Vulnerability Details


On December 20, 2021, Microsoft disclosed details of the Windows Active Directory Domain Services privilege escalation vulnerabilities (CVE-2021-42287 and CVE-2021-42278) and urged customers to patch both promptly. When the two vulnerabilities are chained, an attacker in an Active Directory environment that has not applied the patch can create a direct path to a domain administrator account: after compromising an ordinary domain user, they can easily escalate to domain administrator privileges and ultimately take over the Windows domain.

Both vulnerabilities were fixed in Microsoft's November 9 Patch Tuesday release, and both carry a CVSS score of 7.5. CVE-2021-42278 is a security bypass vulnerability that allows an attacker to impersonate a domain controller through computer account sAMAccountName spoofing (SAM name impersonation). CVE-2021-42287 is a security bypass vulnerability affecting the Kerberos Privilege Attribute Certificate (PAC) that allows an attacker to impersonate a domain controller (KDC spoofing).

On December 11, the details and PoC/EXP for both vulnerabilities were published on the Internet. An authenticated remote attacker can chain the two vulnerabilities to escalate from ordinary user privileges to domain administrator privileges in a default configuration.


Affected Scope

CVE-2021-42287, CVE-2021-42278:

Windows Server, version 20H2 (Server Core Installation)

Windows Server, version 2004 (Server Core installation)

Windows Server 2022 (Server Core installation)

Windows Server 2022

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows Server 2012 R2 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows Server 2012

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

 

0x02 Remediation Recommendations

These vulnerabilities have been fixed in the security updates Microsoft released on November 9. It is recommended to enable Windows automatic updates or to download and install the patches manually.

Download links:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287

 

In addition, Microsoft has shared a step-by-step guide for detecting exploitation of these two vulnerabilities:

1. sAMAccountName change detection is based on Event 4662; make sure it is enabled on domain controllers so that this kind of activity is captured.

2. Open Microsoft 365 Defender and navigate to Advanced Hunting.

3. Copy the following query (also available in the Microsoft 365 Defender GitHub advanced hunting queries) to look for abnormal device name changes:

IdentityDirectoryEvents
| where Timestamp > ago(1d)
| where ActionType == "SAM Account Name changed"
| extend FROMSAM = parse_json(AdditionalFields)['FROM SAM Account Name']
| extend TOSAM = parse_json(AdditionalFields)['TO SAM Account Name']
| where (FROMSAM has "$" and TOSAM !has "$")
        or TOSAM in ("DC1", "DC2", "DC3", "DC4") // DC Names in the org
| project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields

4. Replace the placeholder DC names with your domain controllers' naming convention.

5. Run the query and analyze the results, which contain the affected devices. Windows Event 4741 can be used to find who created these computer accounts (if they were newly created).

6. Investigate these compromised computers and confirm that they have not been weaponized.

7. Make sure the attacked devices are updated using the steps and information detailed in the following knowledge base articles: KB5008102, KB5008380, KB5008602.
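The same detection logic run offline over a few constructed records, as an added Python example that is not Microsoft's code nor part of the original advisory: it applies the query's predicate and one-day window to sample rows shaped like IdentityDirectoryEvents. The column names are taken from the query above; the sample records and the DC names are constructed placeholders.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records mirroring the IdentityDirectoryEvents columns used
# by the Advanced Hunting query above (column names taken from that query).
def _event(ts, action, device, report_id, from_sam, to_sam):
    extra = {"FROM SAM Account Name": from_sam, "TO SAM Account Name": to_sam}
    return {"Timestamp": ts, "ActionType": action, "TargetDeviceName": device,
            "ReportId": report_id, "AdditionalFields": json.dumps(extra)}

SAMPLE_EVENTS = [
    _event("2021-12-20T10:01:00Z", "SAM Account Name changed", "WS01", 1, "WS01$", "DC1"),
    _event("2021-12-20T10:05:00Z", "SAM Account Name changed", "WS02", 2, "WS02$", "WS02-NEW$"),
    _event("2021-12-20T10:07:00Z", "SAM Account Name changed", "WS03", 3, "WS03$", "svc-backup"),
    _event("2021-12-20T10:09:00Z", "Account Password changed", "WS04", 4, "", ""),
    _event("2021-12-18T09:00:00Z", "SAM Account Name changed", "WS05", 5, "WS05$", "DC2"),
]

# Placeholder list: replace with the real domain controller names in the org (step 4).
DC_NAMES = ("DC1", "DC2", "DC3", "DC4")

def _parse_ts(value):
    """Parse the 'Z'-suffixed ISO 8601 timestamps used in the sample records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_suspicious_rename(event, dc_names=DC_NAMES):
    """Same predicate as the query: a computer account (trailing '$') renamed to a
    non-computer name, or any account renamed to a domain controller's name."""
    if event.get("ActionType") != "SAM Account Name changed":
        return False
    fields = json.loads(event.get("AdditionalFields") or "{}")
    from_sam = fields.get("FROM SAM Account Name", "")
    to_sam = fields.get("TO SAM Account Name", "")
    dropped_dollar = from_sam.endswith("$") and not to_sam.endswith("$")
    # sAMAccountName is not case-sensitive in AD, so compare DC names case-insensitively.
    renamed_to_dc = to_sam.upper() in {d.upper() for d in dc_names}
    return dropped_dollar or renamed_to_dc

def hunt(events, now_iso, dc_names=DC_NAMES, lookback=timedelta(days=1)):
    """Apply the query's time window (Timestamp > ago(1d)) and project the hits."""
    cutoff = _parse_ts(now_iso) - lookback
    hits = []
    for ev in events:
        if _parse_ts(ev["Timestamp"]) <= cutoff or not is_suspicious_rename(ev, dc_names):
            continue
        fields = json.loads(ev["AdditionalFields"])
        hits.append({"ReportId": ev["ReportId"], "TargetDeviceName": ev["TargetDeviceName"],
                     "FROMSAM": fields["FROM SAM Account Name"], "TOSAM": fields["TO SAM Account Name"]})
    return hits
```

Each hit's ReportId is the handle to pull the full record, and Event 4741 on the domain controllers then tells you who created the renamed computer account.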

 

0x03 References

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/sam-name-impersonation/ba-p/3042699

https://twitter.com/safe_buffer/status/1469742616505954323

https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e

https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-easy-windows-domain-takeover-via-active-directory-bugs/

 

0x04 Revision History

Version: V1.0
Date: 2021-12-21
Changes: Initial release

0x05 About GA黄金甲

Company profile

GA黄金甲 was founded in 1996 and was listed on the SME Board of the Shenzhen Stock Exchange on June 23, 2010. It is one of the leading domestic providers of information security products, security management platforms, security services and solutions.

The company is headquartered in Zhongguancun Software Park, Beijing, and has more than sixty branches across provinces, municipalities and autonomous regions nationwide, with sales, channel and technical support systems covering the whole country. It operates four R&D centers in North, East, Southwest and South China: the Beijing R&D headquarters and the Shanghai, Chengdu and Guangzhou R&D centers.

For many years, GA黄金甲 has been committed to providing internationally competitive, independently developed security products and best-practice services, helping customers comprehensively improve the security and productivity of their IT infrastructure, and working tirelessly to build and strengthen a leading, internationally recognized national information security brand.

About GA黄金甲

The GA黄金甲 Security Emergency Response Center focuses on early warning and tracking of critical security vulnerabilities and on sharing the latest global threat intelligence and security reports.
