Kerberos in Microsoft Windows - Security Feature Bypass (MS16-101)

2016-09-22 23:05:53

# Exploit Title: Kerberos Security Feature Bypass Vulnerability (Kerberos to NTLM Fallback)
# Date: 22-09-2016
# Exploit Author: Nabeel Ahmed
# Tested on: Windows 7 Professional (x32/x64) and Windows 10 x64
# CVE : CVE-2016-3237
# Category: Local Exploits & Privilege Escalation

SPECIAL CONFIG: Standard Domain Member configuration with password caching enabled (default), BitLocker enabled without PIN or USB key.
REPRODUCE:
Prerequisites:
- Standard Windows 7/10 Fully patched (up until 08/08/2016) and member of an existing domain.
- BitLocker enabled without PIN or USB key.
- Password Caching enabled
- Victim has cached credentials stored on the system from previous logon.

This vulnerability has a similar attack path as MS15-122 and MS16-014 but bypasses the published remediation.

STEP 1: Obtain physical access to a desktop or laptop with the above configuration.
STEP 2: Boot system and determine FQDN of the device. (example. CLIENT.domain.local), this can be obtained by monitoring the network broadcast communication, which the system sends prior to loggin in. The username can be extracted from the loginscreen (E.g USER1)
STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local).
STEP 4: Create User with similar name as the previously logged in user. (E.g domain\USER1), and force user to change password upon next login.
STEP 5: Login on the target machine and proceed to the change login screen.
STEP 6: Disable the following (Inbound) Firewall Rules:
- Kerberos Key Distribution Center - PCR (TCP and UDP)
- Kerberos Key Distribution Center (TCP and UDP)
STEP 7: Change the password. (Changing Password screen will appear to hang)
STEP 8: Wait 1 minute before re-enabling the firewall rules defined in STEP 6
STEP 9: Enable firewall rules again and after a few seconds the password should be successfully changed.
STEP 10: Message "Your Password has been changed" is displayed, followed by the following error message "The trust relationship between this workstation and the primary domain failed."
STEP 11: Disconnect Target system's network connection.
STEP 12: Login with the new changed password.

IMPACT: Access gained to the information stored to the target system without previous knowledge of password or any other information. This could also be used to elevate your privileges to local Administrator.

Reference: Video PoC/Demo can be found here: https://www.youtube.com/watch?v=4vbmBrKRZGA
Reference: Vulnerability discovered by Nabeel Ahmed (@NabeelAhmedBE) of Dimension Data (https://www.dimensiondata.com)


Fixes

No fixes

In order to submit a new fix you need to be registered.