Kerberos Security Feature Bypass Vulnerability (Kerberos to NTLM Fallback)

vendor:

Windows

by:

Nabeel Ahmed

7.5

CVSS

HIGH

Security Feature Bypass

287

CWE

Product Name: Windows

Affected Version From: Windows 7 Professional (x32/x64) and Windows 10 x64

Affected Version To: Up until 08/08/2016

Patch Exists: YES

Related CWE: CVE-2016-3237

CPE: o:microsoft:windows

Metasploit: https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-10244/

Other Scripts:

Platforms Tested: Windows 7 Professional (x32/x64) and Windows 10 x64

2016

Kerberos Security Feature Bypass Vulnerability (Kerberos to NTLM Fallback)

This vulnerability allows an attacker to bypass the Kerberos security feature and fallback to NTLM authentication. By exploiting this vulnerability, an attacker with physical access to a Windows machine can change the password of a user with cached credentials without knowing the current password.

Mitigation:

To mitigate this vulnerability, it is recommended to disable password caching and enforce strong password policies.

Source

Exploit-DB raw data:

# Exploit Title: Kerberos Security Feature Bypass Vulnerability (Kerberos to NTLM Fallback)
# Date: 22-09-2016
# Exploit Author: Nabeel Ahmed
# Tested on: Windows 7 Professional (x32/x64) and Windows 10 x64
# CVE : CVE-2016-3237
# Category: Local Exploits & Privilege Escalation

SPECIAL CONFIG: Standard Domain Member configuration with password caching enabled (default), BitLocker enabled without PIN or USB key.
REPRODUCE:
Prerequisites:
- Standard Windows 7/10 Fully patched (up until 08/08/2016) and member of an existing domain.
- BitLocker enabled without PIN or USB key.
- Password Caching enabled
- Victim has cached credentials stored on the system from previous logon.

This vulnerability has a similar attack path as MS15-122 and MS16-014 but bypasses the published remediation.

STEP 1: Obtain physical access to a desktop or laptop with the above configuration.
STEP 2: Boot system and determine FQDN of the device. (example. CLIENT.domain.local), this can be obtained by monitoring the network broadcast communication, which the system sends prior to loggin in. The username can be extracted from the loginscreen (E.g USER1)
STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local).
STEP 4: Create User with similar name as the previously logged in user. (E.g domain\USER1), and force user to change password upon next login.
STEP 5: Login on the target machine and proceed to the change login screen.
STEP 6: Disable the following (Inbound) Firewall Rules:
- Kerberos Key Distribution Center - PCR (TCP and UDP)
- Kerberos Key Distribution Center (TCP and UDP)
STEP 7: Change the password. (Changing Password screen will appear to hang)
STEP 8: Wait 1 minute before re-enabling the firewall rules defined in STEP 6
STEP 9: Enable firewall rules again and after a few seconds the password should be successfully changed.
STEP 10: Message "Your Password has been changed" is displayed, followed by the following error message "The trust relationship between this workstation and the primary domain failed."
STEP 11: Disconnect Target system's network connection.
STEP 12: Login with the new changed password.

IMPACT: Access gained to the information stored to the target system without previous knowledge of password or any other information. This could also be used to elevate your privileges to local Administrator.

Reference: Video PoC/Demo can be found here: https://www.youtube.com/watch?v=4vbmBrKRZGA
Reference: Vulnerability discovered by Nabeel Ahmed (@NabeelAhmedBE) of Dimension Data (https://www.dimensiondata.com)