Researchers have discovered a vulnerability in the remote procedure calls (RPC) for the Windows Server service, which could allow an attacker to gain control over the domain controller (DC) in a specific network configuration and execute remote code.
Malicious actors could also exploit the vulnerability to modify a server's certificate mapping to perform server spoofing.
Vulnerability CVE-2022-30216, which exists in unpatched Windows 11 and Windows Server 2022 machines, was addressed in July's Patch Tuesday, but a report from Akamai researcher Ben Barnea, who discovered the vulnerability, offers technical details on the bug.
The full attack flow provides full control over the DC, its services, and data.
Proof of Concept Exploit for Remote Code Execution
The vulnerability was found in SMB over QUIC, a transport-layer network protocol, which enables communication with the server. It allows connections to network resources such as files, shares, and printers. Credentials are also exposed based on belief that the receiving system can be trusted.
The bug could allow a malicious actor authenticated as a domain user to replace files on the SMB server and serve them to connecting clients, according to Akamai. In a proof of concept, researchers exploited the bug to steal credentials via authentication coercion.
Specifically, they set up an NTLM relay attack. Now deprecated, NTLM uses a weak authentication protocol that can easily reveal credentials and session keys. In a relay attack, bad actors can capture an authentication and relay it to another server — which they can then use to authenticate to the remote server with the compromised user's privileges, providing the ability to move laterally and escalate privileges within an Active Directory domain.
"The direction we chose was to take advantage of the authentication coercion," Akamai security researchers Ophir Harpaz says. "The specific NTLM relay attack we chose involves relaying the credentials to the Active Directory CS service, which is responsible for managing certificates in the network."
Once the vulnerable function is called, the victim immediately sends back network credentials to an attacker-controlled machine. From there, attackers can gain full remote code execution (RCE) on the victim machine, establishing a launching pad for several other forms of attack including ransomware, data exfiltration, and others.
"We chose to attack the Active Directory domain controller, such that the RCE will be most impactful," Harpaz adds.
Akamai's Ben Barnea points out with this case, and since the vulnerable service is a core service on every Windows machine, the ideal recommendation is to patch the vulnerable system.
"Disabling the service is not a feasible workaround," he says.
Server Spoofing Leads to Credential Theft
Bud Broomhead, CEO at Viakoo, says in terms of negative impact to organizations, server spoofing is also possible with this bug.
"Server-spoofing adds additional threats to the organization, including man-in-the-middle attacks, data exfiltration, data tampering, remote code execution, and other exploits," he adds.
A common example of this can be seen with Internet of Things (IoT) devices tied to Windows application servers; e.g., IP cameras all connected to a Windows server hosting the video management application.
"Often IoT devices are set up using the same passwords; gain access to one, you've gained access to them all," he says. "Spoofing of that server can enable data integrity threats, including planting of deepfakes."
Broomhead adds that at a basic level, these exploitation paths are examples of breaching internal system trust — especially in the case of authentication coercion.
Distributed Workforce Broadens Attack Surface
Mike Parkin, senior technical engineer at Vulcan Cyber, says while it doesn't appear that this issue has yet been leveraged in the wild, a threat actor successfully spoofing a legitimate and trusted server, or forcing authentication to an untrusted one, could cause a host of problems.
"There are a lot of functions that are based on the 'trust' relationship between server and client and spoofing that would let an attacker leverage any of those relationships," he notes.
Parkin adds a distributed workforce broadens the threat surface considerably, which makes it more challenging to properly control access to protocols that shouldn't be seen outside the organization's local environment.
Broomhead points out rather than the attack surface being contained neatly in data centers, distributed workforces have also expanded the attack surface physically and logically.
"Gaining a foothold within the network is easier with this expanded attack surface, harder to eliminate, and provides potential for spillover into the home or personal networks of employees," he says.
From his perspective, maintaining zero trust or least privileged philosophies reduces the dependence on credentials and the impact of credentials being stolen.
Parkin adds that reducing the risk from attacks like this requires minimizing the threat surface, proper internal access controls, and keeping up to date on patches throughout the environment.
"None of them are a perfect defense, but they do serve to reduce the risk," he says.