Microsoft Windows Kerberos - Security Feature Bypass (MS16-101)

🗓️ 22 Sep 2016 00:00:00Reported by Nabeel AhmedType

Microsoft Windows Kerberos security bypass vulnerability. Access gained without previous knowledge of password or any other information

Reporter	Title	Published	Views	Family All 26
0day.today	Kerberos in Microsoft Windows - Security Feature Bypass (MS16-101)	22 Sep 201600:00	–	zdt
Circl	CVE-2016-3237	22 Sep 201600:00	–	circl
CNVD	Microsoft Kerberos Elevation of Privilege Vulnerability	10 Aug 201600:00	–	cnvd
CVE	CVE-2016-3237	9 Aug 201621:00	–	cve
Cvelist	CVE-2016-3237	9 Aug 201621:00	–	cvelist
exploitpack	Microsoft Windows Kerberos - Security Feature Bypass (MS16-101)	22 Sep 201600:00	–	exploitpack
Microsoft KB	MS16-101: Description of the security update for Windows authentication methods: August 9, 2016	9 Aug 201607:00	–	mskb
Microsoft KB	MS16-101: Security update for Windows authentication methods: August 9, 2016	9 Aug 201600:00	–	mskb
Microsoft KB	October 2016 security monthly quality rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1	11 Oct 201607:00	–	mskb
Microsoft KB	October 2016 security monthly quality rollup for Windows 8.1 and Windows Server 2012 R2	11 Oct 201607:00	–	mskb

# Exploit Title: Kerberos Security Feature Bypass Vulnerability (Kerberos to NTLM Fallback)
# Date: 22-09-2016
# Exploit Author: Nabeel Ahmed
# Tested on: Windows 7 Professional (x32/x64) and Windows 10 x64
# CVE : CVE-2016-3237
# Category: Local Exploits & Privilege Escalation

SPECIAL CONFIG: Standard Domain Member configuration with password caching enabled (default), BitLocker enabled without PIN or USB key.
REPRODUCE:
	Prerequisites:
			- Standard Windows 7/10 Fully patched (up until 08/08/2016) and member of an existing domain.
			- BitLocker enabled without PIN or USB key.
			- Password Caching enabled
			- Victim has cached credentials stored on the system from previous logon.

This vulnerability has a similar attack path as MS15-122 and MS16-014 but bypasses the published remediation.

STEP 1: Obtain physical access to a desktop or laptop with the above configuration.
STEP 2: Boot system and determine FQDN of the device. (example. CLIENT.domain.local), this can be obtained by monitoring the network broadcast communication, which the system sends prior to loggin in. The username can be extracted from the loginscreen (E.g USER1)
STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local).
STEP 4: Create User with similar name as the previously logged in user. (E.g domain\USER1), and force user to change password upon next login.
STEP 5: Login on the target machine and proceed to the change login screen.
STEP 6: Disable the following (Inbound) Firewall Rules:
	 - Kerberos Key Distribution Center - PCR (TCP and UDP)
	 - Kerberos Key Distribution Center (TCP and UDP)
STEP 7: Change the password. (Changing Password screen will appear to hang)
STEP 8: Wait 1 minute before re-enabling the firewall rules defined in STEP 6
STEP 9: Enable firewall rules again and after a few seconds the password should be successfully changed.
STEP 10: Message "Your Password has been changed" is displayed, followed by the following error message "The trust relationship between this workstation and the primary domain failed."
STEP 11: Disconnect Target system's network connection.
STEP 12: Login with the new changed password.

IMPACT: Access gained to the information stored to the target system without previous knowledge of password or any other information. This could also be used to elevate your privileges to local Administrator.

Reference: Video PoC/Demo can be found here: https://www.youtube.com/watch?v=4vbmBrKRZGA
Reference: Vulnerability discovered by Nabeel Ahmed (@NabeelAhmedBE) of Dimension Data (https://www.dimensiondata.com)

22 Sep 2016 00:00Current

7.8High risk

Vulners AI Score7.8

CVSS 26.8

CVSS 37.5

EPSS0.24935