02. 01. 2023 Beatrice Dall'Omo Red Team, SEC4U

Focus on the noPac Attack

In December 2021 Microsoft revealed two vulnerabilities concerning an Active Directory Domain Services privilege elevation, classified as CVE-2021-42278 and CVE-2021-42287. By combining the two exploits in the so-called noPac attack, a malicious actor could perform a privilege escalation by impersonating the Domain Administrator after starting out as a standard user. This would lead to a complete domain compromise. The vulnerability critically impacts any systems that have Microsoft Windows Active Directory installed.

CVE-2021-42278 is a Security Account Manager (SAM) spoofing security bypass vulnerability, while CVE-2021-42287 is a privilege escalation vulnerability associated with the Kerberos Privilege Attribute Certificate (PAC) in Active Directory Domain Services. The following paragraphs elaborate on the two vulnerabilities to better understand the noPac attack.

CVE-2021-42278

Microsoft disclosed this vulnerability on November 9th, 2021, and it results from the invalid formatting of a computer name. In Active Directory environments, computer account names should always end with the “$” symbol. Users can see and manually edit these names in the attribute “sAMAccountName” using the ADSI Edit tool as the figure below shows. For privacy reasons we have withheld some information.

An adversary may rename this value to a Domain Controller account omitting the “$” symbol at the end, which is a key step in the exploitation chain of the noPac vulnerability.

CVE-2021-42287

Microsoft disclosed this vulnerability on the same day as the previous one. However, this one lies in the Kerberos Key Distribution Center (KDC) that is responsible for the processing of Kerberos ticket requests. It consists of a security bypass vulnerability that affects the Kerberos PAC and allows potential attackers to impersonate Domain Controllers. A compromised domain user account could cause the creation of a service access token with higher privileges by querying the Ticket Granting Server (TGS).

The Kerberos PAC is an extension to Kerberos tickets that contains useful information about a user’s privileges. A Domain Controller adds the Kerberos PAC to tickets when a user authenticates within an Active Directory Domain.  When users use their Kerberos tickets to authenticate to other systems, the PAC can be read and used to determine their level of privileges without querying the Domain Controller for that information.

How the Attack Works

The exploit of the noPac flaw was first discovered by a GitHub user named Ridter and then confirmed by multiple researchers. 

The noPac attack is performed by chain exploiting the two vulnerabilities. The first one allows an attacker to obtain a compromised domain user account, while the second one makes use of privilege escalation associated with the Kerberos PAC within Active Directory Domain Services. Moreover, in order to carry out the attack, a pair of valid credentials is needed. 

By default, every authenticated user can add up to ten computers to the Domain. The following steps explain how to perform this attack.

  1. Create a new account in Active Directory with a random name and then rename it to one of the Domain Controllers without the trailing “$” symbol.
  2. Request a Kerberos ticket for the created account. Once the ticket is granted, change the name of the account created back to its original name (i.e., the random name chosen in the first step).
  3. Use the ticket to request an access token from the TGS for a specific service. Because of the absence of an account with that name, the TGS chooses the closest match and appends a “$” symbol. In this way, access to the service is granted with Domain Controller privileges.  

Example of a Successful Exploit Attempt

We tried out this attack during a VAPT (Vulnerability Assessment Penetration Test) activity on a customer’s network perimeter. We employed the noPac.py Python tool which is available for free from GitHub

Following the documentation provided, we were able both to impersonate the administrator by getting a Kerberos ticket with administrator privileges (Figure 1), and enter into a semi-interactive shell of the target Active Directory (Figure 2). For privacy reasons we have withheld some information.

Figure 1: Getting a Kerberos Ticket with administrator privileges
Figure 2: Access to the remote shell of the AD machine

Conclusion

The noPac attack is a low-level exploit that can in a few seconds compromise the entire Active Directory environment of a company. In order to mitigate this risk, organizations should apply the latest patches provided by Microsoft to Domain Controllers. Although patching a Domain Controller is not trivial, if even a single one of them remains unpatched, the whole Domain is still vulnerable.

These Solutions are Engineered by Humans

Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find security issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.

Beatrice Dall'Omo

Beatrice Dall'Omo

Red Team & Offensive Security Specialist | Cybersecurity Team | Würth Phoenix

Author

Beatrice Dall'Omo

Red Team & Offensive Security Specialist | Cybersecurity Team | Würth Phoenix

Latest posts by Beatrice Dall'Omo

16. 07. 2024 Blue Team, Red Team, SEC4U
Automate Business Processes with APIs: python-gvm
16. 11. 2023 Red Team, SEC4U
Don’t Do Without EPSS: Vulnerability Prioritization
13. 06. 2023 Red Team, SEC4U
What We Know about the MOVEit Transfer 0-day
17. 03. 2023 Red Team, SEC4U
How to Set Up an Effective Phishing Campaign
See All

Related Content

Tags: , ,

24. 05. 2024 SOCnews

SOC News | May 24 – Patch This Veeam Critical Vulnerability Now

On May 21, Veeam published details about four different vulnerabilities detected in their product Veeam Backup Enterprise Manager (VBEM). One of them is critical and allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface Read More
26. 04. 2024 SOCnews

SOC News | Apr 26 – ArcaneDoor: A New Espionage Campaign

Cisco Talos identified a previously unknown state-sponsored actor behind ArcaneDoor, a sophisticated cyber espionage campaign targeting the perimeter network devices of several vendors. This actor is now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. The Read More
28. 03. 2024 SOCnews

SOC News | Mar 28 – New Vulnerabilities Added to the KEV Catalog

On March 25, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The catalog is updated regularly and contains those vulnerabilities most likely to be used in attacks. Organizations should monitor Read More
11. 03. 2024 SOCnews

SOC News | Mar 11 – JetBrains TeamCity Authentication Bypass Vulnerabilities

On March 4, 2024, JetBrains released TeamCity version 2023.11.4, which patches two authentication bypass vulnerabilities in the web component of TeamCity. These vulnerabilities were discovered in February by Rapid7’s vulnerability research team and allow a remote unauthenticated attacker to perform Read More
16. 11. 2023 Red Team, SEC4U

Don’t Do Without EPSS: Vulnerability Prioritization

Image from https://www.first.org/epss/ During a Vulnerability Remediation process, understanding which vulnerabilities pose a real and significant risk for an organization is not so obvious, and most of the time it involves several different aspects. It takes into consideration several factors Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive