Exploit code for 'Zerologon' bug impacting Windows Netlogon Remote Protocol published on Github

2020-09-16

Researchers have released a proof-of-concept (PoC) exploit for 'Zerologon' Windows vulnerability, which, if left unpatched, could allow an attacker with foothold on the local network to instantly become Domain Admin and enjoy access to an organisation's Active Directory domain controllers.

The PoC exploit for the vulnerability, tracked as , has been published on GitHub by security researcher Dirk-jan Mollenma.

The 'Zerologon' bug was , although the company did not reveal full details of the flaw at the time.

Secura's security expert Tom Tervoort, who is credited for discovering the flaw and reporting it to Microsoft, has now revealing the full impact and execution of the bug.

According to Tervoort, CVE-2020-1472 is an elevation of privilege bug in Netlogon Remote Protocol (MS-NRPC) which is used to authenticate users against domain controllers.

The vulnerability arises due to a flaw in cryptographic algorithm used in the Netlogon authentication process. This flaw lets an attacker to impersonate any computer and run remote procedure calls on their behalf.

To exploit the bug, an attacker must already have a foothold inside a targeted network. From there, they can send a string of zeros in a series of messages using the Netlogon protocol to fill various fields. This enables them to modify the Active Directory stored password of a Domain Controller.

After successfully exploiting the vulnerability, the attackers could run a specially crafted application on a device on the network.

According to Tervoort, the attacker can exploit the bug and gain admin credentials, as long as they are able to establish TCP links with a vulnerable domain controller.

The vulnerability has received the full score of 10 out of 10 on Common Vulnerability Scoring System (CVSS) rating.

Microsoft said last month that it would address the bug in a phased two-part rollout.  These updates will address the vulnerability "by modifying how Netlogon handles the usage of Netlogon secure channels."

Last month, the company released the initial temporary fix for the Zerologon attack.

"Customers who apply the update, or have automatic updates enabled, will be protected," Microsoft said at the time.

The second phase of Windows updates is expected to be available in February next year, and in that update, the enforcement mode for NRP will be turned on by default.

Meanwhile, Secura has published a that admins can use to test if the Domain Controller they use is vulnerable.