Zerologon, a big bad bug of last week, is a flaw that lets you bypass authentication with a zero-length password. It’s a cryptographic hole in the Netlogon protocol used for user and machine authentication on domain-based networks.
Researchers at Secura, a Dutch cybersecurity company, dug into the vulnerability, worked out a number of weaknesses in the unpatched version, and showed how they could be exploited.
Here is a simplified explanation of how Netlogon can be tricked, quoted from Naked Security at Sophos.
Roughly once in every 256 times, the server would randomly concoct a session key for which the correctly-encrypted version of their all-zero … would itself be all zeros.
In other words, by submitting a ClientChallenge of 0000000000000000 and then blindly also submitting a Netlogon Credential Computation (see above) of 0000000000000000, they’d get the credential computation correct by chance 1/256 of the time, even though they had no idea what the right SessionKey value should be because they had no idea what secret password to use.
Simply put, 1/256 of the time, they ended up in a situation where they could always produce correctly-encrypted data to transmit to the server, without having a clue what the password or session key was, as long as they only ever needed to encrypt zeros!
From there, by changing the Active Directory password of the domain controller itself, they were able to extract all user hashes from the domain, including domain administrator hashes that could be used to log into the domain controller and update the computer password stored in the domain controller’s local registry.
In other words, you are completely screwed.
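To see where that 1/256 comes from, here is an added example (not code from Secura, Sophos or Microsoft) that reimplements in Go the Netlogon credential computation the quote refers to, AES-128 in CFB8 mode with the IV fixed at zero, and counts over constructed, counter-derived session keys how often an all-zero ClientChallenge produces an all-zero credential. The function names and the sample keys are this example's own.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// netlogonCredentialAES follows the AES variant of ComputeNetlogonCredential:
// AES-128 in CFB8 mode, keyed with the session key, with the IV fixed at zero.
// Written for this example from the protocol description, not Microsoft's code.
func netlogonCredentialAES(sessionKey [16]byte, challenge [8]byte) [8]byte {
	block, _ := aes.NewCipher(sessionKey[:]) // a 16-byte key is always valid for AES-128
	var iv, ks [16]byte                      // iv stays all-zero while every ciphertext byte is zero
	var out [8]byte
	for i, p := range challenge {
		block.Encrypt(ks[:], iv[:]) // CFB8: encrypt the shift register...
		out[i] = p ^ ks[0]          // ...and use only its first byte as keystream
		copy(iv[:], iv[1:])         // shift the register left by one byte
		iv[15] = out[i]             // and feed the ciphertext byte back in
	}
	return out
}

// zeroCredentialSucceeds reports whether an all-zero ClientChallenge yields an
// all-zero credential, i.e. whether a blind guess of 0000000000000000 is accepted.
// With a zero IV and a zero challenge every step re-encrypts the same zero block,
// so this holds exactly when E_k(0^16) starts with 0x00: about 1 key in 256.
func zeroCredentialSucceeds(sessionKey [16]byte) bool {
	return netlogonCredentialAES(sessionKey, [8]byte{}) == [8]byte{}
}

// countZeroCredentials tries n session keys derived from a counter (constructed
// stand-ins for the server's random keys) and counts how many accept the guess.
func countZeroCredentials(n int) int {
	hits := 0
	for i := 0; i < n; i++ {
		var key [16]byte
		binary.LittleEndian.PutUint64(key[:8], uint64(i))
		if zeroCredentialSucceeds(key) {
			hits++
		}
	}
	return hits
}

func main() {
	n := 65536
	fmt.Printf("%d of %d session keys accept the all-zero credential (expected about %d)\n", countZeroCredentials(n), n, n/256)
}
```

The patched server rejects ClientChallenge values whose first five bytes are identical, which is what closes this path; the count above is only a statistical check of the unpatched computation.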
Luckily, Microsoft had already released a patch for the vulnerability, tracked as CVE-2020-1472, in August 2020, though it didn’t release many details other than the following one-liner.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
If you haven’t done so already, it’s time to install the update and get your Windows Servers patched.
Secura also released a test tool on GitHub that can tell you whether a domain controller is vulnerable.
/Update on Sept. 25, 2020/
There is also another PowerShell script that you can use to validate whether your domain controllers have been patched for Zerologon.