Diving into the announcement

Challenge:

Vulnerabilities are patched in software all the time, and for the most serious ones, researchers work to build proof-of-concept (POC) exploits for them. As defenders, we need to continuously monitor when new public exploits drop, figure out how they work, and ensure we’re protected against them. Recently, Microsoft announced CVE-2020-1472. Your task is to locate a public exploit for it and identify the vulnerable function that the POCs call. The flag will be the function’s name.

Solution:

CVE-2020-1472, a.k.a “ZeroLogon”, was given a CVSS score of 10 and allows an attacker to gain Domain Admin rights on a vulnerable domain controller using the Netlogon Remote Protocol.

The accepted flag was, NetrServerPasswordSet2 but I would argue that the accepted answer should have been ComputeNetlogonCredential. The whitepaper published by Secura describes how the vulnerability is due to the improper implementation of the ComputeNetlogonCredential function. Specifically, the whitepaper describes two versions of the function, an older 2DES scheme and newer AES scheme, and of the newer function, “…it is precisely this newer scheme in which I found the vulnerability”, whereas the call to the NetrServerPasswordSet2 function is performed after the initial exploit.

Published:

Updated:

Leave a comment