CVE-2022–26923 aka Certifried
Description
Active Directory Domain Services Elevation of Privilege Vulnerability.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
This vulnerability enables a low-privileged user to escalate privileges in a default Active Directory environment with Active Directory Certificate Services (AD CS) installed. AD CS is Microsoft’s public key infrastructure (PKI) implementation, which enables the issuing of certificates. Since AD CS is coupled with Active Directory, certificates can be used to authenticate against the KDC via the PKINIT Kerberos extension. The identity of a domain computer account is provided by the DNS name in the certificate.
The owner of a computer account has write permission on the computer's `dNSHostName` property. As a result, it is possible to set it to any existing DNS host name in the domain, which will be the DNS host name in the issued certificate. This certificate can then be used to authenticate against the KDC.
In order to achieve privilege escalation, the DNS host name is set to a valid Domain Controller (DC) host name, resulting in a successful authentication as the DC account. Being able to authenticate as the DC account gives enough privileges to impersonate a Domain Administrator.
Here is a common exploitation workflow:
- Using a low-privileged domain account, create a new computer account in the Active Directory. Note that any domain user is allowed to do so, as long as the user’s `ms-DS-MachineAccountQuota` property is greater than 0 (set to 10 by default).
- Set the newly created computer's `dNSHostName` attribute to match the DC DNS host name.
- Request a certificate for this computer.
- Authenticate as the DC account with this certificate.
- Request a Service Ticket (TGS) impersonating a Domain Administrator account.
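The core indicator of this workflow is a non-DC computer account whose `dNSHostName` no longer corresponds to its own `sAMAccountName` and instead collides with a Domain Controller's name. The following audit routine is an added example, not part of the assessment above or of the Metasploit module it mentions; it runs over constructed records shaped like an LDAP export and assumes every legitimate computer lives under the single DNS suffix passed in.

```python
"""Flag computer accounts whose dNSHostName does not match their own
sAMAccountName, and call out those colliding with a Domain Controller's name.
SAMPLE_COMPUTERS is constructed data in the shape of an LDAP export; in
practice the records would come from ldapsearch or Get-ADComputer."""

# userAccountControl bit set on Domain Controller computer accounts
SERVER_TRUST_ACCOUNT = 0x2000

# Constructed sample: one DC, two ordinary workstations, one suspicious account
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.corp.example",
     "userAccountControl": 0x82000},
    {"sAMAccountName": "WS-ALICE$", "dNSHostName": "ws-alice.corp.example",
     "userAccountControl": 0x1000},
    {"sAMAccountName": "EVILPC$", "dNSHostName": "dc01.corp.example",
     "userAccountControl": 0x1000},
    {"sAMAccountName": "BUILD02$", "dNSHostName": "build-02.corp.example",
     "userAccountControl": 0x1000},
]


def expected_dns_host_name(sam_account_name, dns_suffix):
    """Host name a computer account is expected to carry: sAMAccountName
    without the trailing '$', lower-cased, under the domain's DNS suffix
    (assumption: a single DNS zone for all computer accounts)."""
    return sam_account_name.rstrip("$").lower() + "." + dns_suffix.lower()


def audit_dns_host_names(computers, dns_suffix):
    """Return (sAMAccountName, dNSHostName, reason) for every mismatch.
    A mismatch that equals a DC's dNSHostName on a non-DC account is the
    pattern described for this vulnerability; other mismatches are worth a
    manual review (renamed hosts, multi-zone forests)."""
    dc_names = {c["dNSHostName"].lower() for c in computers
                if c["userAccountControl"] & SERVER_TRUST_ACCOUNT}
    findings = []
    for c in computers:
        sam = c["sAMAccountName"]
        dns = (c.get("dNSHostName") or "").lower()
        is_dc = bool(c["userAccountControl"] & SERVER_TRUST_ACCOUNT)
        if not dns or dns == expected_dns_host_name(sam, dns_suffix):
            continue
        if dns in dc_names and not is_dc:
            findings.append((sam, dns, "collides with a Domain Controller name"))
        else:
            findings.append((sam, dns, "does not match sAMAccountName"))
    return findings


if __name__ == "__main__":
    for finding in audit_dns_host_names(SAMPLE_COMPUTERS, "corp.example"):
        print("%s -> %s: %s" % finding)
```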
This attack has been fully automated in a Metasploit module (still a WIP at the time of writing). The resulting TGS can be used by any Metasploit module and external tools to impersonate a Domain Administrator.
Microsoft released a patch on May 10, 2022.
General Information
Vendors
- Microsoft
Products
- Windows 10 Version 1809
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows 10 Version 1909
- Windows 10 Version 21H1
- Windows Server 2022
- Windows 10 Version 20H2
- Windows Server version 20H2
- Windows 11 version 21H2
- Windows 10 Version 21H2
- Windows 10 Version 1507
- Windows 10 Version 1607
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows 8.1
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)