Critical design flaw in Microsoft’s Active Directory could allow password change
By Jeremy Kirk
Microsoft’s widely used software for brokering network access has a critical design flaw, an Israeli security firm said, but Microsoft contends the issue has been long-known and defenses are in place.
Aorato used public information to craft a proof-of-concept attack that shows how an attacker can change a person’s network password, potentially allowing access to other sensitive systems, said Tal Be’ery, its vice president of research.
“The dire consequences we are discussing—that an attacker can change the password—was definitely not known,” said Be’ery in a phone interview Tuesday.
About 95 percent of Fortune 500 companies use Active Directory, making the problem “highly sensitive,” Aorato wrote on its blog.
The company’s research focuses on NTLM, an authentication protocol that Microsoft has been trying to phase out for years. All Windows versions older than Windows XP SP3 used NTLM as a default, and newer Windows versions are compatible with it in combination with its successor, Kerberos.
NTLM is vulnerable to a so-called “pass-the-hash” attack in which an attacker obtains the login credentials for a computer and can use the mathematical representation of those credentials—called a hash—to access other services or computers.
It’s one of the most popular kinds of attacks since a computer that may not be valuable for the data it stores on its own could enable access to a more sensitive system. U.S.-based retailer Target fell victim to this kind of lateral movement that led to a data breach after hackers gained access to its network via a supplier.
The pass-the-hash attack is a long-known weakness around single sign-on systems (SSO) since the hash must be stored somewhere on a system for some amount of time. Other operating systems that accommodate SSO are also affected by the threat.
Disabling SSO would solve the problem, but it would also mean that users on a network would have to repeatedly enter their password in order to access other systems, which is inconvenient.
“It’s a trade-off,” Be’ery said.
Aorato contends that an attacker can snatch an NTLM hash using publicly available penetration testing tools such as WCE or Mimikatz. It built a proof-of-concept tool that shows how attackers can then change a user’s password to an arbitrary one and access other services such as RDP (remote desktop protocol) or the Outlook web application.
Although some enterprises try to limit the use of the NTLM protocol in favor of Kerberos, an attacker can force a client to authenticate to Active Directory using a weaker encryption protocol, RC4-HMAC, that uses the NTLM hash. That NTLM hash is then accepted by Kerberos, which issues a fresh authentication ticket.
Microsoft implemented Kerberos in order to move away from some of NTLM’s security issues, but Kerberos works with RC4-HMAC to allow for compatibility with older systems.
The company couldn’t immediately be reached for comment, but it acknowledged weaknesses in NTLM in a 2012 technical paper.
In May, Microsoft released a patch which contained improvements that make it harder to steal NTLM hashes. The company has also suggested that organizations use smart cards or disable Kerberos RC4-HMAC support on all domain controllers, but it is possible that could break some functionality.
Be’ery said quirks in Active Directory can cause it to downgrade to NTLM, which makes it hard for organizations to shut it off.
“It’s not really a practical solution,” he said.
For example, if a person is trying to access a network resource using its IP address instead of its name, Active Directory will use NTLM even if the organization is on the latest version of Windows, Be’ery said.
Aorato contends that more could be done around logging events that might indicate malicious behavior, such as specifying the encryption algorithm used for a password change.
“Although Windows had created a relatively verbose Kerberos event logging system, it fails to show the pertinent attack information,” the company wrote. “As a result, the logs lack indication of something fishy going on.”