Description

MS14-068 is a Windows vulnerability in the Key Distribution Center (KDC) service. It allows an authenticated user to insert an arbitrary PAC (a structure that represent all user rights) in its Kerberos ticket (the TGT).

> https://technet.microsoft.com/library/security/ms14-068.aspx

In Windows domains, it permits privilege escalation (usually standard user to domain/enterprise admin)

Technical

The vulnerability is in the Key Distribution Center (KDC - kdcsvc.dll) of domain controllers. An user can obtain tickets by presenting a Kerberos TGT with an altered PAC.
Normally the KDC service detects a PAC alteration by verifying its signature (each KDC knows the secret symmetric key to check it)

The vulnerability: KDC service allows algorithms without keys (like MD4, MD5, SHA1 or CRC32) to be used. It means that any user can forge a PAC without knowing any secret key, and ask the KDC to include it in a ticket.

Workflow

1. (AS-REQ) User authenticates to a KDC, asking a TGT without a PAC.
2. (PAC TIME) User creates a PAC with arbitrary data and seal it with an algorithm without keys (here, MD5).
3. (TGS-REQ) From its TGT, user asks a TGS for service krbtgt (TGT-like) with its fake PAC included.
4. (TGS-REQ) From its TGS, user asks another TGS for service krbtgt (TGT-like) - if vulnerable, fake PAC will be really signed by KDC here!
5. (KRB-CRED) From the final TGS, ticket is converted as KRB-CRED structure (to be saved on disk or injected in LSA)

Step 4. seems to be optional, but is necessary to use a TGT with a PAC well signed with a domain controller not vulnerable (load balancing).

Arguments

Standard

• /domain - the fully qualified domain name of the target (ex: lab.local)
• /user - the username you want to use as authenticated user (any account allowed to logon is OK, ex: utilisateur)

Then you can choose between:

• /password - the password of the user’s account
• /key - the derived key of the user’s account, it can be RC4_HMAC_NT (NTLM), AES128_CTS_HMAC_SHA1_96 or AES256_CTS_HMAC_SHA1_96

By default, /key and /password will be used with RC4_HMAC_NT algorithm, but you can specify /aes128 (AES128_CTS_HMAC_SHA1_96) or /aes256 (AES256_CTS_HMAC_SHA1_96)

Final usage is between:

• /ticket - optional - file name used to write ticket(s) on the disk - default is: tgt.kirbi
• /ptt - optional - Pass The Ticket: no ticket will be written, first good ticket is injected in LSA (NT6 is needed)

Automatically recovered

If not provided, these arguments can be recovered remotely by RPC/CLDAP, in this case: /password is mandatory and /key is not permitted.

• /sid - optional - the domain’s SID (ex: S-1-5-21-1644491937-412668190-839522115)
• /rid - optional - the user’s relative ID (ex: 1105)
• /kdc - optional - the DC you want to use for all queries (ex: dc.lab.local), if not provided, the program will select one automatically, then:
  • test all KDC in the domain
  • when saving ticket in file: save each successful tickets in separate files, named like %dcshortname%.%filename%.kirbi
  • when Pass The Ticket: inject the first successful ticket in LSA then break the loop
  • print a little repport at the end with the number of vulnerable servers vs the total.

Tuning

• /groups - optional - relatives id of groups which the user will belong (first is primary group, comma separator) - default is: 513,512,520,518,519 for the well-known Administrator’s groups.
• /sids - optional - externals SID (externals to the domain) to add.
  • an interesting SID is S-1-5-21-root forest-519 (Enterprise Admins)

Errors

• KDC_ERR_WRONG_REALM (68): bad domain name
• KDC_ERR_PREAUTH_FAILED (24): bad password or key
• KDC_ERR_ETYPE_NOSUPP (14): you try to make AES on 2003 domain functional level (or algorithm is not allowed)
• KDC_ERR_SUMTYPE_NOSUPP (15):
  • NT6 target: KB3011780 patch or > is installed
• KRB_ERR_GENERIC (60):
  • NT5 target: KB3011780 patch or > is installed
  • NT6 target: 2012 server or > is not vulnerable to this program

Others errors:

• ERROR stringToKey ; LocacteCSystem: 80080341: you try to use AES on a NT5 client (RC4 support only), please use a NT6 machine.
• ERROR [...] ; LsaCallAuthenticationPackage KerbSubmitTicketMessage : c000000d: you try to make Pass The Ticket on a NT5 client. Like with mimikatz, it’s a NT6 only feature.

Remarks

• All DC without KB3011780 patch or >, are vulnerable (like all Windows 2000)