Menu
Critical design flaw in Active Directory could allow for a password change

Critical design flaw in Active Directory could allow for a password change

Microsoft contends the general issue has been long-known, but Israel-based Aorato has developed a working attack

Microsoft's widely used software for brokering network access has a critical design flaw, an Israeli security firm said, but Microsoft contends the issue has been long-known and defenses are in place.

Aorato used public information to craft a proof-of-concept attack that shows how an attacker can change a person's network password, potentially allowing access to other sensitive systems, said Tal Be'ery, its vice president of research.

"The dire consequences we are discussing -- that an attacker can change the password -- was definitely not known," said Be'ery in a phone interview Tuesday.

About 95 percent of Fortune 500 companies use Active Directory, making the problem "highly sensitive," Aorato wrote on its blog.

The company's research focuses on NTLM, an authentication protocol that Microsoft has been trying to phase out for years. All Windows versions older than Windows XP SP3 used NTLM as a default, and newer Windows versions are compatible with it in combination with its successor, Kerberos.

NTLM is vulnerable to a so-called "pass-the-hash" attack in which an attacker obtains the login credentials for a computer and can use the mathematical representation of those credentials -- called a hash -- to access other services or computers.

It's one of the most popular kinds of attacks since a computer that may not be valuable for the data it stores on its own could enable access to a more sensitive system. U.S.-based retailer Target fell victim to this kind of lateral movement that led to a data breach after hackers gained access to its network via a supplier.

The pass-the-hash attack is a long-known weakness around single sign-on systems (SSO) since the hash must be stored somewhere on a system for some amount of time. Other operating systems that accommodate SSO are also affected by the threat.

Disabling SSO would solve the problem, but it would also mean that users on a network would have to repeatedly enter their password in order to access other systems, which is inconvenient.

"It's a trade-off," Be'ery said.

Aorato contends that an attacker can snatch an NTLM hash using publicly available penetration testing tools such as WCE or Mimikatz. It built a proof-of-concept tool that shows how attackers can then change a user's password to an arbitrary one and access other services such as RDP (remote desktop protocol) or the Outlook web application.

Although some enterprises try to limit the use of the NTLM protocol in favor of Kerberos, an attacker can force a client to authenticate to Active Directory using a weaker encryption protocol, RC4-HMAC, that uses the NTLM hash. That NTLM hash is then accepted by Kerberos, which issues a fresh authentication ticket.

Microsoft implemented Kerberos in order to move away from some of NTLM's security issues, but Kerberos works with RC4-HMAC to allow for compatibility with older systems.

The company couldn't immediately be reached for comment, but it acknowledged weaknesses in NTLM in a 2012 technical paper.

In May, Microsoft released a patch which contained improvements that make it harder to steal NTLM hashes. The company has also suggested that organizations use smart cards or disable Kerberos RC4-HMAC support on all domain controllers, but it is possible that could break some functionality.

Be'ery said quirks in Active Directory can cause it to downgrade to NTLM, which makes it hard for organizations to shut it off.

"It's not really a practical solution," he said.

For example, if a person is trying to access a network resource using its IP address instead of its name, Active Directory will use NTLM even if the organization is on the latest version of Windows, Be'ery said.

Aorato contends that more could be done around logging events that might indicate malicious behavior, such as specifying the encryption algorithm used for a password change.

"Although Windows had created a relatively verbose Kerberos event logging system, it fails to show the pertinent attack information," the company wrote. "As a result, the logs lack indication of something fishy going on."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityAccess control and authenticationAorato

Featured

Slideshows

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

Revealed at a glitzy bash in Sydney at the Ivy Penthouse, the first StorageCraft Partner Awards locally saw the vendor honour its top-performing partners with ASI Solutions, SMBiT Pro, Webroot, ACA Pacific and Soft Solutions New Zealand taking home the top awards. Photos by Maria Stefina.

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards
Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

​Synnex and Lenovo hosted 18 resellers for an action-packed weekend adventure in RotoVegas, taking in white water rafting on the Kaituna River, as well as quad biking and dinner at Stratosfare​, overlooking Lake Rotorua at the top of Mount Ngongotaha​. Photos by Synnex.

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip
Show Comments