Security Advisory: Targeting AD FS With External Brute-Force Attacks

Posted by Yaron Zinar on Jul 9, 2019 10:06:47 AM

On July 2019 Patch Tuesday, Microsoft released a patch for CVE-2019-1126, an important vulnerability discovered by Preempt Research Labs. The vulnerability discovered leads to security issues that create a wide scale denial-of-service against exposed organizations, and potentially, identity compromise.

While Microsoft only released one patch, we believe there are two vulnerabilities that allow attackers to remotely launch brute-force attacks on AD FS servers from the outside of the network. Attackers can bypass the Extranet Lockout Protection security feature and also bypass the Microsoft AD lockout policy(!) in certain scenarios. The implications vary between account compromise (due to weak passwords) or a massive denial-of-service to all domain accounts. All AD FS versions are vulnerable.

Read the press release

Read More

Topics: password brute force, Security Advisory, ADFS

How to Easily Bypass EPA to Compromise any Web Server that Supports Windows Integrated Authentication

Posted by Yaron Zinar on Jun 11, 2019 9:52:37 AM

As announced in our recent security advisory, Preempt researchers discovered how to bypass the Enhanced Protection for Authentication (EPA) mechanism to successfully launch NTLM relay attacks on any server that supports WIA (Windows Integrated Authentication) over TLS.

Read More

Topics: NTLM, Security Advisory, Microsoft

Drop the MIC - CVE-2019-1040

Posted by Marina Simakov on Jun 11, 2019 9:52:17 AM

As announced in our recent security advisory, Preempt researchers discovered how to bypass the MIC (Message Integrity Code) protection on NTLM authentication and modify any field in the NTLM message flow, including the signing requirement. This bypass allows attackers to relay authentication attempts which have negotiated signing to another server while entirely removing the signing requirement. All servers which do not enforce signing are vulnerable.

Read More

Topics: NTLM, Security Advisory, Microsoft

Your Session Key is My Session Key: How to Retrieve the Session Key for Any Authentication

Posted by Marina Simakov on Jun 11, 2019 9:51:51 AM

As announced in our recent security advisory, Preempt researchers discovered a critical vulnerability which allows attackers to retrieve the session key for any NTLM authentication and establish a signed session against any server. Any domain environment which does not entirely block NTLM traffic is vulnerable.

Read More

Topics: NTLM, Security Advisory, Microsoft

Security Advisory: Critical Vulnerabilities in NTLM Allow Remote Code Execution and Cloud Resources Compromise

Posted by Yaron Zinar on Jun 11, 2019 9:51:20 AM

On June 2019 Patch Tuesday, Microsoft released patches for CVE-2019-1040 and CVE-2019-1019, two vulnerabilities discovered by Preempt researchers. The critical vulnerabilities consist of three logical flaws in NTLM (Microsoft’s proprietary authentication protocol). Preempt researchers were able to bypass all major NTLM protection mechanisms.

Read More

Topics: NTLM, Security Advisory, Microsoft

From Public Key to Exploitation: How We Exploited the Authentication in MS-RDP

Posted by Eyal Karni on Mar 13, 2018 10:05:15 AM

 In March Patch Tuesday, Microsoft released a patch for CVE-2018-0886, a critical vulnerability that was discovered by Preempt. This vulnerability can be classified as a logical remote code execution (RCE) vulnerability. It resembles a classic relay attack, but with a nice twist: It is related to RSA cryptography (and prime numbers) which makes it quite unique and interesting.

Read More

Topics: Multi-factor Authentication, kerberos, Hacking, Black Hat, Security Advisory, Microsoft, RDP

Security Advisory: Critical Vulnerability in CredSSP Allows Remote Code Execution on Servers Through MS-RDP (Video)

Posted by Yaron Zinar on Mar 13, 2018 10:03:36 AM

In March Patch Tuesday, Microsoft released a patch for CVE-2018-0886, a vulnerability discovered by Preempt researchers. The vulnerability consists of a logical flaw in Credential Security Support Provider protocol (CredSSP) which is used by RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) that takes care of securely forwarding credentials to target servers. The vulnerability can be exploited by attackers by employing a man-in-the-middle attack to achieve the ability to run code remotely on previously not infected machines in the attacked network. The vulnerability, in many real-world scenarios where victim network has vulnerable network equipment, could result in an attacker gaining the ability to move laterally in the victim’s network and even infect domain controller with malicious software. No attacks have been detected in the wild by Preempt.

Read More

Topics: kerberos, Hacking, Threat Detection, Security Advisory, Microsoft, CredSSP

Advisory: Flaw in Azure AD Connect Software Can Allow Stealthy Admins to Gain Full Domain Control

Posted by Roman Blachman on Dec 12, 2017 9:42:26 AM

Authors: Roman Blachman, Yaron Zinar.
We recently reviewed a customer’s network and found that 85%(!) of all users in the network had some unnecessary administrative privilege. The excessive privilege stemmed from an indirect inclusion in a
protected admin group. Most Active Directory audit systems easily alert on excessive privileges, but will often miss users who have elevated domain privileges directly through domain discretionary access control list (DACL) configuration. We refer to these users as stealthy admins.

Read More

Topics: Credential Compromise, Stealthy Admin, Azure AD Connect, Security Advisory, Microsoft

New LDAP & RDP Relay Vulnerabilities in NTLM

Posted by Yaron Zinar on Jul 11, 2017 10:01:54 AM

Over the past few months, the Preempt research team discovered and reported two Microsoft NT LAN Manager (NTLM) vulnerabilities. These vulnerabilities have a common theme around two different protocols handling NTLM improperly. These issues are particularly significant as they can potentially allow an attacker to create new domain administrator accounts even when best-practice controls such as LDAP server signing and RDP restricted admin mode are enabled.

Read More

Topics: Domain Controller, NTLM, Hacking, Threat Detection, Security Advisory, Microsoft