Vulnerability Disclosure - Domain Takeover @ Microsoft Windows Active Directory

Kartik Lalan, published in NestedIf, Mar 16, 2023

Status: Open

CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H = 7.6 (High Severity)

Impacted Component: Active Directory Domain

Vulnerability Description: A local administrator user (for instance on a client Win10 machine) can add or update users within the domain the machine is joined to (Domain Controller running Windows Server 2022).

Given the widespread mistake of reusing admin credentials across all systems of a domain network, it becomes very easy to compromise the domain admin without actually knowing the password.

Impact rationale: Full access to the Domain Controller: existing users' passwords can be changed, new users can be added, existing users can be removed, and so on. The audit trail would also show different, unexpected information after the operation.

Exploitability rationale: Conventionally only a domain controller admin would be allowed to perform such privileged operations; however, because the same username/password NTLM hash is reused, any system's local admin is allowed to perform them.

Often, if exploiting any service yields an admin cmd prompt (even without guessing credentials), this attack becomes possible. For example, someone connects to the Win10 machine over VNC, executes the commands listed under Steps To Reproduce from cmd and gains domain access; or, by exploiting a vulnerable desktop app, gains local admin access and runs that command, which eventually yields domain access.

Test Environment Configuration:

- (Win Server 2022) Domain Controller Admin user name: administrator with password Qwerty@123

- (Win 10) Local Admin user name: administrator with password Qwerty@123

- Win10 is joined to the domain created by the Win Server 2022 machine

Steps To Reproduce & Supportive evidence:

  1. From Win10 run elevated cmd via local administrator user
  2. net user newuser Qwerty@123 /domain /add
  3. The above command will return success and the user will be added to the domain. In the same way, the password of any existing user can be updated.

[Screenshot: Command Executed As Local Admin In DC Space]
[Screenshot: SID of Both Local and Domain Admin Users]
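Detection logic for the steps above, as an added example that is not part of the original post: it runs over constructed Windows Security events (4624 logon and 4720/4724 account-management records) and flags account changes performed under an NTLM network logon from a workstation. The event field names follow the Windows Security log; the host names, IP addresses and the set of expected admin hosts are assumptions.

```python
# Added detection example for this post (not the author's code): correlate a DC's
# 4624 logon event with the 4720/4724 account-management event that followed under
# the same Logon ID, and flag changes made through an NTLM network logon from a host
# outside the expected admin set. Events are constructed samples in the shape of
# Windows Security log fields; host names and IP addresses are assumptions.
ACCOUNT_CHANGE_EVENTS = {4720: "user created", 4724: "password reset"}
ADMIN_HOSTS = {"DC01"}  # assumption: hosts where admin work is expected

# Constructed: the post's scenario (net user /domain /add from the Win10 box),
# then a benign console password reset on the DC itself.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetLogonId": "0x3e7a1",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WIN10-CLIENT", "IpAddress": "192.168.1.20"},
    {"EventID": 4720, "SubjectUserName": "Administrator",
     "SubjectLogonId": "0x3e7a1", "TargetUserName": "newuser"},
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetLogonId": "0x5c2",
     "LogonType": 2, "AuthenticationPackageName": "Kerberos",
     "WorkstationName": "DC01", "IpAddress": "127.0.0.1"},
    {"EventID": 4724, "SubjectUserName": "Administrator",
     "SubjectLogonId": "0x5c2", "TargetUserName": "someuser"},
]

def find_suspicious_changes(events, admin_hosts=ADMIN_HOSTS):
    """Return (change_event, logon_event) pairs for account changes performed
    under a network (type 3) NTLM logon from a host not in admin_hosts."""
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    findings = []
    for e in events:
        if e["EventID"] not in ACCOUNT_CHANGE_EVENTS:
            continue
        logon = logons.get(e["SubjectLogonId"])
        if logon is None:
            continue  # no logon session seen for this Logon ID; cannot attribute
        if (logon["LogonType"] == 3
                and logon["AuthenticationPackageName"] == "NTLM"
                and logon["WorkstationName"].upper() not in admin_hosts):
            findings.append((e, logon))
    return findings

def describe(finding):
    change, logon = finding  # one-line alert text for a finding
    return (f"{ACCOUNT_CHANGE_EVENTS[change['EventID']]}: '{change['TargetUserName']}' "
            f"by {change['SubjectUserName']} via NTLM network logon from "
            f"{logon['WorkstationName']} ({logon['IpAddress']})")

if __name__ == "__main__":
    for finding in find_suspicious_changes(SAMPLE_EVENTS):
        print(describe(finding))
```

In a real deployment the same correlation would be run over the DC's exported Security log, with the admin host set taken from the environment's jump hosts.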

Recommendation:

Because IT administrators commonly reuse credentials for ease of remote troubleshooting and policy updates, the local admin of any other system should never be allowed to make changes to domain objects.

Credential reuse is the primary reason this attack works, so while deploying an automated Windows OS image one should be very careful to avoid reuse. Disabling the default local admin might not help, as it can be re-enabled.
