The Zerologon Vulnerability — How to Test it… Safely!
by Süleyman Özarslan, PhD
On the 11th of August 2020, Microsoft released a security update, CVE-2020–1472 | Netlogon Elevation of Privilege Vulnerability, for a critical vulnerability in the Netlogon Remote Protocol (MS-NRPC) in Windows Server operating systems, namely Windows Server 2008 R2, 2012, 2012 R2, 2016, and 2019. Since the exploit payload includes a string of zeros, the vulnerability is also known as “Zerologon”.
An attacker who successfully exploits the vulnerability could elevate their privileges to domain administrator and compromise the domain controller. Accordingly, this vulnerability has a “10.0 CRITICAL” CVSS 3.0 base score. Note that only 3% of vulnerabilities last year had this score. Many vendors and organizations released announcements and directives about the vulnerability, including the US Cybersecurity and Infrastructure Security Agency (CISA) and CERT-EU.
How to test CVE-2020–1472 on Windows?
On the 11th of September 2020, Secura released a testing tool for the vulnerability. This tool is a Python script that attempts to perform the Netlogon authentication. It does not perform any Netlogon operation beyond that authentication attempt, including changing the Domain Administrator password, so it is safe to test the vulnerability with it. The testing script utilizes the Impacket library, but enterprise environments may prevent installing Python or Impacket for security reasons.
Accordingly, we built a packed version of the testing script using auto-py-to-exe, which gathers all Python dependencies into a single directory, so the testing script can be run without installing Python.
We also wrote a PowerShell script to automatically extract and execute the zerologon_tester.exe file for the primary Domain Controller. This script uses:
- the Domain.GetCurrentDomain method (from the .NET System.DirectoryServices.ActiveDirectory namespace) to get the domain object for the current user;
- the Domain.PdcRoleOwner.Name property to get the name of the primary domain controller (PDC) for this domain;
- the Domain.PdcRoleOwner.IPAddress property to get the IP address of the PDC for this domain.
Thanks to the above code, we don’t need to pass the DC name or IP address to this script.
- Copy both zerologon_tester.zip and zerologon_tester.ps1 files from Picus Labs’ GitHub page to a computer in the domain controlled by the target Domain Controller.
- Run the zerologon_tester.ps1 script on the PowerShell console:
Or run the script on the command shell:
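The wrapper script described above, written out as an added example (this is not the Picus zerologon_tester.ps1 itself). It assumes that zerologon_tester.zip sits next to the script and unpacks to a folder containing zerologon_tester.exe, and that the packed tester takes the same two arguments as Secura’s zerologon_tester.py: the DC’s NetBIOS host name and its IP address.

```powershell
# Added example, not the Picus Labs script: find the PDC of the current
# domain and run the packed Secura tester against it.
# Assumptions: zerologon_tester.zip is next to this script and unpacks to a
# folder holding zerologon_tester.exe, which takes "<DC NetBIOS name> <DC IP>".

$ErrorActionPreference = 'Stop'

# Domain.GetCurrentDomain() returns the domain object for the current user
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# PdcRoleOwner is a DomainController object: Name is the PDC's FQDN,
# IPAddress its resolved address
$pdc     = $domain.PdcRoleOwner
$pdcFqdn = $pdc.Name
$pdcIp   = $pdc.IPAddress

# The tester expects the NetBIOS (short) host name, so drop the domain suffix
$pdcShortName = $pdcFqdn.Split('.')[0]

Write-Host "Domain: $($domain.Name)"
Write-Host "PDC:    $pdcFqdn ($pdcIp)"

# Unpack the bundled tester next to this script if that has not been done yet
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$zipPath   = Join-Path $scriptDir 'zerologon_tester.zip'
$outDir    = Join-Path $scriptDir 'zerologon_tester'
$exePath   = Join-Path $outDir 'zerologon_tester.exe'

if (-not (Test-Path $exePath)) {
    Expand-Archive -Path $zipPath -DestinationPath $outDir -Force
}

# Run the check; the tester only attempts the Netlogon authentication and
# reports whether the DC is vulnerable
& $exePath $pdcShortName $pdcIp
Write-Host "zerologon_tester.exe exited with code $LASTEXITCODE"
```

Run it from an elevated or normal PowerShell session on a domain-joined machine; no DC name or address has to be supplied because the PDC is looked up from the current domain. If Expand-Archive is unavailable (Windows PowerShell older than 5.0), unpack the zip by hand into the zerologon_tester folder first.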
As a note, some antivirus engines may flag every exe file generated by PyInstaller as a Trojan (a 10/59 detection rate, from lesser-known antivirus products, as of today).
If you want to test your network for this vulnerability on a Windows system without installing Python and its dependencies, you can use the above tool, which is based on Secura’s Python script.
Picus users have already tested the effectiveness of their security controls against the CVE-2020–1472 “Zerologon” Vulnerability with the following threat in the Picus Threat Library:
474540 Exploitation of Zerologon Vulnerability using Netlogon RPC
- Microsoft Security Response Center, “CVE-2020-1472 security guidance.” [Online]. Available: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472. [Accessed: 21-Sep-2020]
- openspecs-office, “[MS-NRPC]: Netlogon Remote Protocol.” [Online]. Available: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f. [Accessed: 21-Sep-2020]
- “NVD — CVE-2020–1472.” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2020-1472. [Accessed: 21-Sep-2020]
- CISA, “Emergency Directive 20–04.” [Online]. Available: https://cyber.dhs.gov/ed/20-04/. [Accessed: 21-Sep-2020]
- CERT-EU, “Security Advisory CERT-EU-SA2020-046.” [Online]. Available: https://media.cert.europa.eu/static/SecurityAdvisories/2020/CERT-EU-SA2020-046.pdf. [Accessed: 21-Sep-2020]
- SecuraBV, “SecuraBV/CVE-2020–1472.” [Online]. Available: https://github.com/SecuraBV/CVE-2020-1472. [Accessed: 21-Sep-2020]
- picussecurity, “picussecurity/picuslabs.” [Online]. Available: https://github.com/picussecurity/picuslabs. [Accessed: 21-Sep-2020]
Originally published at https://www.picussecurity.com.