How to Safely Test the Zerologon Vulnerability on Windows?

Written by Suleyman Ozarslan, PhD | Sep 21, 2020 4:45:00 PM

On August 11, 2020, Microsoft released a security update for CVE-2020-1472, also known as Zerologon, a critical elevation of privilege flaw in the Netlogon Remote Protocol used by Windows Server 2008 R2, 2012, 2012 R2, 2016, and 2019 [1][2]. The issue stems from cryptographic weaknesses in the Netlogon authentication process, where an attacker can abuse an all-zero challenge to spoof a secure channel and bypass authentication. Because the exploit payload relies on a string of zeros, researchers dubbed the bug Zerologon. Successful exploitation lets an attacker quickly set a domain controller computer account password to a known value, which effectively breaks trust and opens the door to full domain compromise.

If an attacker reaches a vulnerable domain controller from the local network, they can elevate privileges to domain administrator within minutes. The vulnerability carries a CVSS 3.0 base score of 10.0 Critical, a rating assigned to only a small fraction of vulnerabilities in a given year [3]. Due to the severity and ease of exploitation, vendors and government agencies issued urgent guidance. CISA and CERT-EU both published directives and alerts to accelerate patching and to push enterprises to verify that domain controllers were protected [4][5]. Microsoft delivered the fix in phases, with an initial update in August 2020 and an enforcement phase that required secure RPC with Netlogon, closing common downgrade paths.

Recommended actions for defenders:

  • Apply all Microsoft updates for domain controllers and verify that every DC is compliant.

  • Enable secure RPC for Netlogon and review Microsoft’s enforcement guidance to prevent insecure connections.

  • Monitor for attempts to reset machine account passwords on domain controllers, unexpected Netlogon activity, and new administrative logons from unusual hosts.

  • Segment domain controllers, restrict lateral movement paths, and require multifactor authentication for privileged accounts.

  • Run targeted validation to confirm that detections fire and that incident response playbooks cover Zerologon-style abuse.

By patching promptly and enforcing secure Netlogon behavior, organizations can remove this high impact attack path and reduce the risk of rapid domain takeover.
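As an added example (not part of the original post or of the Picus Labs tool), the following PowerShell audits each domain controller for two of the actions above: whether Netlogon enforcement mode is switched on, and whether the DC has recently logged insecure Netlogon secure channel connections. It reads the FullSecureChannelProtection registry value and the NETLOGON System log events (5827, 5828, 5829) that Microsoft's enforcement guidance documents, and it assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and rights to read their System log.

```powershell
# Added example, not part of the original post or the Picus Labs tool.
# Assumes: RSAT ActiveDirectory module, WinRM access to every DC, and
# permission to read each DC's System event log.
Import-Module ActiveDirectory

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$dcs     = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    # FullSecureChannelProtection = 1 forces secure RPC for all Netlogon secure
    # channels (Microsoft's enforcement mode). A missing value means the DC is
    # running with the phased default, so confirm the enforcement-phase update
    # is installed on it.
    $mode = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-ItemProperty -Path $using:regPath -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
    }
    $modeText = if ($null -eq $mode) { 'not set' } else { [string]$mode }

    # Patched DCs write NETLOGON events to the System log:
    #   5827/5828 - insecure connection denied (machine / trust account)
    #   5829      - insecure connection still allowed (vulnerable client present)
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829
        StartTime    = (Get-Date).AddDays(-7)
    }

    [pscustomobject]@{
        DC               = $dc
        EnforcementValue = $modeText
        DeniedLast7d     = @($events | Where-Object { $_.Id -in 5827, 5828 }).Count
        AllowedLast7d    = @($events | Where-Object { $_.Id -eq 5829 }).Count
    }
}

$report | Format-Table -AutoSize
```

A non-zero AllowedLast7d means some client is still negotiating an insecure channel; the 5829 event message names that computer, which should be patched or investigated before enforcement starts denying it.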

How to test CVE-2020-1472 on Windows?

On the 11th of September 2020, Secura released a testing tool [6] for the vulnerability. This tool is a Python script that attempts to perform the Netlogon authentication. It does not perform any Netlogon operation, including changing the Domain Administrator password, so it is safe to test the vulnerability. The testing script utilizes the Impacket library, but enterprise environments may prevent installing Python or Impacket due to security concerns.

Accordingly, we built a packed version of the testing script using auto-py-to-exe, which bundles the script and all of its Python dependencies into a single directory, so the test can be run without installing Python.

We also wrote a PowerShell script to automatically extract and execute the zerologon_tester.exe file against the primary Domain Controller. This script uses the .NET System.DirectoryServices.ActiveDirectory.Domain class:

  • the Domain.GetCurrentDomain method to get the domain object for the current user
  • the Domain.PdcRoleOwner.Name property to get the name of the primary domain controller (PDC) for this domain
  • the Domain.PdcRoleOwner.IPAddress property to get the IP address of the PDC for this domain

Thanks to these calls, the script does not need the DC name or IP address as input.

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extract a zip archive into the given directory
function Unzip
{
  param([string]$zipfile, [string]$outpath)
  [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
}

# Unpack zerologon_tester.zip next to this script
$cur=(Get-Location).Path
Unzip $cur\zerologon_tester.zip $cur

# Locate the primary domain controller of the current domain (NetBIOS name and IP)
$dcname=[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name.split('.')[0]
$dcip=[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.IPAddress
echo "[*] DC: $dcip ($dcname)"

# Run the packed Secura tester against the PDC (authentication attempt only, no password change)
cd $cur\zerologon_tester\
.\zerologon_tester.exe $dcname $dcip

Test Instructions

  • Copy both the zerologon_tester.zip and zerologon_tester.ps1 files from Picus Labs’ GitHub page [7] to a computer in the domain controlled by the target Domain Controller.
  • Run the zerologon_tester.ps1 script from the PowerShell console:

PS C:\temp>.\zerologon_tester.ps1
[*] DC: 192.168.70.4 (DC1)
Performing authentication attempts...
============================================================================================
Success! DC can be fully compromised by a Zerologon attack.

Or run the script on the command shell:

C:\temp>powershell .\zerologon_tester.ps1
[*] DC: 192.168.70.4 (DC1)
Performing authentication attempts...
=========================================================================
Success! DC can be fully compromised by a Zerologon attack.

As a note, some antivirus engines may flag any exe file generated by PyInstaller as a Trojan (10/59 detection rate, from lesser-known antivirus products, as of today).

Conclusion

If you want to test your network for this vulnerability on a Windows system without installing Python and its dependencies, you can use the above tool, which is based on Secura’s Python script.

Picus users have already tested the effectiveness of their security controls against the CVE-2020-1472 “Zerologon” Vulnerability with the following threat in the Picus Threat Library:

474540 Exploitation of Zerologon Vulnerability using Netlogon RPC

References

[1] Microsoft Security Response Center, “CVE-2020-1472 security advisory.” [Online]. Available: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472. [Accessed: 21-Sep-2020]

[2] openspecs-office, “[MS-NRPC]: Netlogon Remote Protocol.” [Online]. Available: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f. [Accessed: 21-Sep-2020]

[3] “NVD - CVE-2020-1472.” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2020-1472. [Accessed: 21-Sep-2020]

[4] “Emergency Directive 20-04.” [Online]. Available: https://cyber.dhs.gov/ed/20-04/. [Accessed: 21-Sep-2020]

[5] CERT-EU, “Security Advisory 2020-046.” [Online]. Available: https://media.cert.europa.eu/static/SecurityAdvisories/2020/CERT-EU-SA2020-046.pdf. [Accessed: 21-Sep-2020]

[6] SecuraBV, “SecuraBV/CVE-2020-1472.” [Online]. Available: https://github.com/SecuraBV/CVE-2020-1472. [Accessed: 21-Sep-2020]

[7] picussecurity, “picussecurity/picuslabs.” [Online]. Available: https://github.com/picussecurity/picuslabs. [Accessed: 21-Sep-2020]