How Does Zerologon Work?
Zerologon arises from a series of errors in Microsoft's implementation of the Netlogon protocol. The first of these is a misuse of cryptography.
In Netlogon, Microsoft used a custom implementation of AES in cipher feedback (CFB) mode that encrypts data one byte at a time (CFB8) instead of in the standard 16-byte blocks. In addition, the initialization vector (IV), which should be random and unique for every session, was hardcoded to a value of zero.
In combination, these two errors made it possible for an attacker to authenticate to Netlogon without knowing the domain password. With probability 1/256, encrypting a value of all zeros under a given key causes the encryption to get “stuck”, so the ciphertext is all zeros as well. Since the final step of authentication is encrypting a client-chosen challenge with the shared session key, an attacker can pass that step with an all-zero challenge even without knowledge of the key.
Beyond allowing false authentication to the service, this issue created an additional problem. Netlogon includes a function that allows the server’s password to be reset. Because this function call fails to check the key values it receives, an attacker can send it a value of all zeros, which “decrypts” to all zeros as well. This resets the server’s password to an empty password.
Resetting the server password does not by itself let the attacker log directly into the server (although a pass-the-hash attack can achieve that). However, they can call functions that dump all of the password hashes held by the vulnerable domain controller. These hashes can then be cracked offline, and, because weak and reused passwords are common, an attacker is likely to gain access to at least one user’s account.
The Importance of Implementing Least Privilege
The worst-case scenario with Zerologon is that an attacker uses a pass-the-hash attack to gain Domain Administrator access to the network, which gives the attacker full control over it. However, pass-the-hash attacks are detectable and, ideally, are monitored for and blocked within a network.
The other potential threat, the compromise of a user account, can be nearly as damaging if that user has excessive permissions within the network. An attacker with access to a user’s account can access any system or data that the user can access. If they can access anything and everything, then the fact that the attacker could not gain Domain Administrator access is of little comfort.
Minimizing the potential impact of Zerologon and similar attacks requires implementing least privilege across an organization’s network. Every user should have only the permissions required to perform their role. That way, even if a user’s account is compromised, the potential damage to the organization and its customers is minimized.