Researchers from Core Security were able to exploit a security vulnerability in Windows Group Policy — MS15-011 — that was patched in February by Microsoft.
Nicolas Economou, a senior exploit writer at Core Security, explained in a blog entry last week that Microsoft had in fact fixed the bug, which could allow remote code execution, ultimately giving an attacker total control of an affected system if a user with a domain-configured machine connected to an attacker-controlled network. However, Microsoft’s bulletin was not enough to resolve the issue on its own. To fully resolve the problem, admins would also have needed to properly configure hardened Universal Naming Convention (UNC) paths.
The vulnerability essentially exposed user machines to man-in-the-middle attacks when connecting to a domain, because the client trusted that the domain controller and the group policies it delivered were benign. The fix made client-side machines authenticate the identity of the domain controller using Server Message Block (SMB) signing. That fix was not thorough, however, and Economou was able to bypass Microsoft’s mitigation with a combination of three attacks.
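The two paragraphs above describe the administrative half of the fix: MS15-011 only protects a client once the "Hardened UNC Paths" policy requires mutual authentication and integrity for the SYSVOL and NETLOGON shares that GPO updates are fetched from. The following PowerShell audit script is an added example, not code from Core Security or from the Microsoft bulletin; it reads the policy's registry key (the location and value format Microsoft documents for this policy) and reports whether each share is actually hardened. The function names are the example's own.

```powershell
# Added audit script, not from the Core Security write-up: reports whether the
# "Hardened UNC Paths" policy that Microsoft's MS15-011 guidance calls for is
# enforced for the SYSVOL and NETLOGON shares on the local machine.
# The registry key and the value format are the ones Microsoft documents for
# this policy; the function names are the example's own.

$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# The two shares a GPO update is fetched from. The policy is only meaningful
# if both require mutual authentication (Kerberos, so a rogue server cannot
# pose as the DC) and integrity (SMB signing, so a man-in-the-middle cannot
# alter files such as GptTmpl.inf in transit).
$RequiredPaths = @('\\*\SYSVOL', '\\*\NETLOGON')

# Parse a value string such as "RequireMutualAuthentication=1, RequireIntegrity=1"
# into a hashtable of flag name -> value.
function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    $flags = @{}
    if ([string]::IsNullOrWhiteSpace($Value)) { return $flags }
    foreach ($pair in ($Value -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return $flags
}

# A share counts as hardened only when both flags are explicitly set to 1.
# A missing value, or a value that sets only one of the two, is reported as
# not hardened.
function Test-HardenedPathValue {
    param([string]$Value)
    $flags = ConvertFrom-HardenedPathValue $Value
    return ($flags['RequireMutualAuthentication'] -eq '1') -and
           ($flags['RequireIntegrity'] -eq '1')
}

# Read the policy from the registry and produce one status row per share.
function Get-HardenedUncPathStatus {
    $props = $null
    if (Test-Path -LiteralPath $HardenedPathsKey) {
        $props = Get-ItemProperty -LiteralPath $HardenedPathsKey
    }
    foreach ($path in $RequiredPaths) {
        # Look the value up by its literal name: the name contains '*' and '\',
        # which Get-ItemProperty -Name would interpret as wildcard/path syntax.
        $raw = $null
        if ($props) {
            $p = $props.PSObject.Properties[$path]
            if ($p) { $raw = [string]$p.Value }
        }
        [pscustomobject]@{
            Path     = $path
            Value    = $raw
            Hardened = Test-HardenedPathValue $raw
        }
    }
}

# Usage: run on a domain-joined client; both rows should show Hardened = True.
Get-HardenedUncPathStatus | Format-Table -AutoSize
```

A row with `Hardened = False` means the client will still fetch policy over an unauthenticated, unsigned SMB session to whatever answers for the domain controller, which is exactly the position the man-in-the-middle described below relies on. The setting is normally pushed from Group Policy under Computer Configuration, Administrative Templates, Network, Network Provider, "Hardened UNC Paths"; note that the registry values only take effect on machines that have the MS15-011 update installed, so the presence of the values alone does not prove the client is protected.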
Economou explained that in order to convince a Windows machine to accept a spoofed Group Policy Object (GPO) and modify registry keys as a result, the GPO had to appear to come from a Windows service. He achieved this by finishing the attack with code running on the target as the SYSTEM user.
“One file downloaded in the GPO update is ‘GptTmpl.inf’; it contains a section called ‘[Registry Values]’ where any Windows registry key can be added/changed/deleted,” Economou explained.
After building an ARP (Address Resolution Protocol) spoofer aimed at the default gateway, a port-forwarding rule manager, and a fake SMB server, he was able to deliver the exploit successfully and take complete control of the affected device. Simply put, he carried out an ARP spoofing attack, which placed his attack machine as a man-in-the-middle between the target and the default gateway that connects the target to a domain controller on a different network. Because the client performed no checks on the SMB server it was talking to, the attacker could hand a malicious GPO to the target machine.
In his proof-of-concept, Economou had two computers on the same network and a domain controller on a different network, separated by a default gateway. One computer on the first network is the target and the other is the attacker. Each is directly connected to the default gateway, which is directly connected to the domain controller. The attack machine then ARP-spoofs the target machine. Once that succeeds, the attack machine is in a man-in-the-middle position and all traffic moving from the target machine to the default gateway is intercepted by the attack machine.
When the target requests new GPOs from the domain controller, the attack machine intercepts that request and redirects it to a fake SMB server, which passes the malicious GPO package back to the target machine. At this point, the target machine is owned.