CVE-2020-1472 | NetLogon Elevation of Privilege Vulnerability Advisory

Published: 2020-09-15

 

0x00 Vulnerability Overview

CVE ID: CVE-2020-1472

Date: 2020-09-15

Type: Remote exploitation

Severity: High

Affected scope: see the version list in 0x01


 

Microsoft disclosed this issue in its routine security advisory on Tuesday, August 11, 2020: an elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC); it is also known as the "Netlogon Elevation of Privilege Vulnerability". The vulnerability is tracked as CVE-2020-1472, carries a CVSS score of 10, affects a wide range of systems, and has severe consequences when exploited.

0x01 Vulnerability Details


CVE-2020-1472 is an elevation of privilege vulnerability caused by the insecure use of AES-CFB8 encryption for Netlogon sessions. The AES-CFB8 standard requires that each plaintext byte (such as a password) be encrypted under a randomized initialization vector (IV) so that the password cannot be predicted.

NetlogonÖеÄComputeNetlogonCredentialº¯Êý½«IVÉèÖÃΪÀο¿µÄ16λ £¬£¬£¬£¬£¬ÕâÒâζ׏¥»÷Õß¿ÉÒÔ¿ØÖƽâÃܵÄÎı¾¡£¡£¡£µ±ÊµÑéÏòÓò¿ØÖÆÆ÷£¨DC£©¾ÙÐÐÉí·ÝÑé֤ʱ £¬£¬£¬£¬£¬¹¥»÷Õß¿ÉÒÔʹÓôËȱÏÝÀ´Ä£ÄâÍøÂçÉÏÈκÎÅÌËã»úµÄÉí·Ý¡£¡£¡£È»ºó¿ÉÄܻᱬ·¢½øÒ»²½µÄ¹¥»÷ £¬£¬£¬£¬£¬°üÀ¨ÍêÈ«¿ØÖÆWindowsÓò¡£¡£¡£±ðµÄ £¬£¬£¬£¬£¬¹¥»÷Õß»¹¿ÉÒÔÔËÐÐImpacketµÄ¡° secretsdump¡±¾ç±¾´ÓÄ¿µÄÓò¿ØÖÆÆ÷ÌáÈ¡Óû§¹þÏ£ÁÐ±í¡£¡£¡£

ΪÁËʹÓôËÎó²î £¬£¬£¬£¬£¬¹¥»÷ÕßÐèÒª´ÓÓëÄ¿µÄÏàͬµÄ¾ÖÓòÍø£¨LAN£©ÉϵÄÅÌËã»úÌᳫ¹¥»÷¡£¡£¡£Ò×Êܹ¥»÷µÄ¿Í»§¶Ë»ò̻¶ÓÚ»¥ÁªÍøµÄDC×Ô¼ºÎÞ·¨Ê¹Óᣡ£¡£¸Ã¹¥»÷ÒÔÓÕÆ­ÐԵǼαװ³ÉÕý³£µÄÓòµÇ¼ʵÑé¡£¡£¡£Active Directory£¨AD£©ÐèÒª½«ÅþÁ¬µÄ¿Í»§¶Ëʶ±ðΪÔÚÆäÂß¼­ÍØÆËÖÐ £¬£¬£¬£¬£¬¶øÍⲿµØµãÔò²»»á¡£¡£¡£



The affected versions are as follows:

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)

Windows Server 2016

Windows Server 2016 (Server Core installation)

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1903 (Server Core installation)

Windows Server, version 1909 (Server Core installation)

Windows Server, version 2004 (Server Core installation)


A PoC for this vulnerability has now been published on GitHub, which will draw widespread interest and testing across the security community. Because researchers keep working actively on successful exploit development, severe and high-profile vulnerabilities tend to attract broad attention from security researchers and attackers alike.

0x02 Remediation Advice

Microsoft is addressing this vulnerability in phases.

Initial phase:

Starting with the Windows updates released on August 11, 2020. These updates make domain controllers (DCs) protect Windows devices by default, log events when non-compliant devices are discovered, and allow protection to be enabled optionally for all domain-joined devices, with explicit exceptions.

Second phase:

Released in the first quarter of 2021, marking the transition to the enforcement phase. DCs will be placed in enforcement mode, which requires all Windows and non-Windows devices to use secure remote procedure call (RPC) over the Netlogon secure channel.

Remediation recommendations:

1. Microsoft has released an official security update; updating through Windows Update is recommended.

Patch link:

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1472

2. The vulnerability can be remediated by using secure RPC; for details, see Microsoft's official guidance:

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-1472

3. Enforcement mode can be enabled on the DCs.

For details, see Microsoft's official documentation:

"How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472"

Document link:

https://support.microsoft.com/zh-cn/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
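For the phased rollout described above (the initial phase logs non-compliant devices; the second phase enforces secure RPC), the defender's first job is to read the Netlogon events the August 2020 update added to the System log and find the accounts that would break once enforcement mode is enabled. The following is an added example, not code from this advisory or from Microsoft: it parses a constructed, simplified export with one "EventID|AccountName" line per record (a real wevtutil or Get-WinEvent export carries more fields) and produces a readiness report. The event ID meanings follow the KB4557222 document linked above; the line format, type names and sample accounts are this example's assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Netlogon event IDs introduced by the August 11, 2020 update (System log,
// source NETLOGON), as documented in KB4557222.
const (
	EvDeniedMachine    = 5827 // vulnerable connection from a machine account denied
	EvDeniedTrust      = 5828 // vulnerable connection from a trust account denied
	EvAllowedVuln      = 5829 // vulnerable connection allowed (initial phase only)
	EvAllowedByPolicyM = 5830 // allowed: machine account is on the policy allow list
	EvAllowedByPolicyT = 5831 // allowed: trust account is on the policy allow list
)

// Event is the minimal information this example needs per log record.
type Event struct {
	ID      int
	Account string
}

// ParseExport reads the simplified "EventID|AccountName" export format
// (constructed for this example). Blank lines are skipped; malformed lines
// are reported with their line number rather than silently dropped.
func ParseExport(export string) ([]Event, error) {
	var events []Event
	for n, line := range strings.Split(export, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, "|", 2)
		if len(parts) != 2 || parts[1] == "" {
			return nil, fmt.Errorf("line %d: expected EventID|AccountName, got %q", n+1, line)
		}
		id, err := strconv.Atoi(parts[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad event id %q", n+1, parts[0])
		}
		events = append(events, Event{ID: id, Account: parts[1]})
	}
	return events, nil
}

// Report summarises which accounts need attention before enforcement mode.
type Report struct {
	NeedsFix    []string // still making vulnerable connections (5829): patch or replace before enforcing
	Denied      []string // already being blocked (5827/5828)
	Allowlisted []string // exempted through the group policy allow list (5830/5831)
	Ready       bool     // true when no account would be newly cut off by enforcement mode
}

// Triage buckets accounts by event class and decides whether enforcement
// mode can be turned on without cutting off a device that still depends on
// the vulnerable connection. Event IDs outside the Netlogon set are ignored.
func Triage(events []Event) Report {
	buckets := map[string]map[string]bool{"fix": {}, "denied": {}, "allow": {}}
	for _, e := range events {
		switch e.ID {
		case EvAllowedVuln:
			buckets["fix"][e.Account] = true
		case EvDeniedMachine, EvDeniedTrust:
			buckets["denied"][e.Account] = true
		case EvAllowedByPolicyM, EvAllowedByPolicyT:
			buckets["allow"][e.Account] = true
		}
	}
	r := Report{
		NeedsFix:    sortedKeys(buckets["fix"]),
		Denied:      sortedKeys(buckets["denied"]),
		Allowlisted: sortedKeys(buckets["allow"]),
	}
	r.Ready = len(r.NeedsFix) == 0
	return r
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// sampleExport is constructed sample data, not a real log export.
const sampleExport = `5829|FILESRV01$
5829|PRINTSRV02$
5829|FILESRV01$
5830|LEGACYNAS$
5827|ROGUE-BOX$
5831|PARTNER-DOMAIN$
4624|ALICE`

func main() {
	events, err := ParseExport(sampleExport)
	if err != nil {
		panic(err)
	}
	r := Triage(events)
	fmt.Println("needs fix before enforcement:", r.NeedsFix)
	fmt.Println("already denied:", r.Denied)
	fmt.Println("allow-listed by policy:", r.Allowlisted)
	fmt.Println("safe to enable enforcement mode:", r.Ready)
}
```

Accounts in the "needs fix" bucket are the ones to patch or replace while the DC is still in the initial phase; entries on the allow list should be treated as temporary exceptions to be reviewed, since enforcement mode does not protect them.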

0x03 Related News

https://zh-cn.tenable.com/blog/cve-2020-1472-zerologon-vulnerability-in-netlogon-could-allow-attackers-to-hijack-windows?tns_redirect=true

0x04 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

https://nvd.nist.gov/vuln/detail/CVE-2020-1472

https://github.com/SecuraBV/CVE-2020-1472

0x05 Timeline

2020-08-11 Microsoft published the vulnerability advisory

2020-09-15 VSRC published this security advisory

 
