The flaw affects all supported versions of Windows. The vulnerability is present in Microsoft Windows Netlogon Remote Protocol, a core authentication component of Active Directory.
It allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services.
New blog: A different way of abusing Zerologon. No more password reset needed: using the printer bug with Zerologon to relay to DRSUAPI and DCSync directly with ntlmrelayx: https://t.co/5ixAuW8QHX Code: https://t.co/nDLcN7LRmh — Dirk-jan (@_dirkjan), September 24, 2020
Senior security specialist Tom Tervoort of the firm Secura discovered the flaw. In a joint advisory with technical director Ralph Moonen, the pair said: "Last month, Microsoft patched a very interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint."
Tervoort and Moonen said the issue was caused by a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords.
"This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf," they wrote.
It has a few more prerequisites, but I finally managed to get a #Zerologon exploit working that doesn't rely on resetting passwords to exploit. Use the printerbug to make DC1 connect to you, then with lots of magic relay that to DC2 directly to DRSUAPI to DCSync. — Dirk-jan (@_dirkjan), September 20, 2020
Commenting on the flaw, Scott Caveza, research engineering manager at security shop Tenable, said: "Shortly after the blog post from Secura was published, detailing the impact and technical information about Zerologon, multiple proof-of-concept scripts emerged.
"In the hours and days that followed, we saw an increase in the number of scripts available to test and exploit the flaw and they continued to expand upon previous code to add further automated and sophisticated attack scenarios. We anticipated attackers would seize the opportunity and begin exploiting the flaw very quickly, which we're now seeing play out.
"Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we're seeing attacks in the wild. Administrators should prioritise patching this flaw as soon as possible. Based on the rapid speed of exploitation already, we anticipate this flaw will be a popular choice amongst attackers and [will be] integrated into malicious campaigns.
"Several samples of malicious .NET executables with the filename 'SharpZeroLogon.exe' have been uploaded to VirusTotal. Microsoft Security Intelligence has shared sample SHA-256 hashes to aid defenders in investigating any exploited systems."