Security/Dollar Ticket Attack: Difference between revisions
(more documentation links) |
No edit summary |
||
| Line 3: | Line 3: | ||
This page attempts to document the "Dollar Ticket Attack" on Active Directory servers and clients. |
This page attempts to document the "Dollar Ticket Attack" on Active Directory servers and clients. |
||
Many of these attacks are worse in Windows domains as [https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-is-useful-sometimes/ MachineAccountQuota] is still enabled by default. |
|||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
== CVEs and Announcements of the Nov 2021 issues == |
== CVEs and Announcements of the Nov 2021 issues == |
||
| Line 34: | Line 31: | ||
* [https://datatracker.ietf.org/doc/html/rfc4120 RFC 4120 The Kerberos Network Authentication Service (V5)] |
* [https://datatracker.ietf.org/doc/html/rfc4120 RFC 4120 The Kerberos Network Authentication Service (V5)] |
||
* [https://www.rfc-editor.org/rfc/rfc6806.html RFC6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals] |
* [https://www.rfc-editor.org/rfc/rfc6806.html RFC6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals] |
||
=Still Open Issue in 'MIT Style' clients: |
|||
==Fallback to 'bare' users== |
|||
Just as Samba saw with [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717], the default principal to username mapping in MIT Kerberos is unsafe if user creation on the realm is not privileged. |
|||
Even if (eg) sssd or Samba provides a more complex account to local name plugin, the default behaviour remains to to map a user in the default realm to the matching user locally. It helps to avoid (eg) sssd mapping to an unprivileged account if that account is taken away before the ticket is presented. |
|||
The [https://web.mit.edu/kerberos/krb5-1.20/doc/admin/host_config.html MIT Kerberos Host configuration documentation describes the defaults as: |
|||
[realms] |
|||
DEFAULT.REALM = { |
|||
... |
|||
# Also allow principals from the default realm. Omit this line |
|||
# to only allow access to principals in OTHER.REALM. |
|||
auth_to_local = DEFAULT |
|||
} |
|||
==MIT-style servers don't know a $ is missing== |
|||
Unless the MIT-style kerberos acceptor enforces the presence of the PAC, and can read the PAC, using the [https://www.samba.org/samba/security/CVE-2020-25721.html extra information provided by Windows and Samba], it is not possible to know that the username has been stripped of the trailing $. This allows more opportunity for attack as there is no need for permission to delete the account, and still operates after [https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e Machine Accounts were restricted to keeping their trailing $] |
|||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
* [https://support.microsoft.com/en-us/topic/kb5008382-verification-of-uniqueness-for-user-principal-name-service-principal-name-and-the-service-principal-name-alias-cve-2021-42282-4651b175-290c-4e59-8fcb-e4e5cd0cdb29 Microsoft CVE-2021-42282 KB5008382—Verification of uniqueness for user principal name, service principal name, and the service principal name alias] |
|||
* [https://www.samba.org/samba/security/CVE-2020-25722.html Samba AD DC did not do suffienct access and conformance checking of data stored (SPN/UPN uniqueness)] |
|||
Revision as of 00:53, 11 July 2022
The "Dollar Ticket Attack" / Name confusion in Kerberos
This page attempts to document the "Dollar Ticket Attack" on Active Directory servers and clients.
Many of these attacks are worse in Windows domains as MachineAccountQuota is still enabled by default.
CVEs and Announcements of the Nov 2021 issues
Talks
- Kawaiicon: Live stream replay @ Youtube PDF without embedded video (shorter, more focus on the remaining still open issues)
Blogs
- Stay Curious: Lessons from the Dollar-ticket security issue
- Catalyst Samba team fixes critical Microsoft security issue
Documentation
- MS-KILE 3.3.5.6.1 Client Principal Lookup
- RFC 4120 The Kerberos Network Authentication Service (V5)
- RFC6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals
=Still Open Issue in 'MIT Style' clients:
Fallback to 'bare' users
Just as Samba saw with CVE-2020-25717, the default principal to username mapping in MIT Kerberos is unsafe if user creation on the realm is not privileged.
Even if (eg) sssd or Samba provides a more complex account to local name plugin, the default behaviour remains to to map a user in the default realm to the matching user locally. It helps to avoid (eg) sssd mapping to an unprivileged account if that account is taken away before the ticket is presented.
The [https://web.mit.edu/kerberos/krb5-1.20/doc/admin/host_config.html MIT Kerberos Host configuration documentation describes the defaults as:
[realms]
DEFAULT.REALM = {
...
# Also allow principals from the default realm. Omit this line
# to only allow access to principals in OTHER.REALM.
auth_to_local = DEFAULT
}
MIT-style servers don't know a $ is missing
Unless the MIT-style kerberos acceptor enforces the presence of the PAC, and can read the PAC, using the extra information provided by Windows and Samba, it is not possible to know that the username has been stripped of the trailing $. This allows more opportunity for attack as there is no need for permission to delete the account, and still operates after Machine Accounts were restricted to keeping their trailing $
There are many other security issues, some related, that come form the same tree, including:
- Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923)
- Microsoft CVE-2021-42282 KB5008382—Verification of uniqueness for user principal name, service principal name, and the service principal name alias
- Samba AD DC did not do suffienct access and conformance checking of data stored (SPN/UPN uniqueness)