Recently, exploitation details and a PoC for a privilege escalation vulnerability in Windows Active Directory Domain Services were observed to have been published online. An attacker can use this vulnerability to elevate their identity to administrator within the target domain, which poses a severe threat to enterprise identity authentication and related assets. Affected users are advised to apply the fixes as soon as possible.
1 Vulnerability overview
1.1 Background
A directory is a hierarchical structure that stores information about objects on a network. The directory service (Active Directory Domain Services, AD DS) provides a distributed database for storing and managing application data and network resource data from the directory. On November 10, 2021, Microsoft released its November security updates, fixing multiple vulnerabilities in Microsoft products, including two domain privilege escalation vulnerabilities (CVE-2021-42278 and CVE-2021-42287).
1.2 How the vulnerabilities work
CVE-2021-42278
A privilege escalation vulnerability exists in Microsoft Windows Active Directory Domain Services. Computer account names in an AD domain normally end with "$", but AD does not validate that this character is present. An authenticated malicious attacker can therefore bypass the domain's security measures and, in combination with CVE-2021-42287, elevate an ordinary domain user to administrator privileges.
CVE-2021-42287
A privilege escalation vulnerability exists in Microsoft Windows Active Directory Domain Services. When a malicious attacker creates an account whose username is identical to that of a machine account except that it does not end with "$", the security restrictions of AD DS can be bypassed, elevating an ordinary user to administrator privileges.
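As an added example (not part of the original advisory), the following Python audit applies the principle described above from the defender's side: it flags computer objects whose sAMAccountName lacks the trailing "$", accounts whose name equals an existing computer name minus the "$", and Security-log 4781 account-rename events that drop the "$". The directory entries and event lines are constructed samples; event ID 4781 and its OldTargetUserName/NewTargetUserName fields are assumed from the Windows Security log, not taken from this page.

```python
import re

# Constructed directory snapshot (not from a real domain): each entry is
# (objectClass, sAMAccountName). Computer accounts normally end in "$".
DIRECTORY = [
    ("computer", "DC01$"),
    ("computer", "WS-FINANCE$"),
    ("computer", "ROGUE-PC"),   # computer object whose name has lost its "$"
    ("user", "alice"),
    ("user", "DC01"),           # account whose name shadows the DC's machine name
]

# Constructed sample of Security log event 4781 ("The name of an account was
# changed"), reduced to the two fields this check needs. Assumed field names.
EVENT_4781 = [
    "4781 OldTargetUserName=ROGUE-PC$ NewTargetUserName=ROGUE-PC",
    "4781 OldTargetUserName=WS-HR$ NewTargetUserName=WS-HR2$",
]

def computers_missing_dollar(entries):
    """Computer objects whose sAMAccountName does not end with '$'."""
    return [name for cls, name in entries
            if cls == "computer" and not name.endswith("$")]

def shadowed_machine_names(entries):
    """Accounts whose name equals a computer's name with the trailing '$' removed.
    sAMAccountName is case-insensitive, so compare case-folded values."""
    computers = {name[:-1].casefold() for cls, name in entries
                 if cls == "computer" and name.endswith("$")}
    return [name for cls, name in entries
            if not name.endswith("$") and name.casefold() in computers]

RENAME = re.compile(r"^4781 OldTargetUserName=(?P<old>\S+) NewTargetUserName=(?P<new>\S+)$")

def suspicious_renames(events):
    """4781 renames that turn a machine-style name (ending '$') into one without it."""
    hits = []
    for line in events:
        m = RENAME.match(line)
        if m and m["old"].endswith("$") and not m["new"].endswith("$"):
            hits.append((m["old"], m["new"]))
    return hits

if __name__ == "__main__":
    print("computers without '$':", computers_missing_dollar(DIRECTORY))
    print("names shadowing a computer:", shadowed_machine_names(DIRECTORY))
    print("suspicious renames:", suspicious_renames(EVENT_4781))
```

Such an audit is a detection aid for spotting the name collision the advisory describes; it does not replace applying the November 2021 updates.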
1.3 Reproduction
Set up an AD domain environment, create an ordinary domain user, and send malicious data to the server to obtain a ticket:
2 Affected scope
CVE-2021-42278
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows Server 2012 R2 (Server Core installation)
CVE-2021-42287
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
3 Remediation
3.1 Official patch
Microsoft has released patches that fix these vulnerabilities; please download and apply the security updates promptly.
Official link:
https://msrc.microsoft.com/update-guide/releaseNote/2021-Nov