Critical design flaw in Active Directory could allow for a password change

Microsoft contends the general issue has been long-known, but Israel-based Aorato has developed a working attack

Microsoft's widely used software for brokering network access has a critical design flaw, an Israeli security firm said, but Microsoft contends the issue has been long-known and defenses are in place.

Aorato used public information to craft a proof-of-concept attack that shows how an attacker can change a person's network password, potentially allowing access to other sensitive systems, said Tal Be'ery, its vice president of research.

"The dire consequences we are discussing -- that an attacker can change the password -- was definitely not known," said Be'ery in a phone interview Tuesday.

About 95 percent of Fortune 500 companies use Active Directory, making the problem "highly sensitive," Aorato wrote on its blog.

The company's research focuses on NTLM, an authentication protocol that Microsoft has been trying to phase out for years. All Windows versions older than Windows XP SP3 used NTLM as a default, and newer Windows versions are compatible with it in combination with its successor, Kerberos.

NTLM is vulnerable to a so-called "pass-the-hash" attack in which an attacker obtains the login credentials for a computer and can use the mathematical representation of those credentials -- called a hash -- to access other services or computers.

It's one of the most popular kinds of attacks since a computer that may not be valuable for the data it stores on its own could enable access to a more sensitive system. U.S.-based retailer Target fell victim to this kind of lateral movement that led to a data breach after hackers gained access to its network via a supplier.

The pass-the-hash attack is a long-known weakness around single sign-on systems (SSO) since the hash must be stored somewhere on a system for some amount of time. Other operating systems that accommodate SSO are also affected by the threat.

Disabling SSO would solve the problem, but it would also mean that users on a network would have to repeatedly enter their password in order to access other systems, which is inconvenient.

"It's a trade-off," Be'ery said.

Aorato contends that an attacker can snatch an NTLM hash using publicly available penetration testing tools such as WCE or Mimikatz. It built a proof-of-concept tool that shows how attackers can then change a user's password to an arbitrary one and access other services such as RDP (remote desktop protocol) or the Outlook web application.

Although some enterprises try to limit the use of the NTLM protocol in favor of Kerberos, an attacker can force a client to authenticate to Active Directory using a weaker encryption protocol, RC4-HMAC, that uses the NTLM hash. That NTLM hash is then accepted by Kerberos, which issues a fresh authentication ticket.

Microsoft implemented Kerberos in order to move away from some of NTLM's security issues, but Kerberos works with RC4-HMAC to allow for compatibility with older systems.

The company couldn't immediately be reached for comment, but it acknowledged weaknesses in NTLM in a 2012 technical paper.

In May, Microsoft released a patch which contained improvements that make it harder to steal NTLM hashes. The company has also suggested that organizations use smart cards or disable Kerberos RC4-HMAC support on all domain controllers, but it is possible that could break some functionality.

Be'ery said quirks in Active Directory can cause it to downgrade to NTLM, which makes it hard for organizations to shut it off.

"It's not really a practical solution," he said.

For example, if a person is trying to access a network resource using its IP address instead of its name, Active Directory will use NTLM even if the organization is on the latest version of Windows, Be'ery said.

Aorato contends that more could be done around logging events that might indicate malicious behavior, such as specifying the encryption algorithm used for a password change.

"Although Windows had created a relatively verbose Kerberos event logging system, it fails to show the pertinent attack information," the company wrote. "As a result, the logs lack indication of something fishy going on."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityMicrosoftAccess control and authenticationAorato

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?