Vulnerabilities > CVE-2014-6324 - Unspecified vulnerability in Microsoft products
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 9 |
Exploit-Db
description MS14-068. CVE-2014-6324. Remote exploit for windows platform id EDB-ID:35474 last seen 2016-02-04 modified 2014-12-05 published 2014-12-05 reporter Sylvain Monne source https://www.exploit-db.com/download/35474/ title Windows Kerberos - Elevation of Privilege MS14-068 description HackBack - A DIY Guide. Papers exploit for Multiple platform id EDB-ID:41915 last seen 2017-04-25 modified 2016-04-17 published 2016-04-17 reporter Exploit-DB source https://www.exploit-db.com/download/41915/ title HackBack - A DIY Guide
Metasploit
| description | This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS request, where a domain user may forge a PAC with arbitrary privileges, including Domain Administrator. This module requests a TGT ticket with a forged PAC and exports it to a MIT Kerberos Credential Cache file. It can be loaded on Windows systems with the Mimikatz help. It has been tested successfully on Windows 2008. |
| id | MSF:AUXILIARY/ADMIN/KERBEROS/MS14_068_KERBEROS_CHECKSUM |
| last seen | 2020-06-05 |
| modified | 2020-02-18 |
| published | 2014-12-22 |
| references |
|
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb |
| title | MS14-068 Microsoft Kerberos Checksum Validation Vulnerability |
Msbulletin
| bulletin_id | MS14-068 |
| bulletin_url | |
| date | 2014-11-11T00:00:00 |
| impact | Elevation of Privilege |
| knowledgebase_id | 3011780 |
| knowledgebase_url | |
| severity | Critical |
| title | Vulnerability in Kerberos Could Allow Elevation of Privilege |
Nessus
| NASL family | Windows : Microsoft Bulletins |
| NASL id | SMB_NT_MS14-068.NASL |
| description | The remote Windows host is affected by a privilege escalation vulnerability due to the Kerberos Key Distribution Center (KDC) implementation not properly validating signatures. A remote attacker can exploit this vulnerability to elevate an unprivileged domain user account to a domain administrator account. ESKIMOROLL is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 79311 |
| published | 2014-11-18 |
| reporter | This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/79311 |
| title | MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) (ESKIMOROLL) |
Seebug
| bulletinFamily | exploit |
| description | ### Description `MS14-068` is a Windows vulnerability in the Key Distribution Center (KDC) service. It allows an authenticated user to insert an arbitrary PAC (a structure that represent all user rights) in its Kerberos ticket (the TGT). > https://technet.microsoft.com/library/security/ms14-068.aspx In Windows domains, it permits privilege escalation (usually `standard user` to `domain/enterprise admin`) ### Technical The vulnerability is in the Key Distribution Center (KDC - `kdcsvc.dll`) of domain controllers. An user can obtain tickets by presenting a Kerberos TGT with an altered PAC. Normally the KDC service detects a PAC alteration by verifying its signature (each KDC knows the secret symmetric key to check it) **The vulnerability:** KDC service allows algorithms without keys (like `MD4`, `MD5`, `SHA1` or `CRC32`) to be used. It means that any user can forge a PAC without knowing any secret key, and ask the KDC to include it in a ticket. #### Workflow 1. (AS-REQ) User authenticates to a KDC, asking a TGT without a PAC. 2. (PAC TIME) User creates a PAC with arbitrary data and seal it with an algorithm without keys (here, `MD5`). 3. (TGS-REQ) From its TGT, user asks a TGS for service `krbtgt` (TGT-like) with its fake PAC included. 4. (TGS-REQ) From its TGS, user asks another TGS for service `krbtgt` (TGT-like) - _if vulnerable, fake PAC will be really signed by KDC here!_ 5. (KRB-CRED) From the final TGS, ticket is converted as KRB-CRED structure (to be saved on disk or injected in `LSA`) Step 4. seems to be optional, but is necessary to use a TGT with a PAC well signed with a domain controller not vulnerable (load balancing). ## Arguments #### Standard * `/domain` - the fully qualified domain name of the target (ex: `lab.local`) * `/user` - the username you want to use as authenticated user (any account allowed to logon is OK, ex: `utilisateur`) Then you can choose between: * `/password` - the password of the user's account * `/key` - the derived key of the user's account, it can be `RC4_HMAC_NT` (`NTLM`), `AES128_CTS_HMAC_SHA1_96` or `AES256_CTS_HMAC_SHA1_96` By default, `/key` and `/password` will be used with `RC4_HMAC_NT` algorithm, but you can specify `/aes128` (`AES128_CTS_HMAC_SHA1_96`) or `/aes256` (`AES256_CTS_HMAC_SHA1_96`) Final usage is between: * `/ticket` - _optional_ - file name used to write ticket(s) on the disk - default is: `tgt.kirbi` * `/ptt` - _optional_ - `Pass The Ticket`: no ticket will be written, first good ticket is injected in `LSA` (NT6 is needed) #### Automatically recovered If not provided, these arguments can be recovered remotely by RPC/CLDAP, in this case: `/password` is mandatory and `/key` is not permitted. * `/sid` - _optional_ - the **domain**'s SID (ex: `S-1-5-21-1644491937-412668190-839522115`) * `/rid` - _optional_ - the **user**'s relative ID (ex: `1105`) * `/kdc` - _optional_ - the DC you want to use for all queries (ex: `dc.lab.local`), if not provided, the program will select one automatically, then: * test *all* KDC in the domain * when saving ticket in file: save each successful tickets in separate files, named like `%dcshortname%.%filename%.kirbi` * when `Pass The Ticket`: inject the first successful ticket in `LSA` then break the loop * print a little repport at the end with the number of vulnerable servers vs the total. #### Tuning * `/groups` - _optional_ - relatives id of groups which the user will belong (first is primary group, comma separator) - default is: `513,512,520,518,519` for the well-known Administrator's groups. * `/sids` - _optional_ - externals SID (externals to the domain) to add. * an interesting SID is `S-1-5-21-root forest-519` (Enterprise Admins) # Errors * `KDC_ERR_WRONG_REALM (68)`: bad domain name * `KDC_ERR_PREAUTH_FAILED (24)`: bad password or key * `KDC_ERR_ETYPE_NOSUPP (14)`: you try to make AES on 2003 domain functional level (or algorithm is not allowed) * `KDC_ERR_SUMTYPE_NOSUPP (15)`: * NT6 target: `KB3011780` patch or > is installed * `KRB_ERR_GENERIC (60)`: * NT5 target: `KB3011780` patch or > is installed * NT6 target: 2012 server or > is not vulnerable to this program Others errors: * `ERROR stringToKey ; LocacteCSystem: 80080341`: you try to use AES on a NT5 client (RC4 support only), please use a NT6 machine. * `ERROR [...] ; LsaCallAuthenticationPackage KerbSubmitTicketMessage : c000000d`: you try to make `Pass The Ticket` on a NT5 client. Like with `mimikatz`, it’s a NT6 only feature. ### Remarks * All DC without `KB3011780` patch or >, are vulnerable (like all Windows 2000) |
| id | SSV:92950 |
| last seen | 2017-11-19 |
| modified | 2017-04-15 |
| published | 2017-04-15 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-92950 |
| title | ESKIMOROLL-ms14-068 Windows vulnerability in the Key Distribution Center (KDC) service (CVE-2014-6324) |
The Hacker News
| id | THN:CD55D97C4B7F0F15409E50C509B347D3 |
| last seen | 2018-01-27 |
| modified | 2014-11-19 |
| published | 2014-11-18 |
| reporter | Swati Khandelwal |
| source | https://thehackernews.com/2014/11/microsoft-releases-emergency-out-of.html |
| title | Microsoft Releases Emergency Out-of-Band Patch for Kerberos Bug MS14-068 |
References
- http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
- http://www.us-cert.gov/ncas/alerts/TA14-323A
- http://www.securitytracker.com/id/1031237
- http://marc.info/?l=bugtraq&m=142350249315918&w=2
- http://www.securityfocus.com/bid/70958
- http://secunia.com/advisories/62556
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068