silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,148
Two critical Microsoft vulnerabilities, CVE-2019-1040 and CVE-2019-1019, would allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS.
According to researchers at Preempt, who discovered the flaws, the two CVEs consist of three logical flaws in NTLM, the company’s proprietary authentication protocol. A successful exploit would allow an attacker to read all users’ emails; authenticate to any cloud resource that is controlled by ADFS; remotely execute code on any machine the victim has privileges on; and modify various network configuration to create backdoors.
Three logical flaws are at the heart of the vulnerabilities.
The first has to do with the Message Integrity Code (MIC) field, which ensures that attackers do not tamper NTLM messages. According Preempt’s write-up on the flaw, the bypass allows attackers to remove the ‘MIC’ protection and modify various fields in the NTLM authentication flow, such as signing negotiation.
The second weakness is in the SMB Session Signing, which prevents attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions. This bypass, according to the analysis, enables attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution. If the relayed authentication is of a privileged user, this means full domain compromise.
And finally, Enhanced Protection for Authentication (EPA) prevents attackers from relaying NTLM messages to TLS sessions has a flaw. The bypass here, as described, allows attackers to modify NTLM messages to generate legitimate channel binding information. This allows attackers to connect to various web servers using the attacked user’s privileges and perform operations such as reading the user’s emails (by relaying to OWA servers) or even connecting to cloud resources (by relaying to ADFS servers).