{"id":574,"date":"2014-11-21T23:49:16","date_gmt":"2014-11-22T04:49:16","guid":{"rendered":"http:\/\/adsecurity.org\/?p=574"},"modified":"2014-12-15T21:13:20","modified_gmt":"2014-12-16T02:13:20","slug":"ms14-068-active-directory-kerberos-vulnerability-patch","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=574","title":{"rendered":"MS14-068: Active Directory Kerberos Vulnerability Patch for Invalid Checksum"},"content":{"rendered":"<h4><span style=\"text-decoration: underline;\">MS14-068 References:<\/span><\/h4>\n<ul>\n<li><a title=\"MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege\" href=\"https:\/\/adsecurity.org\/?p=525\">AD Kerberos Privilege Elevation Vulnerability: The Issue<\/a><\/li>\n<li><a title=\"Kerberos Vulnerability in MS14-068 Explained\" href=\"https:\/\/adsecurity.org\/?p=541\">Detailed Explanation of MS14-068<\/a><\/li>\n<li><a title=\"MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK)\" href=\"https:\/\/adsecurity.org\/?p=660\">MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK)<\/a><\/li>\n<li><a title=\"Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)\" href=\"https:\/\/adsecurity.org\/?p=676\">Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)<\/a><\/li>\n<li><a title=\"PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works\" href=\"https:\/\/adsecurity.org\/?p=763\">PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works<\/a><\/li>\n<\/ul>\n<p>The folks at <a href=\"http:\/\/www.beyondtrust.com\/\">BeyondTrust<\/a> have a <a href=\"http:\/\/blog.beyondtrust.com\/a-quick-look-at-ms14-068\">great write-up on what the MS14-068 patch adds to mitigate the Kerberos ticket PAC validation vulnerability<\/a>.<\/p>\n<blockquote><p>So it looks 
like there is an issue with PAC signatures.\u00a0 But what specifically? \u00a0If we take a look at the kdsvc.dll patch for Server 2008, there are 3 changed functions:<\/p>\n<p><a href=\"http:\/\/blog.beyondtrust.com\/wp-content\/uploads\/2014\/11\/31.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-20701\" src=\"https:\/\/blog.beyondtrust.com\/wp-content\/uploads\/2014\/11\/31.png\" alt=\"3\" width=\"566\" height=\"74\" \/><\/a><\/p>\n<p>As expected, two of the three involve PAC (Privilege Attribute Certificate).\u00a0 VerifyPacSignature looks promising.\u00a0 Let\u2019s see what changed there.<\/p>\n<p><a href=\"http:\/\/blog.beyondtrust.com\/wp-content\/uploads\/2014\/11\/Cadddpture.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-20714\" src=\"https:\/\/blog.beyondtrust.com\/wp-content\/uploads\/2014\/11\/Cadddpture.png\" alt=\"Cadddpture\" width=\"455\" height=\"180\" \/><\/a><\/p>\n<p>More or less, a comparison like above ( cmp &lt;something&gt;, 0xFFFFFF76 ) was added in two places.\u00a0 The result of this comparison will either lead to further processing or to returning a Kerberos specific error as seen below.<\/p>\n<p><a href=\"http:\/\/blog.beyondtrust.com\/wp-content\/uploads\/2014\/11\/51.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-20703\" src=\"https:\/\/blog.beyondtrust.com\/wp-content\/uploads\/2014\/11\/51.png\" alt=\"5\" width=\"460\" height=\"253\" \/><\/a><\/p>\n<p>The value 0xFFFFFF76 can be traced upward in the patched function to a nearby call to _CDLocateChecksum.<\/p>\n<p><a href=\"http:\/\/blog.beyondtrust.com\/wp-content\/uploads\/2014\/11\/61.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-20704\" src=\"https:\/\/blog.beyondtrust.com\/wp-content\/uploads\/2014\/11\/61.png\" alt=\"6\" width=\"698\" height=\"454\" \/><\/a><\/p>\n<p>This function is imported from cryptdll.dll, so opening that in IDA we can follow the second 
argument to CDLocateChecksum and see that the source of this value seems to come from the _CheckSumFns array.<\/p>\n<p><a href=\"http:\/\/blog.beyondtrust.com\/wp-content\/uploads\/2014\/11\/71.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-20705\" src=\"https:\/\/blog.beyondtrust.com\/wp-content\/uploads\/2014\/11\/71.png\" alt=\"7\" width=\"513\" height=\"827\" \/><\/a><\/p><\/blockquote>\n<p><a href=\"http:\/\/blog.beyondtrust.com\/a-quick-look-at-ms14-068\">Read the rest of the article at the BeyondTrust blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) PyKEK Kerberos Packets on the Wire aka How the MS14-068 Exploit Works &nbsp; The folks at BeyondTrust have &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=574\">Continue 
reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[20,337,81,298,296,297,289,295,315,314],"class_list":["post-574","post","type-post","status-publish","format-standard","hentry","category-microsoft-security","category-technical-reference","tag-activedirectory","tag-kb3011780","tag-kerberos","tag-kerberoshacking","tag-kerberosinvalidchecksum","tag-kerberosvulnerability","tag-ms14-068","tag-ms14068","tag-ms14068patch","tag-pacvalidation","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/574","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=574"}],"version-history":[{"count":8,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/574\/revisions"}],"predecessor-version":[{"id":784,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/574\/revisions\/784"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=574"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=574"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=574"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}