Early Release Exploit for MS14-068 Vulnerability (Affecting Kerberos)

A critical vulnerability (MS14-068) affecting Windows environments was published by Microsoft on October 11, 2017. Specifically, the vulnerability affects Kerberos:

[The vulnerability will] allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

There was no public PoC available for exploiting this vulnerability until Sylvain Monné shared one on Friday, December 5. This PoC makes it possible to create a Kerberos ticket that will impersonate a normal user as Domain Admin (among other groups). Core Labs was able to publish an Impacket script that enables the community to verify the presence of the vulnerability by providing access to a SYSTEM shell at the target. At the same time, we made an early release exploit for Core Impact available to our customers, so they can test their environments against this vulnerability.

The new exploit allows Core Impact users to easily install an agent on a domain controller or any Windows machine that belongs to a given domain via a standard domain user account with no special privileges. For example, if you have generic restricted user accounts for meeting rooms and you haven’t patched your machines, you are at risk. This attack can be launched directly from the Impact console, or by pivoting through another already compromised system.