
CVE-2020-1472 Zerologon Exploit Now Available

by Sep 15, 2020


Yesterday (14 Sep 2020), RiskSense announced that we had written and released a weaponized exploit for CVE-2020-1472, also known as “Zerologon”. We do this, of course, to help the security community. If you think about it, public exploits become useless over time, while secret exploits stay useful indefinitely (to the bad guys). Sunshine is poisonous to exploits, as they say.

But I’m getting ahead of myself. Let’s go back a bit: the Dutch security firm Secura published a novel attack on the Netlogon Remote Protocol RPC interface used by Microsoft Active Directory Domain Controllers for password database synchronization. This attack leverages a design weakness in the Netlogon Remote Protocol login process that allows an attacker to log in and perform critical operations using a password consisting entirely of zeros. This attack is successful (on average) in an astounding 1 in 256 login attempts!

The attack has been verified and validated in an internal lab environment. This attack path can be used to achieve complete compromise of any network containing a Microsoft Domain Controller that lacks the appropriate patches for the Netlogon Remote Protocol service. See the Microsoft advisory for CVE-2020-1472.

In an effort to help the security community, RiskSense Security Analyst Dylan Davis developed one of the first publicly available exploits and implemented the attack as reported in the Secura whitepaper. Further, RiskSense created a modified version of the Secura scanner that performs the complete attack chain, including reversing the attack to restore the original domain controller machine password. The sample exploit code can be found at https://github.com/risksense/zerologon/.

Today, RiskSense made a System Filter for CVE-2020-1472 freely available to our customers to make sure they can easily identify which assets in their environment harbor this vulnerability. With everyone working together, we can make progress toward creating safer, more secure environments.
