NetSPI security specialist Jake Karnes has published detailed information (1, 2) about the CVE-2020-17049 vulnerability, as well as an exploit for it, calling his attack Kerberos Bronze Bit.
The underlying bug was fixed back in the November Patch Tuesday release, but after installing the patches, many customers experienced serious disruptions: enterprise domain controllers had problems with Kerberos authentication. As a result, in December Microsoft was forced to release additional fixes that resolved these problems.
Kerberos Exploit for CVE-2020-17049
Let me remind you that Kerberos long ago replaced NTLM and became the default authentication protocol for domain-joined devices in all versions of Windows later than Windows 2000. In November, it became known that the CVE-2020-17049 vulnerability can be exploited remotely and is related to Kerberos Constrained Delegation (KCD).
Now Karnes writes that the Bronze Bit attack he created is a variation of the older and well-known Golden Ticket and Silver Ticket attacks against Kerberos. Interestingly, the attack was named Bronze Bit rather than Bronze Ticket because it is based on flipping just one bit.
It is emphasized that all of the above are post-compromise techniques that can be used only after the attacker has penetrated the company’s internal network. But if an attacker has infected at least one system on the company’s network and recovered the password hashes, they can use them to bypass and forge credentials for other systems on the same network, provided the network relies on the Kerberos authentication protocol. The difference between Golden Ticket, Silver Ticket, and Bronze Bit is which parts of the Kerberos protocol the attacker exploits.
In the case of Bronze Bit, the attacker targets the S4U2self and S4U2proxy protocols, which Microsoft added to Kerberos as extensions. The Karnes exploit bypasses two security mechanisms for Kerberos delegation at once, allowing attackers to move laterally around the network, escalate privileges, and impersonate another user.