From User to Domain Admin in (less than) 60 seconds: CVE-2021-42278/CVE-2021-42287


FortiGuard Labs Threat Research Report

Affected Platforms: Windows
Impacted Users: Any organization with an Active Directory environment
Impact: Unprivileged user can escalate privileges to domain administrator
Severity Level: Critical

On Patch Tuesday of last November, Microsoft released advisories to address several vulnerabilities in Active Directory. Analysis of these vulnerabilities showed that by combining CVE-2021-42278 and CVE-2021-42287 it is possible, under default conditions, for a regular user to easily impersonate a domain admin. This means that any domain user can effectively become a domain administrator, which makes these vulnerabilities extremely severe. Moreover, there are already several GitHub repositories with free-to-use PoC code that facilitates the exploitation of these vulnerabilities.

In this post, we will describe how the exploitation of these vulnerabilities works and show how the attack is mitigated by FortiEDR.


CVE-2021-42278 – Invalid Computer Account Name

Computer account names in Active Directory environments should always end with “$”; however, this is not enforced correctly. The computer account name is stored in the “sAMAccountName” attribute. It is possible to view and edit this attribute manually using the ADSIEdit tool, as can be seen in Figure 1.
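Because the trailing “$” is a convention rather than an enforced rule, a defender can at least audit for computer objects that break it and watch for the attribute being changed. The following PowerShell is an added example written for this post, not code from FortiGuard Labs or from any of the PoC repositories mentioned above. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the domain, and, for the event-log check, that it is run on (or can remotely read the Security log of) a domain controller with account-management auditing enabled. The function names are my own.

```powershell
# Added example (not from the original post): audit sAMAccountName values of
# computer objects and look for recent account renames.
Import-Module ActiveDirectory

function Get-ComputerAccountsWithoutDollar {
    <#
      Returns computer objects whose sAMAccountName does not end with "$".
      LDAP filters cannot express "does not end with", so the check is done
      client-side after pulling all objectClass=computer entries.
    #>
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADComputer -LDAPFilter '(objectClass=computer)' `
                   -SearchBase $SearchBase `
                   -Properties sAMAccountName, whenChanged, whenCreated |
        Where-Object { -not $_.sAMAccountName.EndsWith('$') } |
        Select-Object Name, sAMAccountName, DistinguishedName, whenCreated, whenChanged
}

function Get-RecentAccountRenames {
    <#
      Security event 4781 ("The name of an account was changed") is logged on
      the domain controller that processed a rename, so a sAMAccountName edit
      like the one done through ADSIEdit leaves this trail. Returns the old
      and new names plus who made the change.
    #>
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME   # a DC; assumption
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4781
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                OldName    = $data['OldTargetUserName']
                NewName    = $data['NewTargetUserName']
                ChangedBy  = $data['SubjectUserName']
                DC         = $ComputerName
            }
        }
}

# Usage: list rule-breaking computer accounts, then any rename in the last week
# where either side of the rename lacks the trailing "$" (i.e. a computer object
# that was given, or stripped of, a user-style name).
Get-ComputerAccountsWithoutDollar | Format-Table -AutoSize

Get-RecentAccountRenames -Days 7 |
    Where-Object { -not $_.OldName.EndsWith('$') -or -not $_.NewName.EndsWith('$') } |
    Format-Table -AutoSize
```

A clean domain should return nothing from the first function; any hit is either a legacy object worth documenting or a sign that someone has been editing sAMAccountName by hand, in which case the 4781 events tell you which account did it and when.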

Disclaimer

Fortinet Inc. published this content on 05 January 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 05 January 2022 18:57:06 UTC.
