Microsoft Patches Flaw Related to “Malicious Butler” Attack

Microsoft has released yet another patch for a serious Windows authentication bypass vulnerability first disclosed by researchers nine months ago.

In November 2015, researcher Ian Haken demonstrated a flaw (CVE-2015-6095) that a local attacker could leverage to bypass authentication at the Windows login screen. Microsoft had issued a fix a week before Haken’s disclosure, but researchers Nabeel Ahmed and Tom Gilis later showed that the fix was incomplete, and the company released a second patch (CVE-2016-0049) in February 2016.

Researchers initially believed the attack required physical access to the targeted device (a so-called evil maid attack). However, last week at the Black Hat security conference, Microsoft’s Chaim Hoch and Tal Be’ery reported a method for launching the attack remotely, which they called a “remote malicious butler” attack.

Hoch and Be’ery said the malicious butler attack did not work on systems with Microsoft’s patches applied. Ahmed, however, discovered that the second fix was also incomplete.

In the original evil maid attack, the attacker sets up a rogue domain controller (DC) for a domain whose name matches the one the victim’s computer is joined to, and creates a user account with the victim’s username, configured so that its password has expired.

The attacker then connects the targeted machine to the rogue DC and logs in with that account. Because the password has expired, Windows prompts for a new one; the attacker sets a password of their choosing, and the new credential is written to the local machine’s cached domain credentials. Finally, the attacker disconnects the computer from the rogue DC and logs in with the password they chose. With no domain controller reachable, Windows validates the logon against the cached credentials rather than the real DC, so the attacker-chosen password is accepted.
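The chain above depends on two client-side conditions a defender can audit: the machine caches domain logons at all (otherwise the final step fails when no DC is reachable), and the final step shows up in the local Security log as a logon validated against cached credentials (event 4624 with Logon Type 11, “CachedInteractive”). The following PowerShell is an added example, not code from the SecurityWeek article, from the researchers, or from Microsoft’s bulletin; the CachedLogonsCount registry value and the 4624/Logon Type 11 semantics are documented Windows behaviour, while the sample events at the bottom are constructed so the detection function can be exercised offline.

```powershell
# Added example (not from the article). Audits the client-side preconditions of the
# evil maid / malicious butler chain on a domain-joined Windows machine.

function Get-CachedLogonPolicy {
    # CachedLogonsCount controls how many domain logons Windows caches for use
    # when no DC is reachable. 0 disables caching, which removes the final step
    # of the attack (and also breaks offline logon for legitimate users).
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { $value = 10 }   # Windows default when the value is absent
    [pscustomobject]@{
        PartOfDomain      = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
        CachedLogonsCount = [int]$value
        CachingEnabled    = ([int]$value -gt 0)
    }
}

function ConvertFrom-SecurityLogon {
    # Flattens a live 4624 record into the fields the detection function needs.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventId          = $Record.Id
        TimeCreated      = $Record.TimeCreated
        LogonType        = $data['LogonType']
        TargetUserName   = $data['TargetUserName']
        TargetDomainName = $data['TargetDomainName']
        WorkstationName  = $data['WorkstationName']
    }
}

function Find-CachedInteractiveLogons {
    # Returns 4624 events whose Logon Type is 11 (CachedInteractive): the DC was
    # NOT contacted and the password was checked against the local cache, which
    # is exactly how the attacker-chosen password gets accepted in the attack.
    param(
        [Parameter(ValueFromPipeline)]$Event,
        [int]$RecentHours = 24
    )
    begin { $cutoff = (Get-Date).AddHours(-$RecentHours); $hits = @() }
    process {
        if ($Event.EventId -eq 4624 -and [int]$Event.LogonType -eq 11 -and $Event.TimeCreated -ge $cutoff) {
            $hits += $Event
        }
    }
    end { $hits }
}

# --- Constructed sample input (not real log data) so the logic runs offline ---
$sampleEvents = @(
    [pscustomobject]@{ EventId = 4624; TimeCreated = (Get-Date).AddHours(-2);   LogonType = '2';  TargetUserName = 'jdoe'; TargetDomainName = 'CORP'; WorkstationName = 'LAPTOP01' },
    [pscustomobject]@{ EventId = 4624; TimeCreated = (Get-Date).AddMinutes(-5); LogonType = '11'; TargetUserName = 'jdoe'; TargetDomainName = 'CORP'; WorkstationName = 'LAPTOP01' },
    [pscustomobject]@{ EventId = 4634; TimeCreated = (Get-Date).AddMinutes(-1); LogonType = '11'; TargetUserName = 'jdoe'; TargetDomainName = 'CORP'; WorkstationName = 'LAPTOP01' }
)

# Only the second sample event (4624, Logon Type 11) is reported.
$sampleEvents | Find-CachedInteractiveLogons | Format-Table -AutoSize

# Against the live Security log (requires local administrator rights):
# Get-CachedLogonPolicy
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { ConvertFrom-SecurityLogon $_ } | Find-CachedInteractiveLogons
```

Treat Logon Type 11 as a triage signal rather than a high-fidelity alert: any laptop used off the corporate network produces such events legitimately, and the password change itself is recorded only on the rogue DC, which the defender does not control. The registry check is the stronger lever, since setting CachedLogonsCount to 0 removes the precondition the whole chain relies on, at the cost of offline logon.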

Microsoft’s February fix added an additional check to the authentication process. Ahmed, however, found another way to carry out the attack.

On patched versions of Windows, attempting a password change while the machine is connected to a rogue DC produces an error message stating that the domain controller is not trusted.


Ahmed noticed, however, that the password change still went through if the rogue DC was disconnected partway through the reset. He blocked the rogue DC with Windows Firewall in the middle of the process, and the password was successfully changed after roughly six minutes.

Waiting six minutes for the change made the attack somewhat impractical, but after analyzing the traffic between the client and the server, Ahmed reduced the delay to one minute.

Microsoft was informed of the vulnerability in early April and patched it this week with the MS16-101 security bulletin (CVE-2016-3237). Be’ery and Hoch pointed out that this latest patch applies to both the local evil maid attack and their remote butler variant.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
