Identity & Access

Microsoft Patches Flaw Related to “Malicious Butler” Attack

Microsoft has released yet another patch for a serious Windows authentication bypass vulnerability first disclosed by researchers nine months ago.


In November 2015, researcher Ian Haken demonstrated a flaw (CVE-2015-6095) that could be leveraged by a local attacker to bypass authentication on the Windows login screen. Microsoft attempted to address the flaw a week before it was disclosed by Haken, but researchers Nabeel Ahmed and Tom Gilis later showed that the fix was incomplete so the tech giant released another patch (CVE-2016-0049) in February 2016.

Researchers initially believed this attack could only be carried out by an attacker with physical access to the targeted device (i.e. a so-called evil maid attack). However, last week at the Black Hat security conference, Microsoft’s Chaim Hoch and Tal Be’ery reported discovering a method that can be used to launch such an attack remotely – they called it a “remote malicious butler” attack.

Hoch and Be’ery said the malicious butler attack did not work if the patches released by Microsoft were applied. However, Ahmed discovered that the second fix issued by Microsoft was incomplete as well.

In the original evil maid attack, the attacker sets up a rogue domain controller (DC) carrying the same domain name as the domain the victim’s computer is joined to, and creates on it a user account whose username matches the victim’s and whose password is set to expire.

The attacker then connects the targeted machine to the rogue DC and logs in with the account they created. Because the password has expired, Windows prompts for a new one; the attacker sets it, and the new password is written into the local machine’s cached domain credentials. In the last phase, the attacker disconnects the computer from the rogue DC and logs in with their own password. With no domain controller reachable, Windows validates the logon against the cached credentials rather than the real DC, so the attacker’s password is accepted.

Microsoft attempted to address the vulnerability in February by adding an additional authentication check. However, Ahmed has discovered that there is another way to carry out the attack.

In patched versions of Windows, when a password change is attempted while the machine is connected to a rogue DC, an error message informs the user that the domain controller is not trusted.

The researcher noticed, however, that the password could still be changed if the rogue domain controller was disconnected in the middle of the password reset process. The expert used the Windows Firewall to block traffic to the rogue DC part-way through the reset, and the password was successfully changed after six minutes.

The requirement to wait six minutes for the password change made the attack somewhat impractical, but after an analysis of the traffic between the client and the server, Ahmed managed to bring it down to one minute.

Microsoft was informed about this vulnerability in early April and patched it this week with the release of the MS16-101 security bulletin (CVE-2016-3237). Be’ery and Hoch pointed out that this latest patch is relevant for both the local evil maid attack and their remote butler version.
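The attack above depends on three things on the target host: the machine is domain-joined, Windows caches domain logons locally, and the MS16-101 update is absent. The following PowerShell audit, an added example that is not code from the article or from Microsoft, reports those three conditions for the local host. It assumes you supply the KB article IDs that MS16-101 ships as for your OS build (taken from the bulletin; none are hard-coded here), and it reads the real `CachedLogonsCount` value under the Winlogon registry key, which defaults to 10 when absent.

```powershell
# Added example (not from the article or Microsoft): audit the local host for
# the conditions the cached-credential logon bypass relies on.
# Assumption: -Ms16101Kb is the list of KB IDs MS16-101 installs as on this
# OS, copied from the bulletin by the operator; nothing is hard-coded.
function Test-CachedLogonExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Ms16101Kb
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # CachedLogonsCount is a REG_SZ under the Winlogon key; when the value is
    # missing Windows behaves as if it were "10".
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
    $cached = if ([string]::IsNullOrEmpty($raw)) { 10 } else { [int]$raw }

    # Get-HotFix lists updates recorded in Win32_QuickFixEngineering.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty HotFixID)
    $patched = @($Ms16101Kb | Where-Object { $installed -contains $_ }).Count -gt 0

    $domainJoined = [bool]$cs.PartOfDomain

    [pscustomobject]@{
        ComputerName      = $cs.Name
        DomainJoined      = $domainJoined
        CachedLogonsCount = $cached
        Ms16101Installed  = $patched
        # All three must hold for the rogue-DC password change to yield a
        # usable cached credential on this host.
        Exposed           = ($domainJoined -and $cached -gt 0 -and -not $patched)
    }
}

# Usage (KB IDs below are a hypothetical placeholder; substitute the real ones
# from the MS16-101 bulletin for your OS version):
# Test-CachedLogonExposure -Ms16101Kb 'KB0000000','KB0000001' | Format-List
```

Setting `CachedLogonsCount` to `0` removes the cached credential the attack depends on, but it also means users cannot log on when no domain controller is reachable, which is rarely acceptable for laptops; applying MS16-101 is the fix the article describes, and the cached-logon check is only a compensating control where the update cannot be deployed.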


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
