Microsoft has released yet another patch for a serious Windows authentication bypass vulnerability first disclosed by researchers nine months ago.
In November 2015, researcher Ian Haken demonstrated a flaw (CVE-2015-6095) that could be leveraged by a local attacker to bypass authentication on the Windows login screen. Microsoft attempted to address the flaw a week before it was disclosed by Haken, but researchers Nabeel Ahmed and Tom Gilis later showed that the fix was incomplete so the tech giant released another patch (CVE-2016-0049) in February 2016.
Researchers initially believed this attack could only be carried out by an attacker with physical access to the targeted device (i.e. a so-called evil maid attack). However, last week at the Black Hat security conference, Microsoft’s Chaim Hoch and Tal Be’ery reported discovering a method that can be used to launch such an attack remotely – they called it a “remote malicious butler” attack.
Hoch and Be’ery said the malicious butler attack did not work if the patches released by Microsoft were applied. However, Ahmed discovered that the second fix issued by Microsoft was incomplete as well.
In the original evil maid attack, a hacker must set up a rogue domain controller (DC) with the same domain name as the victim’s computer, and create a user account matching the victim’s username and configured so that its password would expire.
The attacker then needs to connect the targeted machine to the rogue DC and log in with the account they created. Since the password is set to expire, the attacker is prompted to change it and the new one is added to the local system’s cached credentials. In the last phase of the attack, the hacker disconnects the computer from the rogue DC and logs in with their own password, which is valid as it is compared to cached credentials instead of ones from the domain controller.
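The cached-credential step above is the part an administrator can audit directly. The following PowerShell script is an added example, not code from the article or from any of the researchers named in it; it reads the host's CachedLogonsCount setting (the Winlogon registry value that controls how many domain logons Windows caches) and then correlates recent password-change events (4723/4724) with logons validated against cached credentials (4624 with LogonType 11) for the same account. The seven-day window and the ten-minute correlation threshold are assumptions chosen for illustration; the script must run with administrative rights on a machine where Account Management and Logon auditing are enabled.

```powershell
# Added example (not from the article): audit the cached-credential path on this host.
# Assumes: Administrator rights, domain-joined Windows, Security log auditing of
# Account Management and Logon/Logoff events enabled.

# 1. How many domain logons does this machine cache? (Windows default is 10 when unset.)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }
Write-Output "CachedLogonsCount = $cached"
if ([int]$cached -gt 0) {
    Write-Output 'Cached domain credentials are retained: a logon can succeed against the cache when no DC is reachable.'
}

# Helper: pull one named field out of a Security event's EventData.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 2. Collect password changes/resets and cached-credential logons from the last 7 days (assumed window).
$since = (Get-Date).AddDays(-7)
$pwEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $since } -ErrorAction SilentlyContinue
$logons   = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField -Event $_ -Name 'LogonType') -eq '11' }   # 11 = CachedInteractive

# 3. Flag a cached logon that follows a password change for the same account within 10 minutes (assumed threshold).
$threshold = New-TimeSpan -Minutes 10
foreach ($pw in $pwEvents) {
    $account = Get-EventField -Event $pw -Name 'TargetUserName'
    foreach ($lg in $logons) {
        $lgAccount = Get-EventField -Event $lg -Name 'TargetUserName'
        $delta = $lg.TimeCreated - $pw.TimeCreated
        if ($lgAccount -eq $account -and $delta -ge [TimeSpan]::Zero -and $delta -le $threshold) {
            [pscustomobject]@{
                Account        = $account
                PasswordChange = $pw.TimeCreated
                CachedLogon    = $lg.TimeCreated
                Note           = 'Cached-credential logon shortly after a password change; verify the DC that handled the change.'
            }
        }
    }
}
```

Run it from an elevated PowerShell prompt on the workstation being reviewed. A non-zero CachedLogonsCount is normal for laptops that must work offline, so the output is a starting point for review rather than a verdict; the correlation step simply surfaces the sequence the article describes (change password, then authenticate against the cache) so it can be checked against the DC that actually processed the change.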
Microsoft attempted to address the vulnerability in February by adding an additional authentication check. However, Ahmed has discovered that there is another way to carry out the attack.
In patched versions of Windows, when a password change is attempted while the machine is connected to a rogue DC, an error message informs the user that the domain controller is not trusted.
The researcher noticed, however, that the password could still be changed if the rogue domain controller was disconnected in the middle of the password reset process. The expert blocked the rogue DC using the Windows Firewall, and the password was successfully reset after six minutes.
The requirement to wait six minutes for the password change made the attack somewhat impractical, but after an analysis of the traffic between the client and the server, Ahmed managed to bring it down to one minute.
Microsoft was informed about this vulnerability in early April and patched it this week with the release of the MS16-101 security bulletin (CVE-2016-3237). Be’ery and Hoch pointed out that this latest patch is relevant for both the local evil maid attack and their remote butler version.