SecurityWeek

Identity & Access

Microsoft Patches Flaw Related to “Malicious Butler” Attack

Microsoft has released yet another patch for a serious Windows authentication bypass vulnerability first disclosed by researchers nine months ago.


In November 2015, researcher Ian Haken demonstrated a flaw (CVE-2015-6095) that could be leveraged by a local attacker to bypass authentication on the Windows login screen. Microsoft attempted to address the flaw a week before it was disclosed by Haken, but researchers Nabeel Ahmed and Tom Gilis later showed that the fix was incomplete so the tech giant released another patch (CVE-2016-0049) in February 2016.

Researchers initially believed this attack could only be carried out by an attacker with physical access to the targeted device (i.e. a so-called evil maid attack). However, last week at the Black Hat security conference, Microsoft’s Chaim Hoch and Tal Be’ery reported discovering a method that can be used to launch such an attack remotely – they called it a “remote malicious butler” attack.

Hoch and Be’ery said the malicious butler attack did not work if the patches released by Microsoft were applied. However, Ahmed discovered that the second fix issued by Microsoft was incomplete as well.

In the original evil maid attack, a hacker must set up a rogue domain controller (DC) with the same domain name as the victim’s computer, and create a user account matching the victim’s username and configured so that its password would expire.

The attacker then needs to connect the targeted machine to the rogue DC and log in with the account they created. Since the password is set to expire, the attacker is prompted to change it and the new one is added to the local system’s cached credentials. In the last phase of the attack, the hacker disconnects the computer from the rogue DC and logs in with their own password, which is valid as it is compared to cached credentials instead of ones from the domain controller.

Microsoft attempted to address the vulnerability in February by adding an additional authentication check. However, Ahmed has discovered that there is another way to carry out the attack.

In patched versions of Windows, when a password change is attempted while the machine is connected to a rogue DC, an error message informs the user that the domain controller is not trusted.


The researcher noticed, however, that the password could still be changed if the rogue domain controller was disconnected in the middle of the password reset process. The expert blocked the rogue DC using the Windows Firewall, and the password was successfully reset after six minutes.

The requirement to wait six minutes for the password change made the attack somewhat impractical, but after an analysis of the traffic between the client and the server, Ahmed managed to bring it down to one minute.

Microsoft was informed about this vulnerability in early April and patched it this week with the release of the MS16-101 security bulletin (CVE-2016-3237). Be’ery and Hoch pointed out that this latest patch is relevant for both the local evil maid attack and their remote butler version.
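The attack described above succeeds because, once the domain controller is unreachable, Windows validates the logon against locally cached domain credentials. The following PowerShell audit script is an added example written for this article; it is not code from SecurityWeek, the researchers, or Microsoft. It checks two things a defender would want to know on a domain-joined host: whether the MS16-101 update is installed, and how many domain logons the host caches. It assumes an elevated session, and the KB identifier is a placeholder because the article names only the bulletin (MS16-101) and not the per-OS update number; the `CachedLogonsCount` value corresponds to the Group Policy setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)".

```powershell
# Added defensive audit script (not from the SecurityWeek article or Microsoft).
# Assumptions: elevated PowerShell on a domain-joined Windows host; the KB id
# below is a PLACEHOLDER to be replaced with the MS16-101 update id for this
# OS version (the article gives the bulletin id only, not per-OS KB numbers).

$RequiredKb = 'KB0000000'   # PLACEHOLDER: MS16-101 update id for this OS build

# 1. Is the MS16-101 update present? Get-HotFix reads the installed-update list.
$hotfix = Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue
if ($hotfix) {
    "[OK]   $RequiredKb installed on $($hotfix.InstalledOn)"
} else {
    "[WARN] $RequiredKb not found; MS16-101 (CVE-2016-3237) may be unpatched"
}

# 2. How many domain logons does the host cache? The bypass relies on the logon
#    being validated against cached credentials once the DC is unreachable.
#    The value is a REG_SZ; the default is 10. 0 disables caching entirely
#    (laptops then cannot log on offline), 1 keeps only the most recent logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # an absent value means the default of 10
if ([int]$cached -gt 1) {
    "[WARN] CachedLogonsCount = $cached; consider lowering it via Group Policy"
} else {
    "[OK]   CachedLogonsCount = $cached"
}

# 3. Record which domain and logon server the host currently uses, so the
#    values can be compared against an inventory of legitimate DCs.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Domain: $($cs.Domain)  PartOfDomain: $($cs.PartOfDomain)"
"Logon server: $env:LOGONSERVER"
```

Lowering `CachedLogonsCount` limits how long a cached credential remains usable for interactive logon after the host has been joined to an untrusted DC, but it is a trade-off against offline logon for mobile users; applying the MS16-101 update is the fix the article describes, and the cache setting is a compensating control.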

Related: Secure Boot Vulnerability Exposes Windows Devices to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
