by Mitja Kolsek, the 0patch Team
"KrbRelay" is a tool that exploits a forced-authentication issue in Windows, allowing a low-privileged domain user to take over a Windows computer and potentially become a local or domain admin within minutes. The tool, based on James Forshaw's research, was developed by security researcher cube0x0, and was later wrapped by Mor Davidovich into another tool called "KrbRelayUp" that further automated the attack steps for escalating privileges.
KrbRelay provides various options for launching different variants of the attack; some of these were already known under the name RemotePotato0, for which we had already issued patches. What was new for us with KrbRelay was its ability to launch a local service (running in session 0) via RPC and exploit it to leak Local System credentials through forced authentication. To be exploitable, a service must allow authentication over the network, and only two such services were identified on affected Windows versions:
- ActiveX Installer Service, identified by CLSID 90f18417-f0f1-484e-9d3c-59dceee5dbd8; and
- RemoteAppLifetimeManager.exe, identified by CLSID 0bae55fc-479f-45c2-972e-e951be72c0c1.
Microsoft does not fix forced authentication issues unless an attack can be mounted anonymously. Unfortunately, not all of our customers can disable the relevant services or implement mitigations without breaking production, so it is on us to provide them with patches.
For identification purposes we named the vulnerability exposing the above services "KrbRelay", since the other attack vectors provided by the tool were already blocked by our existing patches for RemotePotato0. We chose to inject our patch logic at the point where a local unprivileged attacker launches the exploitable service, because such a patch is fairly simple - and we like it simple: it's harder to make mistakes.
Our patch, whose source code is shown below, resides in rpcss.dll and checks whether someone is trying to launch one of the above services via RPC; if so, the launch is allowed only when the requestor's token is elevated, and denied otherwise. The excerpt shows the check for the ActiveX Installer Service CLSID. This is the same approach we used when patching RemotePotato0.
; memory representation: 17 84 f1 90 f1 f0 4e 48 9d 3c 59 dc ee e5 db d8
; clsid: 90f18417-f0f1-484e-9d3c-59dceee5dbd8
dd 0x90f18417 ; CIeAxiInstallerService Class
dw 0xf0f1, 0x484e
db 0x9d, 0x3c, 0x59, 0xdc, 0xee, 0xe5, 0xdb, 0xd8
pop rcx ; rcx => clsid in memory representation
mov rdx, [rbx] ; ClientToken handle
mov r8, 16 ; length to compare
call PIT__strnicmp ; Compares the specified number of characters
; of two strings without regard to case
cmp rax, 0 ; rax == 0 -> strings are equal
jne CONTINUE ; if rax != 0 (different CLSID) continue normal code flow
mov rdx, [rbx+8]
mov rdx, [rdx]
mov rcx, [rdx+40h] ; current session token, TokenHandle
mov rdx, 14h ; TokenInformationClass, TokenElevation
sub rsp, 30h ; home space + vars
lea r8, [rsp+30h] ; TokenInformation
mov qword[rsp+30h], 0 ; memset
mov r9, 4 ; TokenInformationLength
lea rax, [rsp+28h] ; ReturnLength address
mov [rsp+20h], rax ; pointer to address
call PIT_GetTokenInformation ; The GetTokenInformation function retrieves a
; specified type of information about an access token
add rsp, 30h ; restore stack pointer
cmp byte[rsp], 0 ; token elevated?
je PIT_0x68ccd ; 0 = not elevated: jump (launch denied); 1 = elevated: fall through to normal code flow
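The same gate in portable C, as an added example that is not part of the 0patch micropatch or of the original post: it converts the two textual CLSIDs into the mixed-endian byte layout shown in the listing's "memory representation" comment, compares the requested CLSID byte-for-byte, and admits a guarded CLSID only for an elevated token. The Windows-only token_is_elevated() wrapper around GetTokenInformation(TokenElevation) is assumed to be called from a privileged host such as rpcss with the caller's token handle; the function names and the sample requests in main() are my own and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* CLSIDs the micropatch gates, in the textual form used in the article. */
static const char *const GUARDED_CLSIDS[] = {
    "90f18417-f0f1-484e-9d3c-59dceee5dbd8", /* ActiveX Installer Service */
    "0bae55fc-479f-45c2-972e-e951be72c0c1", /* RemoteAppLifetimeManager.exe */
};

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Convert "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" into the 16 bytes Windows keeps in
 * memory for a GUID {DWORD Data1; WORD Data2; WORD Data3; BYTE Data4[8]}: the first
 * three fields are stored little-endian, Data4 as written. Returns 0, or -1 on bad input. */
int clsid_to_memory(const char *text, unsigned char out[16]) {
    unsigned char raw[16];
    int n = 0;
    if (strlen(text) != 36) return -1;
    for (int i = 0; i < 36; i++) {
        if (i == 8 || i == 13 || i == 18 || i == 23) {
            if (text[i] != '-') return -1;
            continue;
        }
        int hi = hexval(text[i]), lo = hexval(text[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        raw[n++] = (unsigned char)((hi << 4) | lo);
        i++; /* consumed two hex digits */
    }
    out[0] = raw[3]; out[1] = raw[2]; out[2] = raw[1]; out[3] = raw[0]; /* Data1 */
    out[4] = raw[5]; out[5] = raw[4];                                   /* Data2 */
    out[6] = raw[7]; out[7] = raw[6];                                   /* Data3 */
    memcpy(out + 8, raw + 8, 8);                                        /* Data4 */
    return 0;
}

/* 1 if this CLSID is one of the two services the patch protects. Exact 16-byte compare:
 * GUIDs are binary data with possible 0x00 bytes and no "case", so a NUL-terminated,
 * case-folding string compare such as the listing's _strnicmp can treat a different
 * GUID as a match (extra blocking); memcmp is the right primitive. */
int launch_is_guarded(const unsigned char clsid[16]) {
    for (size_t k = 0; k < sizeof GUARDED_CLSIDS / sizeof GUARDED_CLSIDS[0]; k++) {
        unsigned char want[16];
        if (clsid_to_memory(GUARDED_CLSIDS[k], want) == 0 && memcmp(clsid, want, 16) == 0)
            return 1;
    }
    return 0;
}

/* The gate itself: anything not guarded passes; a guarded CLSID needs an elevated token. */
int should_allow_launch(const unsigned char clsid[16], int token_is_elevated) {
    return !launch_is_guarded(clsid) || token_is_elevated;
}

#ifdef _WIN32
/* Windows only: the same query the listing issues, GetTokenInformation with
 * TokenInformationClass = TokenElevation (0x14) into a TOKEN_ELEVATION. Fails closed. */
int token_is_elevated(HANDLE token) {
    TOKEN_ELEVATION te = {0};
    DWORD len = 0;
    if (!GetTokenInformation(token, TokenElevation, &te, sizeof te, &len)) return 0;
    return te.TokenIsElevated != 0;
}
#endif

int main(void) {
    /* Constructed sample requests: the two guarded CLSIDs and an unrelated one. */
    unsigned char clsid[16];
    const char *requests[] = { GUARDED_CLSIDS[0], GUARDED_CLSIDS[1],
                               "00000000-0000-0000-0000-000000000000" };
    for (int i = 0; i < 3; i++) {
        if (clsid_to_memory(requests[i], clsid) != 0) continue;
        printf("%s non-elevated:%s elevated:%s\n", requests[i],
               should_allow_launch(clsid, 0) ? "allow" : "deny",
               should_allow_launch(clsid, 1) ? "allow" : "deny");
    }
    return 0;
}
```

On a non-Windows build the token query is compiled out and the decision function is driven by a caller-supplied flag, which is enough to check the byte layout and the allow/deny logic; on Windows, pass the result of token_is_elevated() on the RPC client's token.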
Although this vulnerability has no official vendor patch and could be considered a "0day", Microsoft seems determined not to fix relaying issues such as this one; this micropatch is therefore not provided in the FREE plan but requires a PRO or Enterprise license.
The micropatch was written for the following versions of Windows with all available Windows Updates installed:
- Windows 10 v21H2
- Windows 10 v21H1
- Windows 10 v20H2
- Windows 10 v2004
- Windows 10 v1909
- Windows 10 v1903
- Windows 10 v1809
- Windows 10 v1803
- Windows 7 (no ESU, ESU year 1, ESU year 2)
- Windows Server 2008 R2 (no ESU, ESU year 1, ESU year 2)
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email [email protected] for a trial. Everything else will happen automatically. No computer reboot will be needed.
To learn more about 0patch, please visit our Help Center.
We'd like to thank James Forshaw and cube0x0 for sharing details about this vulnerability and for sharing a tool, which allowed us to create a micropatch and protect our users. We also encourage security researchers to privately share their analyses with us for micropatching.