New Exploit Unveiled for Windows Server ‘WinReg’ NTLM Relay Attack
October 22, 2024
Proof-of-concept exploit code has been published for a vulnerability in Microsoft's Remote Registry client that could allow an attacker to take control of a Windows domain by downgrading the security of the authentication process. The vulnerability, tracked as CVE-2024-43532, stems from a fallback mechanism in the Windows Registry (WinReg) client implementation that reverts to older transport protocols when the SMB transport is unavailable. This allows an attacker to relay NTLM authentication to Active Directory Certificate Services (ADCS) and obtain a user certificate that can then be used to authenticate to the domain.
The flaw affects all Windows Server versions from 2008 through 2022, as well as Windows 10 and Windows 11. It originates in the way Microsoft's Remote Registry client handles RPC (Remote Procedure Call) authentication in certain fallback scenarios when SMB transport is not available. In those cases the client switches to older transports such as TCP/IP and uses a weak authentication level (RPC_C_AUTHN_LEVEL_CONNECT), which does not protect the authenticity or integrity of the connection.
An attacker who intercepts the client's NTLM authentication handshake and forwards it to another service, such as ADCS, could then authenticate to the server and create new domain administrator accounts. Successful exploitation of CVE-2024-43532 therefore provides a new way to carry out an NTLM relay attack, using the WinReg component to relay authentication material in a manner that can lead to domain takeover. Threat actors such as the LockFile ransomware gang have previously used NTLM relay techniques to take over Windows domains.
The vulnerability was discovered by Akamai researcher Stiv Kupchik, who reported it to Microsoft on February 1. Microsoft initially dismissed the report on April 25 as a documentation issue. In mid-June, Kupchik resubmitted the report with a more detailed proof-of-concept and explanation, and Microsoft confirmed the vulnerability on July 8. Microsoft released a fix three months later. The researcher has now published a working proof-of-concept for CVE-2024-43532 and described the exploitation process, from setting up a relay server to obtaining a user certificate from the target, at the No Hat security conference in Bergamo, Italy.
The report from Akamai also provides a method to determine if the Remote Registry service is enabled on a machine as well as a YARA rule to detect clients that use a vulnerable WinAPI. The researchers also suggest using Event Tracing for Windows (ETW) to monitor for specific RPC calls, including those related to the WinReg RPC interface.
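As an added illustration of the RPC monitoring the Akamai report recommends (this is an example written for this article, not Akamai's or Microsoft's code), the script below flags WinReg RPC binds that take the non-SMB fallback path at the weak CONNECT authentication level. The event line format is a constructed key=value rendering rather than the real Microsoft-Windows-RPC ETW schema; the WinReg interface UUID and the RPC_C_AUTHN_LEVEL_* values are the standard ones.

```python
"""Flag Remote Registry (WinReg) RPC binds that use the weak CONNECT
authentication level over a non-SMB transport (the fallback condition
behind CVE-2024-43532). Input lines are a constructed, simplified
key=value rendering of RPC trace events, not the real ETW schema."""
import re

# MS-RRP (Remote Registry) RPC interface UUID.
WINREG_IFACE_UUID = "338cd001-2244-31f1-aaaa-900038001003"

# RPC authentication levels (RPC_C_AUTHN_LEVEL_* from rpcdce.h).
AUTHN_LEVEL_CONNECT = 2        # authenticates only at connection setup
AUTHN_LEVEL_PKT_INTEGRITY = 5  # every packet is signed
AUTHN_LEVEL_PKT_PRIVACY = 6    # every packet is signed and encrypted

# ncacn_np is carried over SMB named pipes; ncacn_ip_tcp is raw TCP.
SMB_TRANSPORTS = {"ncacn_np"}

LINE_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Parse one constructed key=value trace line into a dict."""
    return dict(LINE_RE.findall(line))

def is_weak_winreg_bind(event):
    """True for a WinReg bind over a non-SMB transport whose
    authentication level is below packet integrity."""
    if event.get("iface", "").lower() != WINREG_IFACE_UUID:
        return False
    if event.get("protseq") in SMB_TRANSPORTS:
        return False
    try:
        level = int(event.get("authn_level", "0"))
    except ValueError:
        return False  # malformed field: do not report a guess
    return level < AUTHN_LEVEL_PKT_INTEGRITY

def find_weak_binds(lines):
    """Return (client, server, protseq, authn_level) per flagged line."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_weak_winreg_bind(ev):
            hits.append((ev.get("client"), ev.get("server"),
                         ev.get("protseq"), int(ev["authn_level"])))
    return hits

# Constructed sample: (1) normal SMB named-pipe bind, (2) the TCP fallback
# at RPC_C_AUTHN_LEVEL_CONNECT, (3) an unrelated interface over TCP.
SAMPLE_EVENTS = [
    "event=RpcClientBind client=10.0.0.5 server=10.0.0.9 protseq=ncacn_np iface=338CD001-2244-31F1-AAAA-900038001003 authn_level=6",
    "event=RpcClientBind client=10.0.0.5 server=10.0.0.77 protseq=ncacn_ip_tcp iface=338CD001-2244-31F1-AAAA-900038001003 authn_level=2",
    "event=RpcClientBind client=10.0.0.5 server=10.0.0.77 protseq=ncacn_ip_tcp iface=12345678-1234-abcd-ef00-0123456789ab authn_level=2",
]

if __name__ == "__main__":
    for hit in find_weak_binds(SAMPLE_EVENTS):
        print("weak WinReg bind:", hit)
```

Only the second constructed line is reported; a bind over ncacn_np, or any bind at PKT_INTEGRITY or above, is left alone.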