Windows' authentication 'flaw' exposed in detail

Security researcher "dfirblog" has forensically examined what he calls a "devastating" flaw in Windows' Kerberos authentication system. The vulnerability cannot be fixed, and the only solution is to use Microsoft's Credential Guard program to prevent passwords from being stored in memory, according to his extensive blog post …

Silver badge

Ouch, same Slurp different day.

7
14
Anonymous Coward

"same Slurp different day."

What's Google got to do with this?

9
8

RE: a_yank_lurker

Some people are very suggestible.

0
1
Anonymous Coward

Re: Some people are very suggestible.

Indeed, they think this ancient flaw is worth commenting on, but have nothing to say about this http://www.theregister.co.uk/2015/12/15/joomla_vuln/ 8-year-old SQL injection bug in one of the most popular open source CMSs...

You hack it by changing your user agent? By the reaction here you'd think it's easier to get admin on a windows domain than to spoof your user agent.

1
7
Anonymous Coward

Re: Some people are very suggestible.

Wait, you're honestly comparing a friggin' operating system user authentication massive hole (mainly for enterprise, no less) to some totally optional userland component probably found on less than 5% (being very generous) of the installs out there? Carry on. (For the record, yes, there have been some pretty major security lapses in open source as well, but this is a relatively lame example.)

6
2
Bronze badge

Re: Some people are very suggestible.

I imagine the difference that accounts for the equivalence, is exposure.

The first step in exploiting a vulnerability is obtaining access via the required vector.

Joomla web sites are... well... web sites. Usually very accessible, being on the web and all.

The flaw in the Windows authentication system, on the other hand (as far as I can tell from the Register coverage at least), would seem to require physical access to the machine (the contents of memory being involved).

Could be wrong tho.

1
0
Silver badge

Re: Some people are very suggestible.

CMS web sites are the diseased prostitutes of internet servers in general. Wordpress is even worse. A big bag of hurt that makes even Java and Flash look secure by comparison. I do see your point how context matters but being as I am not responsible for any internet facing servers I tend to be much more worried about desktop security (mostly mine).

0
0

This "news" is over a year old. Mimikatz did this a long time ago. Not sure why this is in the headlines again.

0
0
Silver badge

Imagine that

Shocked. Shocked I tell you!

15
2

So, the final paragraph essentially is saying, "Upgrade to Microsoft's latest desktop OS and Server software, trust us, enable these new untested doohickies and pray". Stuff starts hitting the fan pretty shortly...

Man, I'm getting tired of this... Between crap security patches and crap protocol implementation, I'm glad my other system is a Linux box... Time to give Winders a vacation, perhaps retirement.

26
21
Anonymous Coward

Well, at least on Linux, Kerberos is an option rather than a requirement.

Linux has its own flaws though.

25
5

That's idiotic

When Windows 2000 came out with Active Directory, would you be saying, "Oh look, of course Microsoft's answer to the unmanageability of multiple and large domains is to upgrade to their latest desktop and server, trust us, enable these new untested doohickies and pray"? Every OS version has added new management tools and new security protections, I don't know why that's such a hard concept to grasp.

12
4
LDS
Silver badge

In Windows, Kerberos is a requirement only if Active Directory is enabled - otherwise it just uses NTLM for authentication, which is even worse. Anyway, even in Linux, as soon as you have more than three machines and users you need to set up something to authenticate without just relying on local passwd files...

6
0
Anonymous Coward

But the paragraph "by using the password associated with a disabled username (krbtgt). That password is rarely changed, making it possible to bypass the authentication system altogether" seems to suggest the mitigation is that you just change the password for this secret user to something other than the default.

Is this not the case or would this break authentication across the whole directory?

7
0

Resetting the password

It's not a one-click process, but Microsoft has a tool to do all the hard work for you:

https://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/

You have to reset it twice, but if you do that, it won't replicate; the script just waits until everyone's on the same page to do it again. You could conceivably set this to run every so often during lulls.

7
0
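A toy model, added here and not Microsoft's script or any code from the article, of why that reset has to be done twice: a Windows KDC keeps the previous krbtgt key alongside the current one, so a ticket protected under the old key still validates after a single reset and is only rejected once a second reset has pushed that key out of the history. Keys, the HMAC-SHA256 tag standing in for Kerberos encryption, and the principal name are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import time

# Assumption for this toy model: the KDC honours the current key and one
# previous key (depth 2), which is why the reset procedure runs twice.
KEY_HISTORY_DEPTH = 2


class ToyKdc:
    """Minimal stand-in for the krbtgt key handling of a domain's KDC."""

    def __init__(self):
        self.krbtgt_keys = [os.urandom(32)]  # index 0 is always the current key

    def reset_krbtgt_password(self):
        """One password reset: new current key, old one kept as 'previous'."""
        self.krbtgt_keys.insert(0, os.urandom(32))
        del self.krbtgt_keys[KEY_HISTORY_DEPTH:]  # drop anything older than n-1

    def issue_tgt(self, principal, lifetime_s=600):
        """Issue a TGT: a body plus an integrity tag under the current key."""
        body = json.dumps({"cname": principal, "exp": int(time.time()) + lifetime_s})
        tag = hmac.new(self.krbtgt_keys[0], body.encode(), hashlib.sha256).hexdigest()
        return body, tag

    def validate_tgt(self, body, tag):
        """Accept the ticket if it is unexpired and verifies under ANY key in history."""
        if json.loads(body)["exp"] < time.time():
            return False
        for key in self.krbtgt_keys:
            expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, tag):
                return True
        return False


def tgt_validity_across_resets(n_resets=3):
    """Return whether an old TGT is still accepted before and after each reset."""
    kdc = ToyKdc()
    body, tag = kdc.issue_tgt("alice@EXAMPLE.LOCAL")  # constructed principal
    results = [kdc.validate_tgt(body, tag)]
    for _ in range(n_resets):
        kdc.reset_krbtgt_password()
        results.append(kdc.validate_tgt(body, tag))
    return results


if __name__ == "__main__":
    # One reset leaves the stale ticket valid; the second finally rejects it.
    print(tgt_validity_across_resets())
```

The model also shows why the script waits for replication between the two resets: a DC that has not yet received the first new key would still be issuing tickets under a key the second reset is about to retire.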
Silver badge
WTF?

Re: Resetting the password

That KRBTGT Account Password Reset Script article is almost a year old, and seems to state what this Register article states. So what is actually new here?

8
0
Vic
Silver badge

at least on Linux, Kerberos is an option rather than a requirement.

AIUI, this isn't a problem with Kerberos per se, it's a problem with the way it is used on Windows.

Unless I've misunderstood the article, Kerberos on other OSes is unaffected.

Vic.

2
0
Linux

Kerberos

Does this flaw extend to other implementations of Kerberos, such as the ones used by Unix and Linux?

0
0
Bronze badge

"Kerberos on other OSes is unaffected."

That would be on other OSes that don't have disused or disabled accounts, and clear key hashes from memory.

On the basis of repeated reports over the last 5 years, BSD and Linux based systems have been very slow to maintain proper memory sanitation (clearly due to the fact that Windows was forced into attempts at memory sanitation much earlier).

And chances are high that many people have disused or disabled accounts.

So although this particular account is a Windows account, generically it's the kind of fault you'd expect to see on many *nix systems.

Except, of course, that most *nix systems don't use network authentication, so they don't use Kerberos, so the "password/key recovery from memory" failures we've seen in the last couple of years have been in local authentication.

1
1
Silver badge

Well, Ain't that dandy!

Article title:

"'Devastating' flaw found in Windows' authentication system"

The flaw:

"The krbtgt user is created when the system is first installed and is inactive, so it can remain untouched on a system for years – providing ready access to a hacker."

Opening of final paragraph:

"Dfirblog notes: "Mitigation of most of these attacks is not possible, as this is simply how Kerberos works in the Windows environment""

Ouch! So it works on Windows by automatically installing a backdoor? Who insisted on that feature, I wonder?

25
4
Bronze badge

Re: Well, Ain't that dandy!

Who knew? Practically everyone that actually worked with Kerberos.

Kerberos was never intended to be an authorization service. Not designed for it, and was never implemented that way... Until MS broke the protocol and tried to make it an authorization service.

And still using the insecure NTLM passwords... Guess what, no security.

11
12

Re: Well, Ain't that dandy!

From the MIT site:

Kerberos is a network authentication protocol

So what, exactly, is it supposed to be, in your world? Or are you quibbling about the semantics of "service" vs "protocol"?

26
6
Silver badge
Headmaster

Re: Well, Ain't that dandy!

Pardon me, but isn't the difference between 'authorisation' and 'authentication'?

A passport tells you who I am. It's authentication. It doesn't let me enter your country. That takes a Visa. That's authorisation.

38
2

Re: Well, Ain't that dandy!

Article: "Security researcher @dfirblog has discovered what he calls a devastating flaw in Windows' Kerberos authentication system."

oldcoder: "Who knew? Practically everyone that actually worked with Kerberos. Kerberos was never intended to be an authorization service."

That's untrue, but oldcoder played the "everyone knows this" card and then switched terminology, so I'm going to explain.

First, this exploit is with authentication. Kerberos tickets are used to authenticate. The Kerberos Ticket Granting Ticket (tgt) is a function of the Kerberos Authentication Server. Authentication means "are you really that person you claim to be?" Authorization means "is this person allowed to do X?" Just because I can authenticate that I'm a city resident, that does not necessarily authorize me to park my car in the middle of City Hall.

Second, Kerberos manages both Authentication and Authorization. You can authenticate as a valid user in that realm. You can request authorization on a certain client computer (maybe to login over ssh, or to sudo). These are all handled by the KDC.

Explanation of Authentication, Authorization, and Auditing (AAA) https://www.pingidentity.com/en/resources/articles/authentication-authorization-audit-logging-account-management.html

Kerberos overview: http://www.kerberos.org/software/tutorial.html

35
0
LDS
Silver badge

Re: Well, Ain't that dandy!

Just, you can get a visa without a passport (Visa is a credit card, BTW - sometimes money helps to get a visa, though...).

Authorization in Windows is much more complex - it relies on Active Directory, local security and object ACLs... just, before being able to match a user against the auth data, you need to ensure the user is authenticated.

0
22

Re: Well, Ain't that dandy!

A visa is permission to enter, remain on, and leave foreign soil. Visa the company took its name from this, as in your visa to the retail world. (Or your visa to the debt world, only no one's going to revoke that.)

7
0
Anonymous Coward

Re: Well, Ain't that dandy!

Visa is a credit card,

Comical, looks like you never left Royston Vasey, try getting out in the World.

2
5
Flame

Re: Well, Ain't that dandy!

Authorization in Windows is much more complex an unholy mess

FTFY.

7
8
LDS
Silver badge

Re: Well, Ain't that dandy!

Actually, it's most of the *nixes' authorization schemes that are utterly unable to cope with actual needs, still being designed for the needs of forty years ago... when computers had a few highly vetted users and a few processes running... it's no surprise that the more modern ones are much more alike the Windows one. A complex world needs a complex solution....

4
16
LDS
Silver badge

Re: Well, Ain't that dandy!

Funny, maybe you're also a fan of case-sensitive OSes and languages...

2
17
LDS
Silver badge

Re: Well, Ain't that dandy!

Ooops, I wanted to write "you CAN'T get a visa without a passport" (usually; some exceptional cases may exist) - meaning you can't get authorization without being authenticated first - that's what Kerberos does in Windows - to be matched against any authorization mechanism you need first to present a valid Kerberos ticket which can be verified, then the login will be matched against any authorization backend the application uses (as long as it is integrated with the Kerberos system). RADIUS for example can be integrated with Kerberos for SSO logins - but Kerberos does only the authentication part, authorization is handled by the RADIUS database. Same for Active Directory.

0
3
Silver badge
Facepalm

Re: Well, Ain't that dandy!

Actually, it's most of the *nixes authorization schemes that is a utterly unable to cope with actual needs

Are you cereal?

Give me link to a gripewrite, please.

4
1
Silver badge

A visa is permission to enter, remain on,

Not in the USA it ain't. The visa gets you in the door. What keeps you in the country is the I94.

Not to be confused with the I95, which gets you from New York to Disney World.

4
0
Bronze badge

Re: Well, Ain't that dandy!

D.A.M.> Apparently Case Insensitivity in systems is good and right, in the same vein that setting the localtime into the hardware clock during DST changes is also practical and sensible.

5
0
Gold badge

Re: Well, Ain't that dandy!

"in the same vein that setting the localtime into the hardware clock"

The connection here is completely lost on me, unless you felt that case sensitivity was a little too debatable for your rhetorical needs and so you needed to hitch your argument onto a more blatant straw man.

2
0
Silver badge

Re: A visa is permission to enter, remain on,

> I95, which gets you from New York to Disney World.

Wow, taking the I95 that far would definitely qualify for an event in the pain Olympics. That drive is the repeated dick punch of drives, at least when it comes to the US.

0
0

Re: Well, Ain't that dandy!

Visa /= visa...

0
0
Anonymous Coward

Re: A visa is permission to enter, remain on,

"Wow taking the I95 that far would definitely quality for an event in the pain Olympics. That drive is the repeated dick punch of drives at least when it comes to the US."

And be sure to start on the 495 on any weekday in the late afternoon!

0
0

Re: A visa is permission to enter, remain on,

> I95, which gets you from New York to Disney World.

Wouldn't you fly that?

0
0
Bronze badge

Re: Well, Ain't that dandy!

"setting the localtime into the hardware clock during DST changes"

I can only guess, given that this is the comment section of "The Register", that you think that comment somehow applies to something like Windows or OSX or some Linux distribution.

But it doesn't. Not to Windows, not to OSX, not to any common Linux distribution.

0
0
Anonymous Coward

@AC Re: Well, Ain't that dandy!

Itzman: "That takes a Visa,"

LDS: "Visa is a credit card,"

AC: "Comical, looks like you never left Royston Vasey, try getting out in the World."

Capital "V" visa, except if the first word in a sentence, is incorrect when referring to the stamp put on your passport. That "visa" should never, in English, be capitalized unless it's the first word of a sentence.

The credit card "Visa" needs to have an upper case "v" no matter where it occurs in a sentence.

LDS made the mistake of putting "Visa" as the first word of the sentence, where all forms of the word must be capitalized; so part of his point concerning incorrect capitalization and its somewhat humorous result was lost.

"Comical, looks like you never left Royston Vasey, try getting out in the World."

Try being literate. (And that should be a lower case "w" in "world". And your second comma should have been a semi-colon.)

0
1
Bronze badge

Re: Well, Ain't that dandy!

"But it doesn't. Not to Windows, not to OSX, not to any common Linux distribution"

This argument is old and dusty, and where one was argued the other was argued, and yes, Windows most certainly did this, as my GMT dual-boot Linux repeatedly attested.

Yesterday I *genuinely* caught someone accidentally changing something to use an O instead of a 0. They were annoyed. Why does it matter?!

1
1
Silver badge

Wouldn't you fly that?

I'll take a two day drive in a vehicle I know over the nonsensical bread-and-circuses check-in horseshirt, baggage limitations and need to hire a car at the other end (c/w Orlando's ridiculous views on airport tax zones) every single time.

You are free to wander shoeless through the x-ray machine with one checked bag included in the ticket price, and deal with the shuttle bus if you want.

Me, I'll vote with my feet and do my part to drive the airlines and airport management vendors into sense-inducing bankruptcy.

0
0
Silver badge
Megaphone

Re: Wouldn't you fly that?

Not denying flying sucks donkey balls, but so does that drive and pretty much all travel around the northeast corridor of the US, which is why I say most of the people that live there have never lived anywhere else. Their ancestors never wandered far from the boat that dropped them off, and so now they are genetically disposed to live in overpriced tiny houses/apartments/studios with millions of other similarly disposed ants.

0
0
Bronze badge

Re: Well, Ain't that dandy!

"The connection here is completely lost on me"

Same vein. Mindspace neighbours. They were argued by the same people in the same places with the same mindset with the same justifications.

"a little too debatable for your rhetorical needs and so you needed to hitch your argument onto a more blatant straw man."

Interestingly violent labelgun reaction to an observed truth. So, "F00" vs "foo", and hardware clock/OS DST parity - where do you stand?

1
0
Silver badge

choices

Some people want security, others just wish for it.

5
0
Silver badge

bring on the downvotes

>Some people want security

http://www.openbsd.org/

https://www.mtier.org/solutions/apps/openup/ (simple command for easy security patching of OpenBSD base system).

There you go both are FOSS.

1
0
Silver badge

Re: bring on the downvotes

The only other internet enabled general operating system that generates critical CVEs at a lower rate doesn't run on x86 (yet) and is most definitively not FOSS (OpenVMS).

0
0
Silver badge

subheading

I particularly liked the subheading for this article... made me chuckle!

2
0
Silver badge

And since you need physical access to the server/network we're all doomed. Not.

1
6
