Abusing Mixed Vendor Kerberos Stacks, research by Ceri Coburn

Introduction

Kerberos is an authentication protocol used by both Windows and Unix/Linux-based operating systems. It facilitates mutual authentication of principles within a common realm, such as users or computers. While Kerberos handles authentication, authorization is left to the implementer of the specific Kerberos stack. In the context of Windows Active Directory, the authentication and authorization processes are crucial for ensuring secure access to resources.

Authentication and Authorization in Active Directory

Active Directory utilizes a complex search algorithm for authenticating principles, using multiple attributes within LDAP to find the user being authenticated. Authorization decisions are based on the Privileged Attribute Certificate (PAC) embedded inside the Kerberos ticket. However, collisions in principle names have led to vulnerabilities and privilege escalations, highlighting the importance of robust authentication and authorization mechanisms.

Spoofing Attacks and Vulnerabilities

Previous vulnerabilities, such as the Sam the Admin group of CVEs, exposed weaknesses in the authentication process, allowing attackers to request a Ticket Granting Ticket (TGT) without the PAC present. This led to privilege escalations by manipulating the search algorithm to find a spoofed account before the real account within Active Directory. Microsoft implemented fixes to address these vulnerabilities, including disallowing the request of PACless TGTs and hardening the Sam account name fields.

New Spoofing Vector

Despite the hardening of the Sam account name, a new spoofing vector has emerged, focusing on the User Principle Name (UPN) attribute within Active Directory. By setting an invalid UPN without a domain suffix, attackers can manipulate the search algorithm to find the spoofed account before the real account, leading to potential privilege escalations.

Mitigating the New Spoofing Vector

To mitigate this new spoofing vector, Microsoft could consider hardening the UPN by ensuring all UPNs have a domain suffix and crosschecking the UPN against the Sam account name to prevent collisions. Defenders can also consider disabling GSSAPI-based authentication for systems joined to an Active Directory realm or monitoring UPN updates that do not conform to a valid UPN.

Implications for Linux and Unix-Based Systems

While Windows relies on the PAC for authorization, Linux and Unix-based systems leverage the GSSAPI for Kerberos authentication, which may handle permissions differently. This creates potential vulnerabilities for systems such as SSH and Postgres databases, which may be susceptible to spoofing attacks if they do not properly validate the username extracted from the Kerberos ticket.

Conclusion

Understanding the intricacies of Kerberos authentication and authorization in Active Directory is crucial for maintaining a secure network environment. As new spoofing vectors emerge, organizations need to stay vigilant and implement robust security measures to protect against potential attacks. By addressing vulnerabilities and implementing mitigations, organizations can strengthen their defenses and ensure the integrity of their authentication and authorization processes.