GMR-2 Satellite Phones / Windows RDP and Relay Attack 0-Day
By Mark Perry on July 12, 2017
Windows RDP and Relay Attack Zero-Day
Researchers at Preempt, a company building next-generation firewalls, discovered two different zero-day vulnerabilities in the Windows NTLM security protocol. Both zero-days end the same way: the attacker creates a new domain administrator account with elevated privileges, giving them control of the whole domain.
ZERO-DAY #1
The first zero-day lies in how the Lightweight Directory Access Protocol (LDAP) handles NTLM relay. LDAP inadequately protects against NTLM relay attacks even with LDAP signing enabled as a defensive measure. LDAP signing does protect against man-in-the-middle (MitM) tampering, but it does nothing to prevent credential forwarding. As a result, an attacker who has SYSTEM privileges can wait for an incoming NTLM session and use it to perform normal LDAP operations, including updating domain objects, “on behalf” of the NTLM user. Another consideration is the Windows Authentication API (SSPI). Protocols that use SSPI can be downgraded to a session using NTLM, which opens the door to further malicious activity. The result is that every connection (SMB, WMI, SQL, HTTP) from any domain admin could let the attacker create a domain admin account and gain full control of the entire domain.
Example Relay Attack:
ZERO-DAY #2
The second zero-day, addressed by Patch Tuesday today, again involves the NTLM protocol. This time the vulnerability affects Remote Desktop Protocol (RDP) Restricted-Admin mode. Restricted Admin mode allows normal users to connect to a remote computer without having to provide an authenticated password. When first brought to Microsoft’s attention it was assigned CVE-2017-8563, but Microsoft downplayed the issue as just a “bug” and labeled it a known issue, with a best-practice recommendation of reconfiguring the network. The problem is that, from an authenticated session, an attacker could downgrade the session to NTLM and perform the LDAP relay, once again allowing the creation of a domain admin account and the running of processes in an elevated context.
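Both zero-days above end in the same observable pattern: an NTLM logon by a privileged account followed shortly by a new account being created or added to a privileged group. The following Python script, added here as an example and not code from Preempt or this post, correlates those events over a small constructed log; the key=value log format, the sample lines and the privileged-account list are assumptions for the example, while the event IDs (4624, 4720, 4728) and field names follow the Windows Security log.

```python
"""Correlate NTLM logons by privileged accounts with follow-on directory changes.

Assumed input (constructed for this example): one Windows Security event per
line as space-separated key=value pairs. EventID 4624 = logon, 4720 = user
account created, 4728 = member added to a security-enabled global group.
"""
import shlex
from datetime import datetime, timedelta

# Constructed sample events, not real log data.
SAMPLE_LOG = """\
ts=2017-07-12T10:00:01 EventID=4624 TargetUserName=da_alice AuthenticationPackage=Kerberos IpAddress=10.0.0.5
ts=2017-07-12T10:05:10 EventID=4624 TargetUserName=da_alice AuthenticationPackage=NTLM IpAddress=10.0.0.99
ts=2017-07-12T10:05:42 EventID=4720 SubjectUserName=da_alice TargetUserName=svc_backup2 IpAddress=10.0.0.99
ts=2017-07-12T10:05:50 EventID=4728 SubjectUserName=da_alice MemberName=svc_backup2 TargetUserName="Domain Admins"
ts=2017-07-12T11:00:00 EventID=4624 TargetUserName=bob AuthenticationPackage=NTLM IpAddress=10.0.0.7
"""

PRIVILEGED = {"da_alice"}        # assumed list of accounts whose NTLM use is high risk
WINDOW = timedelta(minutes=10)   # how long after the NTLM logon a change is suspicious


def parse_events(text):
    """Parse the key=value lines into dicts; shlex keeps quoted values intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return events


def find_relay_candidates(events, privileged=PRIVILEGED, window=WINDOW):
    """Alert when a privileged account authenticates with NTLM (Kerberos is the
    expected path) and, within `window`, creates a user or changes a group."""
    ntlm_logons = [e for e in events
                   if e["EventID"] == "4624"
                   and e.get("AuthenticationPackage") == "NTLM"
                   and e["TargetUserName"] in privileged]
    alerts = []
    for logon in ntlm_logons:
        for e in events:
            if e["EventID"] not in ("4720", "4728"):
                continue
            if e.get("SubjectUserName") != logon["TargetUserName"]:
                continue
            if logon["ts"] <= e["ts"] <= logon["ts"] + window:
                alerts.append({"account": logon["TargetUserName"],
                               "ntlm_source": logon["IpAddress"],
                               "event": e["EventID"],
                               "object": e.get("MemberName") or e["TargetUserName"],
                               "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_relay_candidates(parse_events(SAMPLE_LOG)):
        print(alert)
```

The Kerberos logon and the unprivileged NTLM logon in the sample produce no alert; only the NTLM logon for da_alice followed by the account creation and the Domain Admins group change is flagged.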
GMR-2
Three researchers, Jiao Hu, Ruilin Li and Chaojing Tang of the National University of Defense Technology in Changsha, China, discovered a vulnerability in the GMR-2 (GEO-Mobile Radio version 2) encryption algorithm used in satellite phones. They found that attacking a 3.3 GHz satellite stream with thousands of inversion attacks gradually recovers the 64-bit encryption key. These attacks run so fast that the researchers averaged 0.02 s of decryption time, which allows “real-time” eavesdropping on live conversations. The white paper, entitled “A Real-time Inversion Attack on the GMR-2 Cipher Used in the Satellite Phones”, goes into depth on the specifics of the process used. Satellite phones are crucial equipment, often used in war zones, by intelligence agents, by dissidents, and more. The GMR-2 cipher is currently used in many phones, including those that use the network of the well-known British satellite telecom company Inmarsat.
Reversing the cipher: