Tuesday, October 25, 2022

Micropatches for Kerberos Elevation of Privilege (CVE-2022-33647, CVE-2022-33679)


by Mitja Kolsek, the 0patch Team

 

Update 11/16/2023: Our patch for this vulnerability was general enough to also fix a subsequently discovered similar vulnerability in Kerberos, CVE-2023-28224.


The September 2022 Windows Updates brought a fix for an elevation of privilege vulnerability in the Kerberos protocol, discovered by James Forshaw of Google Project Zero. James published a detailed analysis, and a POC was subsequently added to their Rubeus tool.

Microsoft assigned James' finding two separate CVE IDs, CVE-2022-33647 and CVE-2022-33679, but these really both have the same root cause, namely the fact that Kerberos supported two weak encryption types: RC4-MD4 (type -128) and RC4-HMAC-OLD (type -133).

James demonstrated that downgrading encryption to RC4-MD4 can allow an attacker to extract the Ticket Granting Ticket (TGT) key and use it for requesting a new TGT for the targeted user, which can be used for launching any code on the domain controller as said user.

Microsoft removed support for both weak encryption types from the Kerberos code. Our micropatch, written only for Windows Server 2008 R2 (the only server that didn't get Microsoft's patch), is logically equivalent to Microsoft's:



MODULE_PATH "..\Affected_Modules\kdcsvc.dll_6.1.7601.24499_Srv2008R2_64-bit_NoESU\kdcsvc.dll"
PATCH_ID 1139
PATCH_FORMAT_VER 2
VULN_ID 7509
PLATFORM win64

patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x413a8
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    
    code_start
       
        cmp ecx, 0xFFFFFF80  ; is encryption type (in ecx) RC4-MD4 (-128)?
        je ERROR             ; if so, error out
        cmp ecx, 0xFFFFFF7B  ; is encryption type RC4-HMAC-OLD (-133)?
        jne SKIP             ; if not, continue with original code; if so, fall through to ERROR
       
    ERROR:
        mov rax, 0x0         ; rax 0 means "unsupported"
        retn

    SKIP:

    code_end
patchlet_end
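The following Python model is an added example, not 0patch's or Microsoft's code. It decodes the two 32-bit immediates the patchlet compares against into the signed etype numbers they encode, and mirrors the patchlet's control flow (ERROR for the two weak types, SKIP to the original check for everything else) so the before/after behaviour of a downgrade to RC4-MD4 can be seen. The set of etypes the unpatched KDC accepts, and the helper names, are assumptions made for the example.

```python
"""Added example (not 0patch's or Microsoft's code): a Python model of the
patchlet's encryption-type check, with a helper that decodes the 32-bit
immediates written in the patch into signed Kerberos etype numbers."""

# Etype numbers named on the page. Negative etypes are in the private-use
# range; the KDC holds the etype in a 32-bit register, so the patch compares
# ecx against the two's-complement encodings 0xFFFFFF80 and 0xFFFFFF7B.
RC4_MD4 = -128
RC4_HMAC_OLD = -133
WEAK_ETYPES = frozenset({RC4_MD4, RC4_HMAC_OLD})

# Immediates exactly as they appear in the patchlet.
PATCH_IMMEDIATES = (0xFFFFFF80, 0xFFFFFF7B)

# Assumed (constructed) set of etypes the unpatched KDC accepts: the common
# AES and RC4-HMAC types plus the two weak ones. This list is an assumption
# for the example, not taken from the page.
UNPATCHED_ACCEPTED = frozenset({18, 17, 23, RC4_MD4, RC4_HMAC_OLD})


def imm32_to_signed(imm: int) -> int:
    """Decode a 32-bit immediate (e.g. 0xFFFFFF80) into the signed value it encodes."""
    if not 0 <= imm <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit immediate: %#x" % imm)
    return imm - (1 << 32) if imm & 0x80000000 else imm


def unpatched_etype_supported(etype: int) -> bool:
    """Behaviour before the fix: the weak RC4 variants are still accepted."""
    return etype in UNPATCHED_ACCEPTED


def patched_etype_supported(etype: int) -> bool:
    """Behaviour with the micropatch applied: the patchlet returns
    'unsupported' (rax = 0) for RC4-MD4 and RC4-HMAC-OLD before the original
    code runs; every other etype falls through (SKIP) to the original check."""
    if etype in WEAK_ETYPES:
        return False  # ERROR path in the patchlet
    return unpatched_etype_supported(etype)  # SKIP path: original code


def negotiate(client_etypes, supported=patched_etype_supported):
    """Pick the first client-offered etype the KDC accepts, or None.
    A downgrade attempt that offers only the weak types yields None once the
    patched check is in use."""
    for etype in client_etypes:
        if supported(etype):
            return etype
    return None


if __name__ == "__main__":
    for imm in PATCH_IMMEDIATES:
        print("%#x -> %d" % (imm, imm32_to_signed(imm)))
    downgrade = [RC4_MD4]  # constructed: client offers only RC4-MD4
    print("unpatched:", negotiate(downgrade, unpatched_etype_supported))
    print("patched:  ", negotiate(downgrade))
```

Running the block prints the decoded immediates (-128 and -133) and shows the same downgrade offer being accepted by the unpatched model and rejected by the patched one; a client that also offers an AES etype still negotiates normally, which is the "logically equivalent to Microsoft's" property the post claims.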

 

This video demonstrates the effect of our micropatch. With 0patch disabled, launching the POC against a vulnerable Windows Server 2008 R2 server provides a Ticket Granting Ticket for the server's administrator, which then makes it possible to launch a remote terminal session to the server as that user. With 0patch enabled, RC4-MD4 is no longer accepted and the attack fails.


 
 
This micropatch has already been distributed to all online Windows Server 2008 R2 computers running 0patch Agent with PRO or Enterprise license. To obtain the micropatch and have it applied on your computers along with our other micropatches, create an account in 0patch Central, install 0patch Agent and register it to your account with a PRO or Enterprise subscription. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.

To learn more about 0patch, please visit our Help Center. For a trial or demo please contact sales@0patch.com.

We'd like to thank James Forshaw of Google Project Zero for publishing their analysis and providing a proof-of-concept that allowed us to reproduce the vulnerability and create a micropatch. We also encourage security researchers to privately share their analyses with us for micropatching.
