Exploit released for new Windows Server "WinReg" NTLM Relay attack

Proof-of-concept exploit code is now public for a vulnerability in Microsoft's Remote Registry client that could be used to take control of a Windows domain by downgrading the security of the authentication process.

The vulnerability is tracked as CVE-2024-43532 and takes advantage of a fallback mechanism in the Windows Registry (WinReg) client implementation that relies on old transport protocols if the SMB transport is not present.

An attacker exploiting the security issue could relay NTLM authentication to Active Directory Certificate Services (ADCS) to obtain a user certificate for further domain authentication.

The flaw affects all Windows server versions 2008 through 2022 as well as Windows 10 and Windows 11.

Vulnerability and exploitation details

CVE-2024-43532 stems from how Microsoft's Remote Registry client handles RPC (Remote Procedure Call) authentication during certain fallback scenarios when SMB transport is unavailable.

When this happens, the client switches to older protocols like TCP/IP and uses a weak authentication level (RPC_C_AUTHN_LEVEL_CONNECT), which doesn't verify the authenticity or integrity of the connection.

An attacker could authenticate to the server and create new domain administrator accounts by intercepting the NTLM authentication handshake from the client and forwarding it to another service, such as Active Directory Certificate Services (ADCS).

Exchange between client and relay server during an NTLM authentication relay attack within an RPC session.
Source: Akamai

Successfully exploiting CVE-2024-43532 results in a new way to carry out an NTLM relay attack, one that leverages the WinReg component to relay authentication details and could lead to domain takeover.

Some threat actors have used NTLM relay attack methods in the past to take control of Windows domains. One example is the LockFile ransomware gang, which targeted various organizations in the U.S. and Asia using PetitPotam shortly after it was discovered.

The vulnerability was discovered by Akamai researcher Stiv Kupchik, who disclosed it to Microsoft on February 1. However, Microsoft dismissed the report on April 25 "as documentation issue."

In mid-June, Kupchik resubmitted the report with a better proof-of-concept (PoC) and explanation, which led to Microsoft confirming the vulnerability on July 8. Three months later, Microsoft released a fix.

The researcher has now released a working PoC for CVE-2024-43532 and explained the exploitation process, from creating a relay server to obtaining a user certificate from the target, during the No Hat security conference in Bergamo, Italy.

Akamai's report also provides a method to determine if the Remote Registry service is enabled on a machine as well as a YARA rule to detect clients that use a vulnerable WinAPI.

The researchers also recommend using Event Tracing for Windows (ETW) to monitor for specific RPC calls, including those related to the WinReg RPC interface.
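One way to act on that recommendation is to capture the Microsoft-Windows-RPC ETW provider and flag WinReg client calls made at RPC_C_AUTHN_LEVEL_CONNECT, which is the authentication level the fallback path uses. The script below is an added example, not Akamai's tooling or a Microsoft utility; it assumes the WinReg interface UUID 338cd001-2244-31f1-aaaa-900038001003, that RpcClientCallStart is event ID 5, and the field order of that event as noted in the comments.

```powershell
# Added example (not from Akamai's report): trace RPC client calls with ETW and report
# WinReg calls that were bound at RPC_C_AUTHN_LEVEL_CONNECT, the level the fallback uses.
# Assumptions (not on the page): WinReg interface UUID, event ID 5 = RpcClientCallStart,
# and the property order of that event. Run from an elevated PowerShell session.

$SessionName  = 'RpcWinRegTrace'
$TracePath    = Join-Path $env:TEMP 'rpc-winreg.etl'
$WinRegIfUuid = '338cd001-2244-31f1-aaaa-900038001003'   # [MS-RRP] winreg interface (assumed)
$AuthnConnect = 2                                        # RPC_C_AUTHN_LEVEL_CONNECT

function Start-RpcTrace {
    # -ets creates and starts the session immediately; provider is referenced by name
    logman create trace $SessionName -p 'Microsoft-Windows-RPC' -o $TracePath -ets | Out-Null
}

function Stop-RpcTrace {
    logman stop $SessionName -ets | Out-Null
}

function Get-WinRegConnectLevelCalls {
    param([string]$Path = $TracePath)
    # Assumed field order for event 5 (RpcClientCallStart):
    # 0 InterfaceUuid, 1 ProcNum, 2 Protocol, 3 NetworkAddress, 4 Endpoint,
    # 5 Options, 6 AuthenticationLevel, 7 AuthenticationService, 8 ImpersonationLevel
    Get-WinEvent -Path $Path -Oldest |
        Where-Object { $_.Id -eq 5 } |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Pid       = $_.ProcessId
                Interface = "$($p[0].Value)".ToLower()
                Protocol  = $p[2].Value      # raw transport value; 'SMB' callers use ncacn_np
                Target    = $p[3].Value
                Endpoint  = $p[4].Value
                AuthLevel = [int]$p[6].Value
            }
        } |
        Where-Object { $_.Interface -eq $WinRegIfUuid -and $_.AuthLevel -eq $AuthnConnect }
}

# Usage: Start-RpcTrace; reproduce the remote-registry activity you want to observe;
# Stop-RpcTrace; Get-WinRegConnectLevelCalls | Format-Table -AutoSize
```

Any hit is a WinReg client binding that did not use packet integrity or privacy, so the Target and Protocol columns show which transport and host the client fell back to.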
