Proof-of-concept exploit code published for new Kerberos Bronze Bit attack

The Kerberos Bronze Bit attack can allow intruders to bypass authentication and access sensitive network services.
Written by Catalin Cimpanu, Contributor

Proof-of-concept exploit code has been published this week for a new attack technique that can bypass the Kerberos authentication protocol in Windows environments and let intruders access sensitive network-connected services.

Named the Bronze Bit attack, or CVE-2020-17049, patching this bug caused quite the issue for Microsoft already.

The OS maker delivered an initial fix for Bronze Bit attacks in the November 2020 Patch Tuesday, but the patch caused authentication issues for Microsoft's customers, and a new update had to be deployed this month to fix the previous issues.

On Wednesday, a day after Microsoft delivered the final patches, Jake Karnes, a security engineer at NetSPI, published a technical breakdown of the vulnerability so network defenders can understand how they are vulnerable and why they need to update, despite the patching process' rocky start.

Accompanying his theoretical and practical breakdowns was also proof-of-concept exploit code that system administrators can use to check and see if the patch was installed correctly.

Golden, Silver, and now the Bronze ticket attack

According to Karnes, the Bronze Bit attack is another variation of the older and widely known Golden Ticket and Silver Ticket attacks against Kerberos authentication.

All three are post-compromise techniques that can be used after an attacker has breached a company's internal network.

An attacker who infected at least one system on a network and extracted password hashes can use those hashes to bypass and forge credentials for other systems on the same network, as long as the network relies on the Kerberos authentication protocol, which has been included in all standard Windows versions since 2000.

The difference between Golden Ticket, Silver Ticket, and now the Bronze Bit attacks is in what parts of the Kerberos authentication protocol attackers go after.

In the case of Bronze Bit, attackers target the S4U2self and S4U2proxy protocols that Microsoft added as extensions to the Kerberos protocol.

"The attack uses the S4U2self protocol to obtain a service ticket for a targeted user to the compromised service, using the service's password hash," Karnes says.

"The attack then manipulates this service ticket by ensuring its forwardable flag is set (flipping the "Forwardable" bit to 1). The tampered service ticket is then used in the S4U2proxy protocol to obtain a service ticket for the targeted user to the targeted service," he adds.

Image: Jake Karnes

Karnes says the attack was possible because the portion of the Kerberos service ticket where the Forwardable flag resides is not signed, and the Kerberos process is not able to detect service tickets that have been tampered with.

"This exploit bypasses 2 existing protections for Kerberos delegation, and provides an opportunity for impersonation, lateral movement, and privilege escalation," the researcher added.

Karnes also the attack's name comes from the Golden Ticket and Silver Ticket attacks, which use similar principles, but is named Bronze Bit instead of Bronze Ticket because the attack relies on flipping just a single bit.

Editorial standards