CVE-2020-1472: ZeroLogon

The code example below is vulnerable to ZeroLogon:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class VulnerableNetlogon
{
    public static byte[] CreateNetlogonCredential(byte[] clientNonce, byte[] serverNonce, string computerName)
    {
        // Concatenate the client and server nonces with the computer name
        byte[] nameBytes = Encoding.ASCII.GetBytes(computerName);
        byte[] data = new byte[clientNonce.Length + serverNonce.Length + nameBytes.Length];
        Array.Copy(clientNonce, 0, data, 0, clientNonce.Length);
        Array.Copy(serverNonce, 0, data, clientNonce.Length, serverNonce.Length);
        Array.Copy(nameBytes, 0, data, clientNonce.Length + serverNonce.Length, nameBytes.Length);

        // Create an HMAC-SHA1 hash of the concatenated data using an empty key.
        // The key is passed explicitly: the parameterless HMACSHA1() constructor
        // would generate a random key instead.
        using (HMACSHA1 hmac = new HMACSHA1(new byte[0]))
        {
            // Return the hash as the Netlogon credential
            return hmac.ComputeHash(data);
        }
    }
}
```

Why is it vulnerable?

This function creates a Netlogon credential, which is used in the authentication process for Windows domain controllers. The vulnerability comes from the empty key used to create the HMAC-SHA1 hash of the concatenated data: with no secret in the computation, the credential is open to a cryptographic attack that can be used to bypass the authentication process.

How to fix?

Ensure that a non-empty key is used to create the HMAC-SHA1 hash:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class FixedNetlogon
{
    public static byte[] CreateNetlogonCredential(byte[] clientNonce, byte[] serverNonce, string computerName, byte[] key)
    {
        // Reject a missing or empty key so the fix cannot be bypassed by the caller
        if (key == null || key.Length == 0)
        {
            throw new ArgumentException("A non-empty key is required.", nameof(key));
        }

        // Concatenate the client and server nonces with the computer name
        byte[] nameBytes = Encoding.ASCII.GetBytes(computerName);
        byte[] data = new byte[clientNonce.Length + serverNonce.Length + nameBytes.Length];
        Array.Copy(clientNonce, 0, data, 0, clientNonce.Length);
        Array.Copy(serverNonce, 0, data, clientNonce.Length, serverNonce.Length);
        Array.Copy(nameBytes, 0, data, clientNonce.Length + serverNonce.Length, nameBytes.Length);

        // Create an HMAC-SHA1 hash of the concatenated data using the provided key
        using (HMACSHA1 hmac = new HMACSHA1(key))
        {
            // Return the hash as the Netlogon credential
            return hmac.ComputeHash(data);
        }
    }
}
```
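
A server-side check built on the fix above, as an added example that is not part of the original page: it refuses an empty key, compares credentials in constant time, and shows that a value derived with the empty key is rejected once a secret key is in use. The class and method names, the sample nonces and the computer name are constructed for illustration, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class NetlogonCredentialCheck // hypothetical name
{
    // Same construction as the page: HMAC-SHA1 over clientNonce || serverNonce || computerName.
    static byte[] Compute(byte[] key, byte[] clientNonce, byte[] serverNonce, string computerName)
    {
        byte[] name = Encoding.ASCII.GetBytes(computerName);
        byte[] data = new byte[clientNonce.Length + serverNonce.Length + name.Length];
        Buffer.BlockCopy(clientNonce, 0, data, 0, clientNonce.Length);
        Buffer.BlockCopy(serverNonce, 0, data, clientNonce.Length, serverNonce.Length);
        Buffer.BlockCopy(name, 0, data, clientNonce.Length + serverNonce.Length, name.Length);
        using (var hmac = new HMACSHA1(key))
            return hmac.ComputeHash(data);
    }

    // Verification side: no empty key, and no early-exit byte comparison.
    public static bool Verify(byte[] key, byte[] clientNonce, byte[] serverNonce,
                              string computerName, byte[] presented)
    {
        if (key == null || key.Length == 0)
            throw new ArgumentException("A secret, non-empty key is required.", nameof(key));
        byte[] expected = Compute(key, clientNonce, serverNonce, computerName);
        return CryptographicOperations.FixedTimeEquals(expected, presented);
    }

    public static void Main()
    {
        // Constructed sample inputs; none of them is secret.
        byte[] clientNonce = { 1, 2, 3, 4, 5, 6, 7, 8 };
        byte[] serverNonce = { 8, 7, 6, 5, 4, 3, 2, 1 };
        const string name = "WORKSTATION01";
        byte[] secret = RandomNumberGenerator.GetBytes(32);

        // With an empty key the credential depends only on non-secret inputs.
        byte[] emptyKeyValue = Compute(new byte[0], clientNonce, serverNonce, name);
        byte[] keyedValue = Compute(secret, clientNonce, serverNonce, name);

        Console.WriteLine("empty-key value accepted: " +
            Verify(secret, clientNonce, serverNonce, name, emptyKeyValue)); // False
        Console.WriteLine("key holder accepted:      " +
            Verify(secret, clientNonce, serverNonce, name, keyedValue));    // True
    }
}
```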