Exploit released for new Windows Server "WinReg" NTLM Relay attack

Submitted by Style Pass, 2024-10-22 18:00:07

Proof-of-concept exploit code is now public for a vulnerability in Microsoft's Remote Registry client that could be used to take control of a Windows domain by downgrading the security of the authentication process.

The vulnerability is tracked as CVE-2024-43532 and abuses a fallback in the Remote Registry (WinReg) client: if the SMB transport (RPC over named pipes) is unavailable, the client silently retries over other RPC transports such as TCP/IP.

An attacker who can trigger or intercept such a connection can relay the resulting NTLM authentication to Active Directory Certificate Services (ADCS) and obtain a certificate for the victim account, which can then be used to authenticate to the domain as that account.

CVE-2024-43532 stems from how the Remote Registry client handles RPC (Remote Procedure Call) authentication in this fallback path.

When the SMB transport fails, the client rebinds over TCP/IP using RPC_C_AUTHN_LEVEL_CONNECT, an authentication level that only authenticates the client when the connection is set up and provides no per-packet integrity or privacy. Nothing in the subsequent traffic is signed or bound to the session, so a machine-in-the-middle can forward the NTLM exchange to another service without the client noticing.
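As an added illustration (this is not code from the article, from Microsoft, or from the published proof of concept), the following Python builds a constructed DCE/RPC bind PDU of the kind a WinReg client sends when it binds over the TCP transport, parses the interface UUID and the authentication trailer, and flags a bind to the WinReg interface whose auth level is below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. The NTLMSSP NEGOTIATE bytes are a constructed fixture, and the `over_tcp` flag stands in for the transport context you would know from the capture (a TCP stream to an endpoint-mapper-assigned port rather than an SMB named pipe).

```python
import struct
import uuid

# Windows Remote Registry (WinReg) RPC interface, version 1.0.
WINREG_UUID = uuid.UUID("338cd001-2244-31f1-aaaa-900038001003")
# NDR transfer syntax advertised in every bind.
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_BIND = 11

# RPC_C_AUTHN_LEVEL_* values from rpcdce.h.
AUTHN_LEVEL = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT",
               5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
# RPC_C_AUTHN_* security providers (subset).
AUTHN_TYPE = {9: "GSS_NEGOTIATE", 10: "WINNT (NTLM)", 16: "GSS_KERBEROS"}

# Constructed NTLMSSP NEGOTIATE_MESSAGE used as the bind's auth_value (fixture only).
NTLM_NEGOTIATE = (b"NTLMSSP\x00" + struct.pack("<I", 1)
                  + struct.pack("<I", 0xE2088297) + b"\x00" * 24)


def build_bind(iface: uuid.UUID, auth_type: int, auth_level: int, call_id: int = 1) -> bytes:
    """Construct a DCE/RPC v5 bind PDU with one presentation context and a sec_trailer.
    Test fixture for this example, not a packet captured from a real client."""
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<HH", 1, 0)
    ctx += NDR_UUID.bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<BBH", 1, 0, 0) + ctx
    # sec_trailer: auth_type, auth_level, auth_pad_length, reserved, auth_context_id.
    trailer = struct.pack("<BBBBI", auth_type, auth_level, 0, 0, 0) + NTLM_NEGOTIATE
    frag_len = 16 + len(body) + len(trailer)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                      frag_len, len(NTLM_NEGOTIATE), call_id)
    return hdr + body + trailer


def parse_bind(pdu: bytes) -> dict:
    """Recover the requested interfaces and the sec_trailer from a bind PDU."""
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind")
    ver, _minor, ptype, _flags, drep, frag_len, auth_len, _call_id = \
        struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if ver != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if not drep[0] & 0x10:
        raise ValueError("big-endian data representation not handled here")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    n_ctx = pdu[24]          # p_context_elem.n_context_elem
    off = 28                 # first p_cont_elem_t
    ifaces = []
    for _ in range(n_ctx):
        _cont_id, n_xfer, _ = struct.unpack_from("<HBB", pdu, off)
        off += 4
        ifaces.append(uuid.UUID(bytes_le=pdu[off:off + 16]))
        off += 20 + 20 * n_xfer   # abstract syntax + each transfer syntax
    info = {"interfaces": ifaces, "auth_type": None, "auth_level": None}
    if auth_len:
        # The 8-byte sec_trailer immediately precedes the auth_value, which ends the fragment.
        auth_type, auth_level, _pad, _res, _ctx_id = \
            struct.unpack_from("<BBBBI", pdu, frag_len - auth_len - 8)
        info["auth_type"], info["auth_level"] = auth_type, auth_level
    return info


def assess_bind(pdu: bytes, over_tcp: bool = True) -> dict:
    """Flag a WinReg bind over TCP at an auth level that lacks packet integrity.
    over_tcp is an assumption supplied by the caller from transport context."""
    info = parse_bind(pdu)
    level = info["auth_level"] or 0
    targets_winreg = WINREG_UUID in info["interfaces"]
    relayable = targets_winreg and over_tcp and level < 5
    return {
        "targets_winreg": targets_winreg,
        "auth_type_name": AUTHN_TYPE.get(info["auth_type"], f"unknown({info['auth_type']})"),
        "auth_level_name": AUTHN_LEVEL.get(level, f"unknown({level})"),
        "relayable": relayable,
    }


if __name__ == "__main__":
    for label, pdu in (("vulnerable fallback", build_bind(WINREG_UUID, 10, 2)),
                       ("hardened client", build_bind(WINREG_UUID, 10, 6))):
        print(label, assess_bind(pdu))
```

The check keys on the combination the article describes: the WinReg interface UUID, a non-SMB transport, and an auth level of CONNECT (2) or lower. A bind at PKT_INTEGRITY or PKT_PRIVACY carries NTLM signing or sealing keyed to the session, which is what makes a relayed exchange fail at the target.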
