samAccountName Spoofing CVE-2021-42278

CVE-2021-42278 is a privilege escalation vulnerability that abuses how a domain controller's KDC resolves account names when issuing TGTs and service tickets. Using only valid, low-privileged user credentials, an attacker can remotely escalate from user to SYSTEM. Microsoft patched the vulnerability on November 9th 2021. Step-by-step rundown of the exploit:

  1. A new computer is added to the domain
  2. The new computer is renamed to the name of the domain controller with the $ sign removed.
  3. A TGT is requested using the new computer name
  4. S4U2SELF is used to request a new TGT
  5. The new ticket can be used to own the domain controller
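The rename in step 2 is the part a defender can see: a computer account whose sAMAccountName loses its trailing `$` or collides with a domain controller's name. The following is an added detection example, not code from the page or from the linked tool; it scans constructed records modelled on Security events 4741 (computer account created) and 4742 (computer account changed), and the DC names and sample events are assumptions.

```python
# Added example (not part of the original page): a defender-side check for the
# samAccountName rename step of CVE-2021-42278. It scans constructed Security
# log records modelled on event 4741 (computer account created) and 4742
# (computer account changed) and flags a computer account whose
# sAMAccountName lost its trailing "$" or now matches a domain controller.

# Assumption: the sAMAccountNames of the domain controllers in this domain.
DC_NAMES = {"DC01$", "DC02$"}

# Constructed sample events, not real log output. In event 4742 the
# "SamAccountName" field is "-" when the name itself was not changed.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "jdoe",
     "TargetUserName": "WS-PROBE$", "SamAccountName": "WS-PROBE$"},
    {"EventID": 4742, "SubjectUserName": "jdoe",
     "TargetUserName": "WS-PROBE$", "SamAccountName": "DC01"},
    {"EventID": 4742, "SubjectUserName": "svc-sccm",
     "TargetUserName": "WS-HR01$", "SamAccountName": "-"},
    {"EventID": 4742, "SubjectUserName": "admin",
     "TargetUserName": "WS-HR02$", "SamAccountName": "WS-HR02-NEW$"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},
]


def reasons_for(event, dc_names):
    """Return the reasons an event looks like samAccountName spoofing."""
    if event.get("EventID") not in (4741, 4742):
        return []
    name = event.get("SamAccountName", "-")
    if name == "-":  # 4742 that changed some other attribute, not the name
        return []
    reasons = []
    if not name.endswith("$"):
        reasons.append("computer account name without trailing $")
    dc_bases = {dc.rstrip("$").upper() for dc in dc_names}
    if name.rstrip("$").upper() in dc_bases:
        reasons.append("name collides with domain controller")
    return reasons


def find_spoofing_candidates(events, dc_names=DC_NAMES):
    """Return (event, reasons) for every record that warrants investigation."""
    return [(ev, r) for ev in events if (r := reasons_for(ev, dc_names))]


if __name__ == "__main__":
    for ev, why in find_spoofing_candidates(SAMPLE_EVENTS):
        print(ev["SubjectUserName"], ev["TargetUserName"], "->",
              ev["SamAccountName"], "|", "; ".join(why))
```

On a real estate the same check belongs on the 4741/4742 stream of every domain controller, with the account that performed the change (SubjectUserName) as the pivot for triage.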

An automated tool built on Impacket has been created and can be downloaded from:

https://github.com/WazeHell/sam-the-admin

POC: