CVE-2014-6324
Published 2014-11-18
Priority: P191 · high · 8.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 87.45% (99.7th percentile)
The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability."
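The mechanism behind "forged signature in a ticket", as an added example that is not from any source on this page: a toy PAC signature check written the way a KDC vulnerable to this CVE behaves (it honours whatever checksum type the signature block names, so an unkeyed MD5 or CRC32 over a self-made PAC verifies), beside the hardened check that insists on the keyed checksum bound to the server key. The PAC bytes, the group RIDs and the 16-byte server key are constructed; the HMAC-MD5 checksum construction follows RFC 4757, and the unkeyed-checksum root cause is the one described in Microsoft's SRD post on CVE-2014-6324 linked in the references below.

```python
"""Added example (not from any source on this page): the PAC signature check in the shape
a KDC vulnerable to CVE-2014-6324 performs it, beside the hardened form.  The PAC bytes
and the server key are constructed; only the HMAC-MD5 checksum follows RFC 4757 / MS-KILE."""
import hashlib
import hmac
import struct
import zlib

KERB_CHECKSUM_HMAC_MD5 = -138      # keyed checksum used with RC4-HMAC tickets
KERB_CHECKSUM_MD5 = 7              # RSA-MD5: unkeyed, anyone can compute it
KERB_CHECKSUM_CRC32 = 1            # CRC32: unkeyed
KERB_NON_KERB_CKSUM_SALT = 17      # key usage number for PAC server/KDC signatures


def hmac_md5_checksum(key, data, usage=KERB_NON_KERB_CKSUM_SALT):
    """RFC 4757 HMAC-MD5 checksum: Ksign = HMAC-MD5(K, "signaturekey\\0"),
    result = HMAC-MD5(Ksign, MD5(usage as little-endian uint32 || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()


def make_signature(pac, sig_type, key=None):
    """Signature of the requested type.  Unkeyed types need no key: that is the whole problem."""
    if sig_type == KERB_CHECKSUM_HMAC_MD5:
        return hmac_md5_checksum(key, pac)
    if sig_type == KERB_CHECKSUM_MD5:
        return hashlib.md5(pac).digest()
    if sig_type == KERB_CHECKSUM_CRC32:
        return struct.pack("<I", zlib.crc32(pac))
    raise ValueError("unsupported checksum type %d" % sig_type)


def verify_vulnerable(pac, sig_type, sig, server_key):
    """Pre-MS14-068 shape: honour whatever checksum type the PAC_SIGNATURE_DATA names and
    use the key only when that type is keyed.  A client that picks MD5 or CRC32 can sign a
    PAC of its own making and the KDC reports that it verifies."""
    return hmac.compare_digest(make_signature(pac, sig_type, server_key), sig)


def verify_hardened(pac, sig_type, sig, server_key):
    """Fixed shape: the checksum type must be the keyed type bound to the verifying key's
    enctype (HMAC-MD5 for an RC4 key here; an AES key would require HMAC-SHA1-96-AES)."""
    if sig_type != KERB_CHECKSUM_HMAC_MD5:
        return False
    return hmac.compare_digest(hmac_md5_checksum(server_key, pac), sig)


# Constructed data.  A real PAC is an NDR-marshalled buffer with its signature fields
# zeroed before hashing; a flat byte string is enough to show the type confusion.
SERVER_KEY = bytes(range(16))                          # stand-in for the service's RC4 key
LEGIT_PAC = b"user=lowpriv;groups=513"                 # Domain Users only
FORGED_PAC = b"user=lowpriv;groups=513,512,519"        # plus Domain Admins, Enterprise Admins


def demo():
    """Return (vulnerable accepts forged, hardened accepts forged, both accept legitimate)."""
    legit_sig = make_signature(LEGIT_PAC, KERB_CHECKSUM_HMAC_MD5, SERVER_KEY)   # signed by the KDC
    forged_sig = make_signature(FORGED_PAC, KERB_CHECKSUM_MD5)                  # signed by nobody
    return (verify_vulnerable(FORGED_PAC, KERB_CHECKSUM_MD5, forged_sig, SERVER_KEY),
            verify_hardened(FORGED_PAC, KERB_CHECKSUM_MD5, forged_sig, SERVER_KEY),
            verify_vulnerable(LEGIT_PAC, KERB_CHECKSUM_HMAC_MD5, legit_sig, SERVER_KEY)
            and verify_hardened(LEGIT_PAC, KERB_CHECKSUM_HMAC_MD5, legit_sig, SERVER_KEY))


if __name__ == "__main__":
    print("vulnerable accepts forged PAC: %s, hardened accepts forged PAC: %s, legit PAC ok: %s" % demo())
```

The point of the two verifiers side by side: the vulnerable one is not wrong about any individual checksum, it is wrong to let the unauthenticated party choose the algorithm. The fix is a policy check before the arithmetic (the type must be the keyed one for this key), which is also why disabling RC4 on its own does not close the hole.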
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
filename: TGT_%s@%s.ccache
snort rule (ET sid:2019922):
alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible GoldenPac Priv Esc in-use"; flow:established,to_server; content:"|a0 07 03 05 00 50 80 00 00|"; content:"|a8 05 30 03 02 01 17|"; endswith; threshold: type limit, track by_src, seconds 60, count 1; reference:url,code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019922; rev:4; metadata:created_at 2014_12_12, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2022_03_24, reviewed_at 2024_03_26;)
bytes: |a0 07 03 05 00 50 80 00 00|
bytes: |a8 05 30 03 02 01 17|
- Monitor TCP port 88 (Kerberos) traffic toward a KDC for the two byte sequences |a0 07 03 05 00 50 80 00 00| and |a8 05 30 03 02 01 17| in the same client-to-server flow; this is the ET signature (sid:2019922) for GoldenPac/MS14-068 exploitation in progress. Decoded as DER, the first is KDC-REQ-BODY kdc-options [0] = 0x50800000 (forwardable, proxiable, renewable) and the second is etype [8] = a list offering only rc4-hmac (23). The rule's endswith modifier requires the etype list to close the message, which fits the tooling's initial TGT request (a KDC-REQ-BODY with no addresses or enc-authorization-data ends with the etype list) better than the later TGS-REQ, whose body continues with enc-authorization-data [10]; the signature fingerprints the request shape, not the forged PAC itself.
- Hunt for MIT Kerberos Credential Cache (.ccache) files named TGT_<user>@<realm>.ccache on disk; the MS14-068 exploit writes them and they can be loaded with Mimikatz for pass-the-ticket. The name is trivial to change, so also check content: a cache starts with the bytes 05 04 (format version 4) or 05 03.
- The exploit first requests a TGT with PA-PAC-REQUEST set to false (pac_request=False), so the ticket carries no PAC, then sends a TGS-REQ whose encrypted authorization data carries the forged PAC, with RC4-HMAC (etype 23) as the only offered encryption type. A Kerberos request that offers only RC4-HMAC from a client that normally negotiates AES is worth investigating on its own.
- The Metasploit module exports a forged-PAC TGT to a MIT Kerberos Credential Cache file intended to be loaded with Mimikatz on Windows. Look for Mimikatz loading .ccache files (kerberos::ptc) shortly after anomalous Kerberos TGT requests from non-privileged accounts.
- The rule's threshold (type limit, track by_src, seconds 60, count 1) alerts on the first match from a source and then suppresses further alerts from that source for 60 seconds. A single exploit attempt is never dropped, but repeated attempts from one host within a minute show up as one alert, so read the alert count as hosts, not attempts.
- The exploit requests RC4-HMAC (etype 23) for the tickets it obtains, which is why the signature keys on an RC4-only etype list. Disabling RC4 for Kerberos may break this particular tooling and its signature, but the flaw is in the KDC's PAC signature verification, so patching (MS14-068) is the fix.
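To make the two byte patterns concrete, here is an added example (mine, not the ET rule authors' or impacket's code): a minimal DER encoder/decoder that builds constructed Kerberos KDC-REQ messages, decodes kdc-options and the etype list from them, and applies sid:2019922 both as the IDS does (byte patterns plus endswith) and structurally. The realm DOMAIN.LOCAL, the principal lowpriv, the nonce, and the Windows-style option flags 0x40810010 with etype list 18, 17, 23, 24, -135 are constructed; the TGS-REQ variant with the same options is hypothetical, included to show where the endswith modifier stops matching.

```python
"""Added example, not from any source on this page: what the two content patterns in
ET sid:2019922 mean inside a Kerberos KDC-REQ, and the same check done structurally.
Every message below is constructed with the small DER encoder here, not captured traffic."""
import struct


# --- minimal DER, single-byte tags only (all Kerberos needs) ---------------------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _ctx(n, content):
    return _tlv(0xA0 | n, content)                     # context-specific constructed [n]

def _seq(*items):
    return _tlv(0x30, b"".join(items))

def _gstr(s):
    return _tlv(0x1B, s.encode())                      # GeneralString

def _int(v):
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _iter_tlv(buf):
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                              # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def _first(buf):
    return next(_iter_tlv(buf))


def build_kdc_req(msg_type, kdc_options, etypes, include_pac=None, addresses=False, enc_authz=False):
    """RFC 4120 KDC-REQ (AS-REQ = 10, TGS-REQ = 12) with the 4-byte TCP length prefix."""
    body = [_ctx(0, _tlv(0x03, b"\x00" + struct.pack(">I", kdc_options))),       # kdc-options
            _ctx(2, _gstr("DOMAIN.LOCAL")),                                       # realm
            _ctx(3, _seq(_ctx(0, _int(2)), _ctx(1, _seq(_gstr("krbtgt"), _gstr("DOMAIN.LOCAL"))))),
            _ctx(5, _tlv(0x18, b"20141201120000Z")),                              # till
            _ctx(7, _int(0x1234567)),                                             # nonce
            _ctx(8, _seq(*(_int(e) for e in etypes)))]                            # etype
    if msg_type == 10:                                                            # cname [1]
        body.insert(1, _ctx(1, _seq(_ctx(0, _int(1)), _ctx(1, _seq(_gstr("lowpriv"))))))
    if addresses:                                             # [9], real Windows clients send it
        body.append(_ctx(9, _seq(_seq(_ctx(0, _int(20)), _ctx(1, _tlv(0x04, b"WORKSTATION01   "))))))
    if enc_authz:                                             # [10], where a TGS-REQ carries PAC ciphertext
        body.append(_ctx(10, _seq(_ctx(0, _int(23)), _ctx(2, _tlv(0x04, b"\x00" * 32)))))
    padata = []
    if include_pac is not None:                               # PA-PAC-REQUEST, padata-type 128
        flag = _seq(_ctx(0, _tlv(0x01, bytes([0xFF if include_pac else 0]))))
        padata.append(_seq(_ctx(1, _int(128)), _ctx(2, _tlv(0x04, flag))))
    if msg_type == 12:                                        # PA-TGS-REQ, opaque placeholder
        padata.append(_seq(_ctx(1, _int(1)), _ctx(2, _tlv(0x04, b"\x00" * 16))))
    fields = [_ctx(1, _int(5)), _ctx(2, _int(msg_type))]
    if padata:
        fields.append(_ctx(3, _seq(*padata)))
    fields.append(_ctx(4, _seq(*body)))
    msg = _tlv(0x60 | msg_type, _seq(*fields))                # [APPLICATION msg_type]
    return struct.pack(">I", len(msg)) + msg


KDC_OPTION_BITS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy", 5: "allow-postdate",
                   6: "postdated", 8: "renewable", 15: "canonicalize", 27: "renewable-ok",
                   28: "enc-tkt-in-skey", 30: "renew", 31: "validate"}


def parse_kdc_req(stream):
    """Structural decode: message type, kdc-options flags, etype list, PA-PAC-REQUEST value."""
    (length,) = struct.unpack(">I", stream[:4])
    tag, content = _first(stream[4:4 + length])
    if tag not in (0x6A, 0x6C):
        raise ValueError("not an AS-REQ/TGS-REQ (tag 0x%02x)" % tag)
    fields = dict(_iter_tlv(_first(content)[1]))
    body = dict(_iter_tlv(_first(fields[0xA4])[1]))
    options = int.from_bytes(_first(body[0xA0])[1][1:5], "big")       # skip the unused-bits byte
    pac_request = None
    if 0xA3 in fields:
        for _, pa in _iter_tlv(_first(fields[0xA3])[1]):
            pa_fields = dict(_iter_tlv(pa))
            if int.from_bytes(_first(pa_fields[0xA1])[1], "big", signed=True) == 128:
                _, octets = _first(pa_fields[0xA2])                      # padata-value OCTET STRING
                _, ctx0 = _first(_first(octets)[1])                      # include-pac [0]
                pac_request = _first(ctx0)[1] != b"\x00"                 # BOOLEAN
    return {"msg_type": tag & 0x1F, "kdc_options": options,
            "flags": [n for b, n in KDC_OPTION_BITS.items() if options >> (31 - b) & 1],
            "etypes": [int.from_bytes(v, "big", signed=True) for _, v in _iter_tlv(_first(body[0xA8])[1])],
            "pac_request": pac_request}


PATTERN_OPTIONS = bytes.fromhex("a00703050050800000")   # kdc-options [0] = 0x50800000
PATTERN_ETYPE = bytes.fromhex("a8053003020117")         # etype [8] = SEQUENCE { 23 }

def raw_rule_match(stream):
    """The IDS view of sid:2019922: first content anywhere, second content closing the message (endswith)."""
    return PATTERN_OPTIONS in stream and stream.endswith(PATTERN_ETYPE)

def structural_match(stream):
    """Same intent, decoded: forwardable|proxiable|renewable and an etype list offering only rc4-hmac."""
    req = parse_kdc_req(stream)
    return req["kdc_options"] == 0x50800000 and req["etypes"] == [23]


# Constructed samples.  The TGS-REQ variant is hypothetical: same options and etype as the
# TGT request, with the forged PAC riding in enc-authorization-data [10].
GOLDENPAC_AS_REQ = build_kdc_req(10, 0x50800000, [23], include_pac=False)
GOLDENPAC_TGS_REQ = build_kdc_req(12, 0x50800000, [23], enc_authz=True)
WINDOWS_AS_REQ = build_kdc_req(10, 0x40810010, [18, 17, 23, 24, -135], include_pac=True, addresses=True)

if __name__ == "__main__":
    for name, msg in (("tooling AS-REQ", GOLDENPAC_AS_REQ), ("tooling TGS-REQ", GOLDENPAC_TGS_REQ),
                      ("Windows AS-REQ", WINDOWS_AS_REQ)):
        r = parse_kdc_req(msg)
        print(f"{name:16} type={r['msg_type']} flags={r['flags']} etypes={r['etypes']} "
              f"pac_request={r['pac_request']} raw={raw_rule_match(msg)} structural={structural_match(msg)}")
```

Running it prints one line per sample: the tooling-style AS-REQ matches both ways, the Windows-style AS-REQ matches neither, and the hypothetical TGS-REQ with enc-authorization-data after the etype list is caught only by the structural check. That structural form (RC4-only etype list plus a fixed option set) is what to carry into a Suricata Lua script or a Zeek Kerberos analyzer policy if you want to key on request shape rather than exact byte offsets.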
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
GHSA
GHSA-j28h-3q4c-49h2 · ghsa_unreviewed · 2022-05-14 · HIGH
Description: identical to the NVD description above.
VulnCheck
Microsoft Kerberos Key Distribution Center (KDC) Privilege Escalation Vulnerability · vulncheck · 2014 · CVSS 8.8 · HIGH · CWE-264
The Kerberos Key Distribution Center (KDC) in Microsoft allows remote authenticated domain users to obtain domain administrator privileges.
Affected: Microsoft Kerberos Key Distribution Center (KDC)
Required Action: Apply updates per vendor instructions.
Exploitation References:
https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit
https://www.cve.org/CVERecord?id=CVE-2014-6324
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205202/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf
https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0
https://community.broadcom
CISA
Microsoft Kerberos Key Distribution Center (KDC) Privilege Escalation Vulnerability · cisa · 2022-03-25 · CVSS 8.8 · HIGH · CWE-264
Affected: Microsoft Kerberos Key Distribution Center (KDC)
The Kerberos Key Distribution Center (KDC) in Microsoft allows remote authenticated domain users to obtain domain administrator privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2014-6324
Remediation Due Date: 2022-04-15
Suricata
ET EXPLOIT Possible GoldenPac Priv Esc in-use · suricata · 2014-12-12 · CVSS 8.8 · HIGH
Rule: alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible GoldenPac Priv Esc in-use"; flow:established,to_server; content:"|a0 07 03 05 00 50 80 00 00|"; content:"|a8 05 30 03 02 01 17|"; endswith; threshold: type limit, track by_src, seconds 60, count 1; reference:url,code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019922; rev:4; metadata:created_at 2014_12_12, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2022_03_24, reviewed_at 2024_03_26;)
Exploit-DB
Microsoft Windows Kerberos - Privilege Escalation (MS14-068) · exploitdb · 2014-12-05
---
#!/usr/bin/python
# MS14-068 Exploit
# Author
# ------
# Sylvain Monne
# Contact : sylvain dot monne at solucom dot fr
# http://twitter.com/bidord
import sys, os
from random import getrandbits
from time import time, localtime, strftime
from kek.ccache import CCache, get_tgt_cred, kdc_rep2ccache
from kek.crypto import generate_subkey, ntlm_hash, RC4_HMAC, HMAC_MD5
from kek.krb5 import build_as_req, build_tgs_req, send_req, recv_rep, \
decrypt_as_rep, decrypt_tgs_rep, decrypt_ticket_enc_part, iter_authorization_data, \
AD_WIN2K_PAC
from kek.pac import build_pac, pretty_print_pac
from kek.util import epoch2gt, gt2epoch
def sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, targ
Metasploit
MS14-068 Microsoft Kerberos Checksum Validation Vulnerability · metasploit
This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS request, where a domain user may forge a PAC with arbitrary privileges, including Domain Administrator. This module requests a TGT ticket with a forged PAC and exports it to a MIT Kerberos Credential Cache file. It can be loaded on Windows systems with the Mimikatz help. It has been tested successfully on Windows 2008.
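As an added example (not the Metasploit module's or Mimikatz's code): a triage routine for candidate credential caches that applies the TGT_<user>@<realm>.ccache filename IOC and then parses the MIT ccache format (versions 3 and 4) so a renamed cache is still recognised, pulling out the default principal, the krbtgt service principal that marks a TGT, the session-key enctype and the end time. The sample cache, its principal lowpriv@DOMAIN.LOCAL, the key bytes and the timestamps are constructed.

```python
"""Added example, not from any source on this page: triage candidate MIT credential-cache
files by content, not only by the TGT_<user>@<realm>.ccache name the exploit tooling uses.
The sample cache is constructed here; the field layout follows the MIT ccache format (v3/v4)."""
import os
import re
import struct

FILENAME_RE = re.compile(r"^TGT_(?P<user>[^@]+)@(?P<realm>[^@]+)\.ccache$")


def _data(b):
    return struct.pack(">I", len(b)) + b                               # uint32 length + bytes

def _principal(name_type, realm, components):
    out = struct.pack(">II", name_type, len(components)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in components)

def build_ccache_v4(client, realm, enctype, ticket_flags, endtime, ticket):
    """Constructed v4 cache holding one credential: a TGT for `client` from the realm's KDC."""
    header = struct.pack(">HH", 1, 8) + struct.pack(">II", 0, 0)       # tag 1: DeltaTime (sec, usec)
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header
    out += _principal(1, realm, [client])                              # default principal
    out += _principal(1, realm, [client])                              # cred.client
    out += _principal(2, realm, ["krbtgt", realm])                     # cred.server
    out += struct.pack(">H", enctype) + _data(b"\x11" * 16)            # keyblock (v4: no repeated etype)
    out += struct.pack(">IIII", 1417435200, 1417435200, endtime, endtime)  # auth/start/end/renew_till
    out += b"\x00" + struct.pack(">I", ticket_flags)                   # is_skey, ticket_flags
    out += struct.pack(">II", 0, 0)                                    # no addresses, no authdata
    return out + _data(ticket) + _data(b"")                            # ticket, second_ticket


class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        chunk, self.pos = self.buf[self.pos:self.pos + n], self.pos + n
        return chunk

    def u8(self):  return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())

    def principal(self):
        name_type, count = self.u32(), self.u32()
        realm = self.data().decode("latin-1")
        return "/".join(self.data().decode("latin-1") for _ in range(count)) + "@" + realm


def parse_ccache(buf):
    """Default principal plus (client, server, enctype, endtime, flags) for every credential."""
    r = _Reader(buf)
    if r.take(1) != b"\x05":
        raise ValueError("not a ccache")
    version = r.u8()
    if version not in (3, 4):
        raise ValueError("unsupported ccache version %d" % version)
    if version == 4:
        r.take(r.u16())                                  # header fields, not needed for triage
    default = r.principal()
    creds = []
    while r.pos < len(buf):
        client, server = r.principal(), r.principal()
        enctype = r.u16()
        if version == 3:
            r.u16()                                      # v3 repeats the etype
        r.data()                                         # session key
        times = [r.u32() for _ in range(4)]              # authtime, starttime, endtime, renew_till
        r.u8()                                           # is_skey
        flags = r.u32()
        for _ in range(2):                               # addresses, then authdata: count of (type, data)
            for _ in range(r.u32()):
                r.u16()
                r.data()
        r.data()                                         # ticket
        r.data()                                         # second_ticket
        creds.append({"client": client, "server": server, "enctype": enctype,
                      "endtime": times[2], "flags": flags})
    return {"version": version, "default_principal": default, "credentials": creds}


def triage(path, buf, now):
    """Verdict for one file: the filename check from the IOC, then content checks that survive a rename."""
    findings = []
    if FILENAME_RE.match(os.path.basename(path)):
        findings.append("filename matches TGT_<user>@<realm>.ccache")
    try:
        cc = parse_ccache(buf)
    except ValueError:
        return {"path": path, "is_ccache": False, "findings": findings}
    for c in cc["credentials"]:
        if c["server"].startswith("krbtgt/"):
            findings.append("holds a TGT for %s" % c["client"])
            if c["enctype"] == 23:
                findings.append("rc4-hmac session key (etype 23)")
            if c["endtime"] > now:
                findings.append("TGT not yet expired")
    return {"path": path, "is_ccache": True, "default_principal": cc["default_principal"], "findings": findings}


# Constructed sample: a cache written for a low-privilege user holding an RC4 TGT.
SAMPLE = build_ccache_v4("lowpriv", "DOMAIN.LOCAL", 23, 0x50E00000, 1417471200, b"\x61\x82\x04\x00" + b"\x00" * 8)

if __name__ == "__main__":
    print(triage("TGT_lowpriv@DOMAIN.LOCAL.ccache", SAMPLE, now=1417435200))
```

Wire triage() to os.walk over user profiles, temp directories and tool staging paths, reading the first bytes of each file to check for the 05 04 / 05 03 magic before parsing, and forward any file holding a krbtgt credential for a non-privileged client for review; the enctype and end time tell you whether the ticket is still usable with kerberos::ptc.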
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures · arxiv_fulltext · 2025-02-12
Almuthanna Alageel and Sergio Maffeis
Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
CTF
README · ctf_writeups
# Boot to root CTFs
Walkthroughs and notes of 'boot to root' CTFs mostly from VulnHub that I did for fun. I like to use vulnerable VMs from VulnHub (in addition to the ones I create) to organize hands-on penetration testing training sessions for junior security auditors/consultants :-)
### >> Classic pentest methodology to do a Boot2root CTF upload a Webshell)
➤ Clear-text passwords stored in 'public' website pages, configuration files, log files
➤ ...
2. Exploiting unpatched known vulnerabilities
➤ Web server (e.g. Apache Struts RCE: CVE-2017-12611/CVE-2017-9805/CVE-2017-9791, JBoss Java Deserialization RCE)
➤ Bash & web server CGI (e.g. Shellshock RCE CVE-2014-6271/CVE-2014-7169)
➤ Web CMS (e.g. Drupalgeddon2 RCE CVE-2018-7600)
➤ Web framework (e.g. PHP CGI RCE CVE-2012-1823)
➤ FTP s
Threat Intel
Threat Group-3390 (Threat Group-3390, Earth Smilodon, TG-3390) · threat_intel
# Threat Actor Profile: Threat Group-3390
ATT&CK ID: G0027
Also known as: Threat Group-3390, Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse, Linen Typhoon
Suspected origin: China
## Overview
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020)
## Techniques (TTPs)
### Resource Development
- T1608.001 Upload Malware
Usage: Threat Group-3390 has hosted mal
References
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx
http://marc.info/?l=bugtraq&m=142350249315918&w=2
http://secunia.com/advisories/62556
http://www.securityfocus.com/bid/70958
http://www.securitytracker.com/id/1031237
http://www.us-cert.gov/ncas/alerts/TA14-323A
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-6324
Published: 2014-11-18
Added to CISA KEV: 2022-03-25
Exploited in the wild