Security researchers have unearthed a sophisticated method of exploiting the Dynamic Host Configuration Protocol (DHCP) administrators group to escalate privileges within Windows domains. The technique, known as “DHCP Coerce,” enables attackers to potentially compromise entire networks by leveraging legitimate privileges. The vulnerability focuses on the DHCP service, a cornerstone of network administration providing automated IP address assignment and network connection management. However, this convenience is overshadowed by the potential for abuse, as attackers can exploit specific configurations and permissions to elevate their privileges within a Windows domain.
The exploitation process involves several technical steps, including manipulating DHCP settings and utilizing malicious scripts to gain elevated privileges. Attackers, upon achieving elevated privileges, can potentially take over the entire domain, accessing and manipulating data remotely. The remote exploitability of this vulnerability further compounds its severity, demonstrating that even well-intentioned access controls can be manipulated maliciously within Windows domains.
The DHCP Coerce technique specifically exploits the DHCP administrators group, an Active Directory (AD) group responsible for managing DHCP servers. Despite its intended limited permissions for querying and modifying DHCP service configurations, the group’s privileges can be abused to execute code on DHCP servers, potentially leading to a domain takeover when the DHCP server is installed on a Domain Controller (DC). This significant vulnerability underlines the critical need for robust network security measures, as attackers can exploit DHCP options, such as “Proxy autodiscovery,” to configure a web proxy and compromise client credentials.
