Overview

Application developers often expose functionality from a Windows login screen. The common functionality needed from a login screen includes password reset mechanisms and VPN onboarding processes.

Pre-authentication functionality exposes a high-value attack surface. An unauthenticated external attacker with network connectivity to the Remote Desktop Protocol (RDP) service on the target host can reach the components exposed through the login screen interface whenever Network Level Authentication (NLA) is not required, because without NLA the login screen itself is rendered to the remote client before any credentials are supplied.

Praetorian has routinely found vulnerabilities within functionality exposed through the extended login interfaces. These vulnerabilities stem from the ability to escape from the intended application user interface and open applications on the host, such as the command prompt.

This article will provide two scenarios where Praetorian has identified vulnerabilities within login screen functionality. The first scenario describes a vulnerability Praetorian discovered within a custom-developed password reset application and the second provides commentary on a vulnerability Praetorian discovered within the GlobalProtect VPN client for Windows. We will then conclude the article by discussing how robust security controls and alerting capabilities can allow an organization to defend against these attacks in an effective fashion, even within the context of a zero-day.

Example #1: Custom Password Reset Application

In this scenario, Praetorian identified a custom application that allowed the end-user to reset their password by answering security questions from the Windows native login/lock screen. The organization developed this application to reduce the frequency of calls to the helpdesk. For example, a user may reset their password and then forget their password the next day.

The application implemented this functionality through spawning an embedded web browser instance. This interface loaded a website, prompting the user to answer previously configured security questions to reset their password.

However, an attacker could break out of the embedded browser instance by right-clicking and opening a print dialog box, which an attacker could leverage to open an Explorer window and then a command prompt. This method is akin to the one used to escape Citrix published applications.

Since these applications execute within the Windows logon screen, typically through a credential provider plugin, they run with the same privileges as logonui.exe, which is NT AUTHORITY\SYSTEM.

Since the customer did not implement network segmentation or require NLA to access the Windows login screen, this vulnerability resulted in remote code execution. Our team exploited the vulnerability to move laterally within the environment and eventually completed the attack objective for the engagement.

Example #2: GlobalProtect Vulnerability (CVE-2022-0016)

A common issue customers face when implementing remote work is facilitating the initial authentication for Active Directory (AD) user accounts, as the user is not connected to the network and is unable to communicate with domain controllers. This is a circular problem: users can only perform first-time authentication to their provided laptop when there is connectivity to a domain controller, but to obtain connectivity to a domain controller, the user must first authenticate to their laptop to launch the VPN client.

GlobalProtect provides a solution to this problem through the “Connect Before Logon” functionality [1]. This functionality allows the user to use a restricted version of the GlobalProtect application to first authenticate to the corporate VPN. Authenticating to the VPN provides connectivity to a domain controller, which then enables local authentication. While this functionality is beneficial, its implementation introduced some unintended consequences.

GlobalProtect spawns an embedded browser window so the user can authenticate against the organization’s identity provider when connecting to a VPN server that uses SAML for authentication. In certain configurations, this functionality enables an attacker to obtain remote code execution or local privilege escalation using the same methodology as Example #1. This vulnerability affects Windows and macOS versions of GlobalProtect app 5.2 earlier than GlobalProtect app 5.2.9. Palo Alto Networks has fixed this issue in GlobalProtect app 5.2.9 [2].

In an engagement, a customer had implemented robust network segmentation and enabled the “require network-level authentication” setting, preventing the issue from being remotely exploitable within their environment. Additionally, the customer had implemented monitoring for suspicious processes spawned under logonui.exe to detect exploitation of the Sticky Keys backdoor technique.

The customer also noted the anomalous process tree created when exploiting the vulnerability and quarantined the associated system within 24 hours. Because of the compensating security controls implemented by the client, an attacker could only use the vulnerability for local privilege escalation instead of remote code execution.
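The process-tree monitoring described above is what turned this zero-day into a contained local issue. The following is an added example, not code from the original article or from Praetorian, of the detection logic in Python: it walks the parent chain of each process-creation record (Sysmon Event ID 1 or Security 4688 style, modelled here as dicts) and flags shells or launchers that have logonui.exe anywhere in their ancestry, which covers both the embedded-browser escape and the Sticky Keys technique. The event records, the process IDs and the vendor helper name `ResetHelper.exe` are constructed for illustration.

```python
"""Detect shells or launchers that descend from logonui.exe (the Windows logon UI).

Process-creation telemetry is modelled as a list of dicts with the fields a
Sysmon Event ID 1 or Security 4688 record would give you. In production, key
on ProcessGuid/ParentProcessGuid rather than numeric PIDs, because PIDs are
reused after a process exits.
"""

# Images that should never run beneath the logon UI. Assumption: any of these
# appearing under logonui.exe is worth an alert regardless of command line.
SUSPICIOUS_IMAGES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
}

# Constructed sample telemetry (not from a real host). PID 700 stands in for
# winlogon.exe, whose own record is not in the sample. ResetHelper.exe is a
# hypothetical credential-provider helper hosting an embedded browser.
SAMPLE_EVENTS = [
    {"pid": 900,  "ppid": 700,  "image": r"C:\Windows\System32\logonui.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 1300, "ppid": 900,  "image": r"C:\Program Files\ExampleVendor\ResetHelper.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    # Escape chain: print dialog -> Explorer window -> command prompt, all as SYSTEM
    {"pid": 1400, "ppid": 1300, "image": r"C:\Windows\explorer.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 1500, "ppid": 1400, "image": r"C:\Windows\System32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    # Benign interactive session: userinit -> explorer -> cmd as a normal user
    {"pid": 1800, "ppid": 700,  "image": r"C:\Windows\System32\userinit.exe",
     "user": r"CORP\alice"},
    {"pid": 1900, "ppid": 1800, "image": r"C:\Windows\explorer.exe",
     "user": r"CORP\alice"},
    {"pid": 2100, "ppid": 1900, "image": r"C:\Windows\System32\cmd.exe",
     "user": r"CORP\alice"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Image names from the given process up to the highest ancestor we have
    a record for. A 'seen' set guards against cycles caused by PID reuse."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(image_name(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def find_logonui_escapes(events):
    """Return one finding per suspicious process that has logonui.exe as an
    ancestor. Findings carry the full chain, root first, for the analyst."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(by_pid, e["pid"])
        # chain[0] is the process itself; logonui.exe must be a strict ancestor
        if chain[0] in SUSPICIOUS_IMAGES and "logonui.exe" in chain[1:]:
            findings.append({
                "pid": e["pid"],
                "image": chain[0],
                "user": e["user"],
                "chain": " -> ".join(reversed(chain)),
            })
    return findings


if __name__ == "__main__":
    for f in find_logonui_escapes(SAMPLE_EVENTS):
        print(f"ALERT pid={f['pid']} user={f['user']} chain={f['chain']}")
```

Run against the sample, the function flags the explorer.exe and cmd.exe launched beneath logonui.exe (both running as SYSTEM) and ignores the identical explorer.exe/cmd.exe pair in the user's own session, which is exactly the distinction the monitoring in this engagement relied on. Walking the whole ancestry rather than checking only the immediate parent matters here: the shell is several hops below logonui.exe, so a rule that matches only direct children would miss it.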

Conclusion

Exposing application logic or functionality through the Windows lock screen can often lead to critical security vulnerabilities. However, enabling non-default security hardening settings, implementing defense-in-depth controls such as network segmentation, and developing robust alerting capabilities will significantly improve an organization’s ability to defend against even previously unknown zero-day issues.

References

[1] https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-released-in-gp-app/connect-before-logon
[2] https://security.paloaltonetworks.com/CVE-2022-0016