
Vulnerability allows Windows servers to authenticate unauthorized access


A vulnerability allows a cybercriminal to take control of remote Windows servers (including the Domain Controller) by forcing them to authenticate to a malicious target under the attacker's control.

The vulnerability was discovered by French information security researcher Gilles Lionel, who named it PetitPotam. It has been tested successfully on Windows 10, Windows Server 2016 and Windows Server 2019 systems.

Lionel posted a Proof of Concept (PoC) on GitHub, where he explains that an attacker can abuse the Encrypting File System Remote (EFSRPC) protocol, which is used for the maintenance and management of encrypted data stored remotely.

“[PetitPotam] forces Windows hosts to authenticate to other machines via the MS-EFSRPC EfsRpcOpenFileRaw function. This is also possible through other protocols and functions. The tools use the LSARPC named pipe with interface c681d488-d850-11d0-8c52-00c04fd90f7e because it is more prevalent. But it is possible to trigger with the named pipe EFSRPC and the interface df1941c5-fe89-4e79-bf10-463657acf44d. You don’t need credentials on the domain controller,” he explains.

Microsoft releases security update

The Record, which revealed this case to the public, contacted Microsoft, which did not respond to the press request. However, one day after the flaw was disclosed, the company released a security update addressing the vulnerability.

On the guidance page for this update, Microsoft explains that the vulnerability found by Lionel could be used in a classic NTLM relay attack.

“To prevent NTLM relay attacks on NTLM-enabled networks, domain administrators should ensure that services that enable NTLM authentication use protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing.”

“PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM relay attacks. The mitigations described in KB5005413 instruct customers on how to protect their AD CS servers from such attacks,” Microsoft says.
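The two Microsoft statements above name the defensive controls that matter here: Extended Protection for Authentication (EPA) on NTLM-enabled services, SMB signing, and the AD CS hardening in KB5005413. The following script is an added example, not code from the article, from Gilles Lionel or from Microsoft. It is a read-only audit that a domain administrator could run on an AD CS server to check whether those controls are in place. The registry path for SMB signing and the IIS configuration filters for the CertSrv application are assumptions based on standard Windows and IIS settings; the site and application names are parameters because they differ between installations, and the exact settings KB5005413 requires should be checked against that article.

```powershell
# Added example (not from the article, Microsoft or Gilles Lionel): read-only audit
# of the NTLM-relay mitigations the article mentions, intended for an AD CS server.
# Registry paths and IIS filters are assumptions based on standard Windows settings.
#Requires -RunAsAdministrator

function Get-ConfigValue {
    # Get-WebConfigurationProperty returns either a plain value or an object
    # with a .Value member depending on the attribute type; normalise to a string.
    param($Raw)
    if ($null -ne $Raw -and $null -ne $Raw.Value) { return "$($Raw.Value)" }
    return "$Raw"
}

function Test-SmbSigningRequired {
    # Server-side SMB signing: LanmanServer RequireSecuritySignature = 1 means
    # a relayed SMB session without signing is rejected.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -Name RequireSecuritySignature `
            -ErrorAction SilentlyContinue).RequireSecuritySignature
    [pscustomobject]@{ Check = 'SMB signing required (server)'; Pass = ($v -eq 1); Value = "$v" }
}

function Test-CertSrvEpa {
    # EPA on the AD CS web enrollment application: tokenChecking should be
    # 'Require' so that a relayed NTLM exchange fails the channel-binding check.
    param([string]$Site = 'Default Web Site', [string]$App = 'CertSrv')
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$App" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name tokenChecking
    $v = Get-ConfigValue $raw
    [pscustomobject]@{ Check = "EPA tokenChecking on $App"; Pass = ($v -eq 'Require'); Value = $v }
}

function Test-CertSrvRequiresSsl {
    # EPA only binds the authentication to a TLS channel, so the application
    # must also require SSL; sslFlags should include 'Ssl'.
    param([string]$Site = 'Default Web Site', [string]$App = 'CertSrv')
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$App" `
        -Filter 'system.webServer/security/access' -Name sslFlags
    $v = Get-ConfigValue $raw
    [pscustomobject]@{ Check = "SSL required on $App"; Pass = ($v -match 'Ssl'); Value = $v }
}

function Invoke-NtlmRelayMitigationAudit {
    param([string]$Site = 'Default Web Site', [string]$App = 'CertSrv')
    Import-Module WebAdministration -ErrorAction Stop
    $results = @(
        Test-SmbSigningRequired
        Test-CertSrvEpa -Site $Site -App $App
        Test-CertSrvRequiresSsl -Site $Site -App $App
    )
    $results | Format-Table -AutoSize
    $failed = @($results | Where-Object { -not $_.Pass })
    if ($failed.Count -gt 0) {
        Write-Warning "$($failed.Count) mitigation(s) not in place; review KB5005413."
    } else {
        Write-Host 'All checked NTLM relay mitigations are in place.'
    }
    return $results
}

# Run with defaults; pass -Site/-App if web enrollment lives elsewhere.
Invoke-NtlmRelayMitigationAudit
```

The script changes nothing; it only reports. Each check returns an object with a `Pass` flag so the output can be collected from several servers and compared. A failed EPA or SSL check on the enrollment endpoint is the condition Microsoft's second statement describes, an AD CS server "not configured with protections for NTLM relay attacks".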

Sources: The Record; Gilles Lionel; Microsoft; TheHack.
