[BreachExchange] Microsoft warns of PetitPotam attack taking over Windows domains

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jul 28 11:39:40 EDT 2021


https://www.hackread.com/microsoft-petitpotam-attack-taking-over-windows-domains/

Microsoft has released an advisory on the newly identified Windows security
flaw that allows attackers to take complete control of a Windows domain.

Experts revealed that the vulnerability, dubbed PetitPotam, forces remote
Windows servers such as Domain Controllers to authenticate to a malicious
destination, which allows attackers to launch a Windows NT LAN Manager
(NTLM) relay attack.

“PetitPotam is a classic NTLM Relay Attack, and such attacks have been
previously documented by Microsoft along with numerous mitigation options
to protect customers,” Microsoft’s advisory reads.

PetitPotam Coerces Windows Hosts to Authenticate to Other Devices

The flaw was discovered and reported by security researcher Gilles Lionel.
He shared its technical details and PoC code last week and revealed that
the flaw works by coercing Windows hosts to authenticate to other
devices/systems through the EfsRpcOpenFileRaw function of MS-EFSRPC,
Microsoft's Encrypting File System Remote Protocol, which is used to
perform maintenance and management operations on encrypted data that is
stored remotely and accessed over a network.

Who is Vulnerable to PetitPotam?

According to the advisory, users who are using Active Directory Certificate
Services (AD CS) with the Certificate Enrollment Web Service or the
Certificate Authority Web Enrollment service are vulnerable to this threat.

PetitPotam exploits servers where AD CS is not configured with protections
against NTLM relay attacks. A successful relay gives the attacker an
authentication certificate, which can be used to access DC services and
compromise the entire domain.

“To prevent NTLM Relay Attacks on networks with NTLM enabled, domain
administrators must ensure that services that permit NTLM authentication
make use of protections such as Extended Protection for Authentication
(EPA) or signing features such as SMB signing,” Microsoft advises.
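A defender-side check of the two protections Microsoft names above, as an added example (not code from the article or from Microsoft's advisory): it audits, and with -Enforce sets, Extended Protection for Authentication on the CA Web Enrollment endpoint and the SMB signing requirement on the host. It assumes the standard IIS location 'Default Web Site/CertSrv' and that the WebAdministration module exposes the nested extendedProtection/tokenChecking attribute through the dotted property name used below.

```powershell
# Added example: audit (and optionally enforce) the NTLM relay protections
# named in Microsoft's advisory. Assumes the CA Web Enrollment application
# sits at 'Default Web Site/CertSrv'; adjust for the Certificate Enrollment
# Web Service application if it is installed at another path.
param([switch]$Enforce)

Import-Module WebAdministration

$site   = 'Default Web Site/CertSrv'
$auth   = 'system.webServer/security/authentication/windowsAuthentication'
$access = 'system.webServer/security/access'

# EPA is governed by extendedProtection/@tokenChecking: None, Allow or Require.
$epa = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
         -Filter $auth -Name 'extendedProtection.tokenChecking').Value
# EPA only binds the auth to the channel over TLS, so SSL must be required.
$ssl = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
         -Filter $access -Name 'sslFlags').Value
# SMB signing on the host itself (the second protection Microsoft lists).
$smb = (Get-SmbServerConfiguration).RequireSecuritySignature

$epaOk = ("$epa" -eq 'Require')
$sslOk = ("$ssl" -match 'Ssl')
$smbOk = [bool]$smb

"EPA tokenChecking on $site : $epa (want Require)"
"Require SSL on $site       : $ssl (want Ssl)"
"SMB signing required       : $smb (want True)"

if ($Enforce) {
    if (-not $epaOk) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
            -Filter $auth -Name 'extendedProtection.tokenChecking' -Value 'Require'
    }
    if (-not $sslOk) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
            -Filter $access -Name 'sslFlags' -Value 'Ssl'
    }
    if (-not $smbOk) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
}
```

Run it once without -Enforce to see the current state; requiring SSL and EPA will break clients that still enrol over plain HTTP, so confirm those first.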

But Lionel believes this won't fully resolve the issue, because PetitPotam
abuses the EfsRpcOpenFileRaw function, and Microsoft's advisory doesn't
address the MS-EFSRPC API abuse unless the company releases a security
update.