Microsoft completed a vulnerability hat-trick this month as yet another security weakness was uncovered in its operating systems. And this one doesn’t even need authentication to work its magic.
The security shortcoming can be exploited using the wonderfully named PetitPotam technique. It involves abusing Redmond’s MS-EFSRPC (Encrypting File System Remote Protocol) to take over a corporate Windows network. It seems ideal for penetration testers, and miscreants who have gained a foothold in a Windows network.
Specifically, security researcher Gilles Lionel found it was possible to use MS-EFSRPC force a device, including Windows domain controllers, to authenticate with a remote attacker-controlled NTLM relay. The end result is an authentication certificate that grants the attacker domain-controller-level access to services, allowing them to commandeer the entire domain.
“PetitPotam takes advantage of servers,” said Microsoft, “where the Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks.”
Lionel published a proof-of-concept exploit, available from the above link, and Microsoft responded by burying the bad news in an advisory released on Friday. The Windows giant described PetitPotam as “a classic NTLM relay attack,” and noted that such attacks have a long, long history.
Which does make us wonder: why does the problem linger on?
Microsoft’s preferred mitigation is for administrators to simply disable NTLM authentication, although doing so could break any number of services and applications that depend on it. A variety of alternatives are also on offer, “listed in order of more secure to less secure.”
The advisory makes grim reading for sysadmins pondering how to plug this latest WONTFIX issue. PetitPotam makes use of the Certificate Authority Web Enrollment service or Certificate Enrollment Web Service (depending on system) and, according to Lionel’s PoC, uses the MS-EFSRPC EfsRpcOpenFileRaw function “to coerce Windows hosts to authenticate to other machines.”
CERT/CC analyst Will Dormann summarized the attack:
nth time is the charm! Not sure what was up the first times, but this is a DEFAULT install/config of the Certification Authority WEb Enrollment (ADCS-Web-Enrollment) on a machine other than the DC.
Lowly domain-joined user to golden ticket.
No credentials required, even. pic.twitter.com/EHxq17oT4p
— Will Dormann (@wdormann) July 23, 2021
Windows Server 2008 and up are affected, according to Microsoft’s advisory, and, other than suggesting customers take NTLM mitigations, a fix for MS-EFSRPC does not appear to be incoming. We asked Microsoft and will update if it tells us anything more than to look at the advisory again.
“Microsoft are no[t] fixing this,” tweeted IT security guru Kevin Beaumont, “so you have an out-of-the-box no-auth to Domain Admin path on default config Active Directory environments now, attackers.”
We’ll leave the final word to Mimikatz creator Benjamin Delpy and await Microsoft’s move… ®
Hey @msftsecurity… focusing on NTLM Relay & AD CS default configuration is interesting, but could you fix [MS-EFSR] first?
You (maybe?) know PetitPotam is primary about abusing [MS-EFSR] remote calls *without authentication*
> https://t.co/doK77F9cz2 https://t.co/gsoweKbsrd pic.twitter.com/Y26TYEvJow
— 🥝 Benjamin Delpy (@gentilkiwi) July 26, 2021