This nasty Microsoft attack could let hackers hijack entire Windows servers

By Mayank Sharma
published

Microsoft’s mitigation doesn’t completely solve the issue, argues researcher

Scammers
(Image credit: Pixabay)

A newly-uncovered security flaw in Windows (opens in new tab) can be exploited by attackers to completely take over a Windows domain, experts have said.

The vulnerability, dubbed PetitPotam (opens in new tab), coerces remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing adversaries to stage a Windows NT LAN Manager (NTLM) relay attack.

“PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers,” read Microsoft’s advisory (opens in new tab) on the issue.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window (opens in new tab) <<

PetitPotam was discovered by cybersecurity (opens in new tab) researcher Gilles Lionel, who shared proof of concept (PoC) code, along with technical details of the flaw.

Incomplete mitigation?

Microsoft’s advisory suggests that all users who use Active Directory Certificate Services (AD CS) with either the Certificate Authority Web Enrollment service or the Certificate Enrollment Web Service are potentially vulnerable to PetitPotam.

The vulnerability, Microsoft argues, takes advantage of servers where AD CS is not configured with protections for NTLM Relay Attacks.

“To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing,” suggests Microsoft’s advisory. 

However, the researcher doesn’t think Microsoft’s mitigations fully address the issue. 

In a conversation with BleepingComputer, Lionel argues that PetitPotam is about abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API to pass on authentication requests.

And while Microsoft's advisory mitigates NTLM relay attacks, he says that it does not address the abuse of the MS-EFSRPC API, which would need a security update.

Via BleepingComputer (opens in new tab)

Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

See more Computing news