This nasty Microsoft attack could let hackers hijack entire Windows servers

Microsoft’s mitigation doesn’t completely solve the issue, argues researcher


(Image credit: Pixabay)

A newly-uncovered security flaw in Windows can be exploited by attackers to completely take over a Windows domain, experts have said.

The vulnerability, dubbed PetitPotam, coerces remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing adversaries to stage a Windows NT LAN Manager (NTLM) relay attack.

“PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers,” read Microsoft’s advisory on the issue.

PetitPotam was discovered by cybersecurity researcher Gilles Lionel, who shared proof of concept (PoC) code, along with technical details of the flaw.

Incomplete mitigation?

Microsoft’s advisory suggests that all users who use Active Directory Certificate Services (AD CS) with either the Certificate Authority Web Enrollment service or the Certificate Enrollment Web Service are potentially vulnerable to PetitPotam.

The vulnerability, Microsoft argues, takes advantage of servers where AD CS is not configured with protections for NTLM Relay Attacks.

“To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing,” suggests Microsoft’s advisory.

However, the researcher doesn’t think Microsoft’s mitigations fully address the issue.

In a conversation with BleepingComputer, Lionel argues that PetitPotam is about abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API to pass on authentication requests.

And while Microsoft’s advisory mitigates NTLM relay attacks, he says that it does not address the abuse of the MS-EFSRPC API, which would need a security update.