Jun 22, 2022

New Attack Vector PetitPotam

Still remember PetitPotam attack?

PetitPotam is an NTLM relay attack, tracked as CVE-2021-36942, that French security researcher Gilles Lionel (aka Topotam) discovered in July 2021.

It is an NTLM Relay attack that allows threat actors to force devices, even domain controllers, to authenticate against malicious servers they control. Once a device authenticates, the malicious server can impersonate the device and gain all of its privileges.

The PetitPotam attack allowed unauthenticated users to use the EfsRpcOpenFileRaw function of the MS-EFSRPC API to force a device to perform NTLM authentication against attacker-controlled servers.

Between January and March 2022, security researcher Raphael John reported that PetitPotam still worked during his penetration tests. When he disclosed this to Microsoft, they fixed it under a new CVE rather than the one originally assigned to PetitPotam.

Topotam's PoC tool coerces Windows hosts into authenticating to other machines via the MS-EFSRPC EfsRpcOpenFileRaw call.

The tool uses the LSARPC named pipe with interface c681d488-d850-11d0-8c52-00c04fd90f7e because that pipe is more prevalent, but the same trigger works over the EFSRPC named pipe and interface df1941c5-fe89-4e79-bf10-463657acf44d. It needs no credentials against a domain controller, and disabling the EFS service does not appear to mitigate the "feature".
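The named pipes just listed are the defender's hook: when the "Audit Detailed File Share" subcategory is enabled, Windows logs every IPC$ pipe access as Security event 5145 with the pipe name in RelativeTargetName. The following PowerShell is an added example written for this post, not code from the PetitPotam tool or from Microsoft; it pulls those events from a host and reports accesses to the lsarpc and efsrpc pipes (and netdfs, the pipe behind the DFSCoerce variant) so the source addresses can be baselined. The host name 'DC01' and the 24-hour window are placeholders.

```powershell
# Added example (not part of the original post or the PetitPotam tool):
# hunt Security event 5145 for IPC$ accesses to the RPC named pipes used by
# PetitPotam (lsarpc, efsrpc) and DFSCoerce (netdfs). Requires the
# "Audit Detailed File Share" subcategory to be enabled on the audited host.

# Pipes reached over IPC$ by the coercion techniques discussed above.
$CoercionPipes = @('lsarpc', 'efsrpc', 'netdfs')

function Get-CoercionPipeAccess {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddHours(-24)   # assumed lookback window
    )

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5145
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Only pipe accesses over IPC$ are of interest here.
        if ($data['ShareName'] -ne '\\*\IPC$') { continue }
        $pipe = ($data['RelativeTargetName'] -replace '^\\', '').ToLower()
        if ($CoercionPipes -notcontains $pipe) { continue }

        [pscustomobject]@{
            TimeCreated = $event.TimeCreated
            Pipe        = $pipe
            SourceIp    = $data['IpAddress']
            Account     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            AccessMask  = $data['AccessMask']
        }
    }
}

# Usage: list every coercion-pipe access on a domain controller in the last day,
# grouped by source address so unexpected clients stand out.
Get-CoercionPipeAccess -ComputerName 'DC01' |   # 'DC01' is a placeholder host name
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    Format-Table Count, Name
```

lsarpc in particular is also reached by legitimate clients, so the function reports rather than alerts: the useful signal is a workstation or non-admin host, or an ANONYMOUS LOGON subject, touching these pipes on a domain controller, which is why the usage line groups results by source address.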


During the May 2022 Patch Tuesday, Microsoft released a security update for an actively exploited NTLM Relay Attack labeled as a 'Windows LSA Spoofing Vulnerability' and tracked as CVE-2022-26925.

In June 2022, a new Windows NTLM relay attack called DFSCoerce was discovered. It uses MS-DFSNM, the management protocol for Microsoft's Distributed File System, to completely take over a Windows domain.

A security researcher, Filip Dragovic, released a proof-of-concept script for a new NTLM relay attack called 'DFSCoerce' that uses Microsoft's Distributed File System (MS-DFSNM) protocol to relay authentication against an arbitrary server.

The DFSCoerce script is based on the PetitPotam exploit, but instead of using MS-EFSRPC, it uses MS-DFSNM, a protocol that allows the Windows Distributed File System (DFS) to be managed over an RPC interface.

To coerce a remote server to authenticate against a malicious NTLM relay, threat actors could use various methods, including the MS-RPRN, MS-EFSRPC (PetitPotam), and MS-FSRVP protocols.

Mitigations against these NTLM relay attacks include disabling NTLM on domain controllers, disabling web services on Active Directory Certificate Services servers, and enabling Extended Protection for Authentication and signing features, such as SMB signing, to protect Windows credentials.
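The mitigations above are all settings an administrator can read back from a server, so the following PowerShell audits them in one pass. It is an added example written for this post, not Microsoft's or the post's own code, and it is read-only: it reports each control with a compliant flag rather than changing anything. It assumes the AD CS web enrollment application lives under the IIS "Default Web Site" and treats LmCompatibilityLevel 5 (NTLMv2 only) and RestrictSendingNTLMTraffic 2 (deny outbound NTLM) as the target values; run it elevated on the host being checked.

```powershell
# Added example (not Microsoft's or the post's own code): audit the NTLM relay
# mitigations discussed above on a Windows Server host. Read-only; it reports
# findings rather than changing settings. Run elevated.

function New-Finding([string]$Control, $Value, [bool]$Compliant) {
    [pscustomobject]@{ Control = $Control; Value = $Value; Compliant = $Compliant }
}

function Test-NtlmRelayMitigations {
    [CmdletBinding()]
    param(
        # IIS site hosting AD CS web enrollment (assumption: the default site).
        [string]$CertSrvSite = 'Default Web Site'
    )
    $findings = @()

    # 1. SMB signing: a relayed SMB session fails when the server requires signing.
    $smb = Get-SmbServerConfiguration
    $findings += New-Finding 'SMB RequireSecuritySignature' $smb.RequireSecuritySignature $smb.RequireSecuritySignature

    # 2. NTLM restrictions: LmCompatibilityLevel 5 refuses LM/NTLMv1 responses;
    #    RestrictSendingNTLMTraffic 2 blocks outbound NTLM from this host, which is
    #    what "disabling NTLM on domain controllers" comes down to for coercion.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $level = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 'not set' }
    $findings += New-Finding 'LmCompatibilityLevel' $level ($level -eq 5)

    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $restrict = if ($null -ne $msv.RestrictSendingNTLMTraffic) { $msv.RestrictSendingNTLMTraffic } else { 'not set' }
    $findings += New-Finding 'RestrictSendingNTLMTraffic' $restrict ($restrict -eq 2)

    # 3. AD CS web services: the mitigation is to remove them; if they stay,
    #    Extended Protection for Authentication must be required and HTTPS enforced.
    $webEnroll = Get-WindowsFeature ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc | Where-Object Installed
    if ($webEnroll) {
        $findings += New-Finding 'AD CS web services installed' ($webEnroll.Name -join ', ') $false

        Import-Module WebAdministration
        $epa = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$CertSrvSite" -Location 'CertSrv' `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name 'tokenChecking'
        if ($null -ne $epa.Value) { $epa = $epa.Value }   # unwrap the IIS attribute object
        $findings += New-Finding 'CertSrv EPA tokenChecking' $epa ("$epa" -eq 'Require')

        $ssl = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$CertSrvSite" -Location 'CertSrv' `
            -Filter 'system.webServer/security/access' -Name 'sslFlags'
        if ($null -ne $ssl.Value) { $ssl = $ssl.Value }
        $findings += New-Finding 'CertSrv sslFlags' $ssl ("$ssl" -match 'Ssl')
    } else {
        $findings += New-Finding 'AD CS web services installed' 'none' $true
    }

    $findings
}

# Usage: print the audit as a table; any row with Compliant = False needs attention.
Test-NtlmRelayMitigations | Format-Table -AutoSize
```

A single non-compliant row is enough to leave a relay path open: SMB signing protects SMB targets, EPA and HTTPS protect the AD CS enrollment endpoint, and the NTLM restrictions stop the coerced host from answering the relay in the first place, so the three groups cover different links in the same chain.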


Links: