A second unofficial patch for the Windows PetitPotam NTLM relay attack has been released to address further issues not covered by Microsoft's official security update.
An NTLM relay attack is one in which a threat actor forces a server or domain controller to authenticate against an NTLM relay server under the threat actor's control.
The NTLM relay then forwards that request to a targeted victim's Active Directory Certificate Services over HTTP to obtain a Kerberos ticket-granting ticket (TGT), which lets the attacker assume the identity of the domain controller and take over the Windows domain.
In the past, there have been numerous methods of forcing a domain controller to authenticate against a threat actor's relay server, such as the MS-RPRN printing API, which Microsoft has since fixed.
In July, security researcher Gilles Lionel, also known as Topotam, disclosed a new method called 'PetitPotam' that performs unauthenticated forced authentication against domain controllers using various functions in the MS-EFSRPC (Microsoft Encrypted File System) API.
Microsoft's security update is not complete
Because of the critical nature of this attack, Microsoft released a security update as part of the August 2021 Patch Tuesday that attempted to fix the PetitPotam vulnerability, tracked as CVE-2021-36942.
“An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM,” Microsoft explains in the CVE-2021-36942 advisory.
Unfortunately, Microsoft's update is incomplete, and it is still possible to abuse PetitPotam.
As part of this patch, Microsoft fixed the unauthenticated vector for all EFSRPC functions, but only fully blocks forced authentication for the OpenEncryptedFileRawA and OpenEncryptedFileRawW API functions when they are called through the LSARPC named pipe.
A named pipe is a Windows interface that allows processes on the same or different systems to communicate with one another. These named pipes expose API functions that other processes can call to perform various tasks.
However, Microsoft's update did not block the OpenEncryptedFileRawA/OpenEncryptedFileRawW functions through the MS-EFSRPC named pipe, and threat actors can still abuse other functions through both the LSARPC and EFSRPC pipes.
“At least three other functions can be abused that they didn't block/patch. Some on Twitter already pointed them out and they can be “quickly” found if people look for them,” Lionel told BleepingComputer recently.
Since then, Lionel has updated PetitPotam to support the following other EFSRPC functions that were not blocked by Microsoft's security update:
- EfsRpcEncryptFileSrv
- EfsRpcDecryptFileSrv
- EfsRpcQueryUsersOnFile
- EfsRpcQueryRecoveryAgents
- EfsRpcRemoveUsersFromFile
- EfsRpcAddUsersToFile
Furthermore, although Microsoft fixed the unauthenticated issue, it is common for threat actors to obtain network credentials that could still be used to trigger this attack.
Unofficial patch fixes these unresolved issues
To provide a more complete fix, the 0patch micropatching service has released an updated unofficial patch that can be used to block all known PetitPotam NTLM relay attacks on the following Windows versions:
- Windows Server 2019 (updated with July 2021 Updates)
- Windows Server 2016 (updated with July 2021 Updates)
- Windows Server 2012 R2 (updated with July 2021 Updates)
- Windows Server 2008 R2 (updated with January 2020 Updates, no Extended Security Updates)
With this micropatch, the functions are blocked in both the LSARPC and EFSRPC named pipes and can no longer be exploited as part of an NTLM relay attack.
“What we did was patch just one function that is called from all these and is responsible for sending System's credentials to attacker's endpoint,” 0patch cofounder Mitja Kolsek told BleepingComputer.
“As with our previous patch, we enclosed this function in an impersonation block, resulting in attacker only getting their own credentials back instead of System’s.”
For those who prefer to wait for a possible official patch from Microsoft, you can also prevent PetitPotam attacks using NETSH RPC filters that block remote access to the MS-EFSRPC API.
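The RPC filter mitigation mentioned above, as an added example that is not part of the original article and not code from 0patch or Microsoft. It writes a netsh script that blocks the two MS-EFSRPC interfaces in the user-mode RPC layer and applies it. The two interface UUIDs are taken from the MS-EFSRPC protocol specification (c681d488-... is the EFSRPC interface reachable over the lsarpc pipe, df1941c5-... the one over the efsrpc pipe); they are not stated in the article, so confirm them against the specification before deploying. The temp file path is this example's own choice.

```powershell
# Added example (not from the article): block the MS-EFSRPC interfaces with
# netsh RPC filters. Must be run from an elevated prompt on the domain
# controller or server being protected.

# EFSRPC interface UUIDs, per the MS-EFSRPC specification (assumption: verify
# against the spec for your environment; not quoted from the article).
$EfsRpcInterfaces = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e'   # EFSRPC over \pipe\lsarpc
    'df1941c5-fe89-4e79-bf10-463657acf44d'   # EFSRPC over \pipe\efsrpc
)

# Build a netsh script: one block rule per interface UUID in the user-mode
# (um) RPC layer, each committed with 'add filter'.
$lines = @('rpc', 'filter')
foreach ($uuid in $EfsRpcInterfaces) {
    $lines += 'add rule layer=um actiontype=block'
    $lines += "add condition field=if_uuid matchtype=equal data=$uuid"
    $lines += 'add filter'
}
$lines += 'quit'

# Write the script to a temp file (path chosen for this example) and apply it.
$scriptPath = Join-Path $env:TEMP 'block-efsrpc.txt'
Set-Content -Path $scriptPath -Value $lines -Encoding ASCII
netsh -f $scriptPath

# Show the installed filters so the two block rules and their filter keys can
# be confirmed.
netsh rpc filter show filter
```

Running `netsh rpc filter show filter` afterwards lists each installed filter with its filterKey; keep those keys, since `netsh rpc filter delete filter filterkey=<key>` is how the change is rolled back. Because the filters refuse every remote call to the EFSRPC interfaces, not only the coercion functions listed in the article, anything that legitimately manages EFS on the host remotely will stop working, so test on one system before deploying broadly.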