New PetitPotam attack forces Windows servers to authenticate with an attacker
A French security researcher has discovered a security flaw in the Windows operating system that can be exploited to force remote Windows servers to authenticate with an attacker and share NTLM authentication details or authentication certificates.
The issue, discovered by Gilles Lionel, a Paris-based French security researcher, was nicknamed PetitPotam, and proof-of-concept (PoC) code was published earlier this week on GitHub.
According to Lionel, the issue takes place when an attacker abuses MS-EFSRPC, a protocol that allows Windows machines to perform operations on encrypted data stored on remote systems.
The PetitPotam attack PoC code allows an attacker to send SMB requests to a remote system's MS-EFSRPC interface and force the victim computer to initiate an authentication procedure and share its authentication details.
Attackers can then collect this data and abuse it as part of a NTLM relay attack to gain access to remote systems on the same internal network.
A very dangerous issue
PetitPotam cannot be exploited remotely over the internet and is an attack designed to be used inside large corporate networks, where attackers could use it to force domain controllers to cough up their NTLM password hashes or authentication certificates, which could lead to the complete takeover of a company's internal network.
Finally finished testing it, it's quite brutal! Network access to full AD takeover... I really underestimated the impact of NTLM relay on PKI #ESC8 The combo with PetitPotam is awesome !
— Rémi Escourrou (@remiescourrou) July 22, 2021
Everything is already published to quickly exploit it ... https://t.co/NVe6QJFrx6 pic.twitter.com/q55OyC7dME
Tests carried out by Gilles and several security researchers have shown that disabling support for MS-EFSRPC did not stop the attack from working.
The attack has been tested against Windows Server 2016 and Windows Server 2019 systems, but security researchers believe PetitPotam impacts most Windows Server versions supported today.
A Microsoft spokesperson did not return a request for comment, but the company published official mitigations a day after this article's publication.
All in all, Microsoft is going through a rough patch, security-wise. This is the third major Windows security issue disclosed over the past month after the PrintNightmare and SeriousSAM (HiveNightmare) vulnerabilities.
"The problem with this type of attack is that it will take a considerable amount of time and considerations to develop appropriate countermeasures," Florian Roth, Head of Research at Nextron Systems, told The Record.
"These are design flaws that are more difficult to fix. It’s much easier to just patch a vulnerable font driver DLL or Internet Explorer library," Roth added.
Article updated on July 24 with link to official Microsoft mitigations.
Catalin Cimpanu
is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.