A second unofficial patch for the Windows PetitPotam NTLM relay attack has been released to fix further issues not addressed by Microsoft's official security update.
An NTLM relay attack is when a threat actor can force a server or domain controller to authenticate against an NTLM relay server under the threat actor's control.
This NTLM relay would then forward the request to a targeted victim's Active Directory Certificate Services via HTTP to obtain a Kerberos ticket-granting ticket (TGT), which allows the attacker to assume the identity of the domain controller and take over the Windows domain.
In the past, there have been numerous ways to force a domain controller to authenticate against a threat actor's relay server, such as the MS-RPRN printing API, which Microsoft has fixed.
In July, security researcher Gilles Lionel, aka Topotam, disclosed a new method called 'PetitPotam' that performs unauthenticated forced authentication on domain controllers using various functions in the MS-EFSRPC (Microsoft Encrypted File System) API.
Microsoft's security update is not complete
Due to the critical nature of this attack, Microsoft released a security update as part of the August 2021 Patch Tuesday that attempted to fix the PetitPotam vulnerability, tracked as CVE-2021-36942.
"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM," explains Microsoft in the CVE-2021-36942 advisory.
Unfortunately, Microsoft's update is incomplete, and it is still possible to abuse PetitPotam.
As part of this patch, Microsoft fixed the unauthenticated vector for all EFSRPC functions, but it only completely blocks the forced negotiation for the OpenEncryptedFileRawA and OpenEncryptedFileRawW API functions when they are called via the LSARPC named pipe.
A named pipe is a Windows interface that allows processes on the same or different systems to communicate with each other. These named pipes expose API functions that can be called by other processes to perform various tasks.
However, Microsoft's update did not block the OpenEncryptedFileRawA/OpenEncryptedFileRawW functions via the MS-EFSRPC named pipe, and threat actors can still abuse other functions via both the LSARPC and EFSRPC named pipes.
"At least three other functions can be abused that they did not block/patch. Some on Twitter already pointed them out, and they can be 'easily' found if people look for them," Lionel told BleepingComputer last week.
Since then, Lionel has updated PetitPotam to support the following other EFSRPC functions that were not blocked by Microsoft's security update:
- EfsRpcEncryptFileSrv
- EfsRpcDecryptFileSrv
- EfsRpcQueryUsersOnFile
- EfsRpcQueryRecoveryAgents
- EfsRpcRemoveUsersFromFile
- EfsRpcAddUsersToFile
Additionally, even though Microsoft fixed the unauthenticated issue, it is common for threat actors to gain access to network credentials that could still be used to trigger this attack.
Unofficial patch fixes these unresolved issues
To provide a more complete patch, the 0patch micropatching service has released an updated unofficial patch that can be used to block all known PetitPotam NTLM relay attacks on the following Windows versions:
- Windows Server 2019 (updated with July 2021 Updates)
- Windows Server 2016 (updated with July 2021 Updates)
- Windows Server 2012 R2 (updated with July 2021 Updates)
- Windows Server 2008 R2 (updated with January 2020 Updates, no Extended Security Updates)
With this micropatch, the functions are blocked in both the LSARPC and EFSRPC named pipes and can no longer be exploited as part of an NTLM relay attack.
"What we did was patch just one function that is called from all of these and is responsible for sending System's credentials to the attacker's endpoint," 0patch cofounder Mitja Kolsek told BleepingComputer.
"As with our previous patch, we enclosed this function in an impersonation block, resulting in the attacker only getting their own credentials back instead of System's."
For those who wish to wait for a possible official patch from Microsoft, you can also defend against PetitPotam attacks using NETSH RPC filters that block remote access to the MS-EFSRPC API.
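The NETSH RPC filter mitigation mentioned above, written out as an added example; it is not from the article, from 0patch, or from Lionel's tool. It assumes an elevated PowerShell session on the domain controller, and it assumes the two MS-EFSR interface UUIDs (one for the \pipe\lsarpc endpoint, one for the \pipe\efsrpc endpoint) as published in Microsoft's MS-EFSR protocol specification; the article itself does not list them, so verify them against the specification before use.

```powershell
# Added example, not code from the article or from 0patch.
# Blocks calls to the MS-EFSRPC interface at the RPC runtime using netsh RPC filters.
# Run from an elevated PowerShell session on the domain controller.

# Assumption: these are the two MS-EFSR interface UUIDs from the MS-EFSR specification
# (not listed on the page). One filter per UUID covers both named-pipe endpoints,
# which matters because the article notes the EFSRPC pipe was left unblocked.
$EfsrUuids = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e'   # MS-EFSR via \pipe\lsarpc
    'df1941c5-fe89-4e79-bf10-463657acf44d'   # MS-EFSR via \pipe\efsrpc
)

# Build a netsh script: enter the "rpc filter" context, then for each UUID
# define a user-mode block rule, attach an interface-UUID condition, and commit it.
$lines = @('rpc', 'filter')
foreach ($uuid in $EfsrUuids) {
    $lines += 'add rule layer=um actiontype=block'
    $lines += "add condition field=if_uuid matchtype=equal data=$uuid"
    $lines += 'add filter'
}

$scriptPath = Join-Path $env:TEMP 'block-efsrpc.txt'
$lines | Set-Content -Path $scriptPath -Encoding ASCII

# Apply all commands in one netsh invocation.
netsh -f $scriptPath

# Check: both UUIDs should appear in the installed filter list.
netsh rpc filter show filter

# Rollback (commented out): remove every RPC filter, or use filterkey=<guid>
# from "show filter" to remove only one.
# netsh rpc filter delete filter filterkey=all
```

Two points for whoever deploys this: the filter is enforced by the RPC runtime for the listed interfaces regardless of whether the caller is authenticated, so it also closes the authenticated-credential path the article mentions, but it equally blocks legitimate EFS operations against that server, so test it on a lab host first. Re-run `netsh rpc filter show filter` after a reboot to confirm the filters are still installed before treating this as a standing control.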