The security shortcoming can be exploited using the wonderfully named PetitPotam technique. It involves abusing Redmond’s MS-EFSRPC (Encrypting File System Remote Protocol) to take over a corporate Windows network. It seems ideal for penetration testers, and miscreants who have gained a foothold in a Windows network.
Specifically, security researcher Gilles Lionel found it was possible to use MS-EFSRPC force a device, including Windows domain controllers, to authenticate with a remote attacker-controlled NTLM relay. The end result is an authentication certificate that grants the attacker domain-controller-level access to services, allowing them to commandeer the entire domain.
“PetitPotam takes advantage of servers,” said Microsoft, “where the Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks.”
Lionel published a proof-of-concept exploit, available from the above link, and Microsoft responded by burying the bad news in an advisory released on Friday. The Windows giant described PetitPotam as “a classic NTLM relay attack,” and noted that such attacks have a long, long history.
Which does make us wonder: why does the problem linger on?
Microsoft’s preferred mitigation is for administrators to simply disable NTLM authentication, although doing so could break any number of services and applications that depend on it. A variety of alternatives are also on offer, “listed in order of more secure to less secure.”
Windows Server 2008 and up are affected, according to Microsoft’s advisory, and, other than suggesting customers take NTLM mitigations, a fix for MS-EFSRPC does not appear to be incoming.