New Unofficial Windows Patch Fixes More PetitPotam Attack Vectors

Another unofficial patch for the Windows PetitPotam NTLM relay attack has been released to fix further issues not addressed by Microsoft’s official security update.

The NTLM relay then forwards the authentication request to a targeted victim’s Active Directory Certificate Services over HTTP, ultimately obtaining a Kerberos ticket-granting ticket (TGT) that allows the threat actor to assume the identity of the domain controller and take over the Windows domain.

In the past, there have been various ways to force a domain controller to authenticate against an attacker’s relay server, such as the MS-RPRN printing API, which Microsoft has since fixed.

At the start of July, security researcher Lionel disclosed a new technique known as ‘PetitPotam’ that performs unauthenticated forced authentication on domain controllers using various functions in the MS-EFSRPC (Microsoft Encrypted File System) API.

Why Microsoft’s Update Is Incomplete

Because of the seriousness of this attack, Microsoft released a security update as part of the August 2021 Patch Tuesday that attempted to fix the PetitPotam vulnerability, tracked as CVE-2021-36942.

“An unauthorized threat actor could call an approach on the LSARPC interface and terrorize the domain controller to authorize against the other server using NTLM,” Microsoft explained in the CVE-2021-36942 advisory.

Unfortunately, Microsoft’s update is incomplete, and it is still possible to exploit PetitPotam. As part of this patch, Microsoft fixed the unauthenticated aspect for all EFSRPC functions, but it only fully blocks the forced authentication for the OpenEncryptedFileRawA and OpenEncryptedFileRawW API functions when they are called through the LSARPC named pipe.

A named pipe is a Windows interface that lets processes on the same or different systems communicate with each other. These named pipes expose API functions that can be called by other processes to perform various tasks.

Moreover, Microsoft’s update did not block the OpenEncryptedFileRawA/OpenEncryptedFileRawW functions when called through the MS-EFSRPC named pipe, and attackers can still abuse other functions through both the LSARPC and EFSRPC pipes.

“Anyway, three different functions can be harmed that they didn’t block or patch. Someone on Twitter already pointed them out, and they can be ‘easily’ found if people have a look for them,” Lionel told our experts last week.

Since then, Lionel has updated PetitPotam to support the following additional EFSRPC functions that were not blocked by Microsoft’s security update:

  • EfsRpcEncryptFileSrv
  • EfsRpcDecryptFileSrv
  • EfsRpcQueryUsersOnFile
  • EfsRpcQueryRecoveryAgents
  • EfsRpcRemoveUsersFromFile
  • EfsRpcAddUsersToFile

Moreover, even though Microsoft fixed the unauthenticated aspect, it is common for attackers to obtain network credentials that could still be used to trigger this attack.

How the Unofficial Patch Fixes These Unresolved Issues

To provide a more complete fix, the 0patch micropatching service has released an updated unofficial patch that blocks all known PetitPotam NTLM relay attack vectors on the following Windows versions:

  • Windows Server 2019 (updated with July 2021 Updates)
  • Windows Server 2016 (updated with July 2021 Updates)
  • Windows Server 2012 R2 (updated with July 2021 Updates)
  • Windows Server 2008 R2 (updated with January 2020 Updates, no Extended Security Updates)

With this micropatch, the vulnerable functions are blocked in both the LSARPC and EFSRPC named pipes and can no longer be abused as part of an NTLM relay attack.

“What we did was patch just one function that is called from all these and is responsible for sending System’s credentials to the attacker’s endpoint,” 0patch cofounder Mitja Kolsek told our experts.

“As with our previous patch, we confined this process in an impersonation block, resulting in threat actors only getting their own passwords back instead of System’s.”

Those who would rather wait for a possible official patch from Microsoft can also defend against PetitPotam attacks using netsh RPC filters that block remote access to the MS-EFSRPC API.
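As an added example that is not from the article or from 0patch, the netsh RPC filter mitigation mentioned above, written as a PowerShell script an administrator would run in an elevated session on the domain controller. The script file path is a constructed placeholder; the two interface UUIDs are the EFSRPC interfaces published in the MS-EFSRPC specification.

```powershell
# Added example: block remote calls to the MS-EFSRPC interfaces with RPC filters.
# Run elevated on the domain controller. Caveat: this also blocks legitimate
# remote Encrypting File System operations against this server.

# The two EFSRPC interface UUIDs from the MS-EFSRPC specification:
#   c681d488-d850-11d0-8c52-00c04fd90f7e  (exposed on \pipe\lsarpc)
#   df1941c5-fe89-4e79-bf10-463657acf44d  (exposed on \pipe\efsrpc)
$EfsInterfaces = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e',
    'df1941c5-fe89-4e79-bf10-463657acf44d'
)

# Build a netsh script: enter the "rpc filter" context once, then add one
# block rule in the user-mode (um) layer for each interface UUID.
$lines = @('rpc', 'filter')
foreach ($uuid in $EfsInterfaces) {
    $lines += 'add rule layer=um actiontype=block'
    $lines += "add condition field=if_uuid matchtype=equal data=$uuid"
    $lines += 'add filter'
}
$lines += 'quit'

# Constructed placeholder path for the generated netsh script.
$scriptPath = Join-Path $env:TEMP 'block_efsrpc.txt'
Set-Content -Path $scriptPath -Value $lines -Encoding ASCII

# Apply the filters, then list them so the new rules can be verified.
netsh -f $scriptPath
netsh rpc filter show filter
```

To roll back, note the filterKey values listed by `netsh rpc filter show filter` and remove each with `netsh rpc filter delete filter filterkey=<key>`.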
