You, too, can be a Windows domain controller and do whatever you like, with this one weird WONTFIX trick
Specifically, security researcher Gilles Lionel found it was possible to use MS-EFSRPC to force a device, including Windows domain controllers, to authenticate with a remote attacker-controlled NTLM relay.
"PetitPotam takes advantage of servers," said Microsoft, "where the Active Directory Certificate Services is not configured with protections for NTLM Relay Attacks."
The Windows giant described PetitPotam as "a classic NTLM relay attack," and noted that such attacks have a long, long history.
PetitPotam makes use of the Certificate Authority Web Enrollment service or Certificate Enrollment Web Service and, according to Lionel's PoC, uses the MS-EFSRPC EfsRpcOpenFileRaw function "to coerce Windows hosts to authenticate to other machines."
According to Microsoft's advisory, Windows Server 2008 and later are affected; beyond suggesting that customers apply NTLM mitigations, a fix for MS-EFSRPC does not appear to be forthcoming.
"Microsoft are no[t] fixing this," tweeted IT security guru Kevin Beaumont, "so you have an out-of-the-box no-auth to Domain Admin path on default config Active Directory environments now, attackers."
News URL: https://go.theregister.com/feed/www.theregister.com/2021/07/26/petitpotam_microsoft_windows/