A second unofficial patch for the Windows PetitPotam NTLM relay attack has been released to fix further issues not addressed by Microsoft’s official security update.
In an NTLM relay attack, a threat actor coerces a server or domain controller into authenticating to an NTLM relay server under the attacker’s control rather than to the service it intended to reach.
The relay then forwards that authentication over HTTP to the victim’s Active Directory Certificate Services (AD CS) web enrollment endpoint and obtains a certificate for the domain controller’s machine account. With that certificate the attacker can request a Kerberos ticket-granting ticket (TGT) as the domain controller, which is enough to take over the Windows domain.
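The relay stage described above leaves a characteristic trace: the host that accepts the relayed authentication (typically the CA running AD CS web enrollment) logs a network logon (event 4624, logon type 3) with authentication package NTLM for the domain controller’s machine account, coming from an address that is not a domain controller. The coercion stage, if share auditing is enabled on the DC, shows up as a named-pipe access (event 5145) to lsarpc or efsrpc from that same address. The following detector, an added example that is not part of the article and not 0patch’s or Microsoft’s code, correlates the two over a constructed set of log records; the record format, host names, IP addresses and the DC inventory are assumptions for illustration, and the 5145 heuristic is only used to raise confidence because pipe access to lsarpc is common legitimate traffic.

```python
"""Correlate EFSRPC pipe access on a DC with NTLM logons of DC machine
accounts elsewhere, as a detector for PetitPotam-style NTLM relay.
Added example; log format, hosts and addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed inventory (assumption): DC machine accounts and the
# addresses that legitimately present them. Any other source is suspect.
KNOWN_DCS = {
    "DC01$": {"10.0.0.10"},
    "DC02$": {"10.0.0.11"},
}

# Named pipes over which the EFSRPC interface is reachable on a DC.
COERCION_PIPES = {"lsarpc", "efsrpc"}


@dataclass(frozen=True)
class Finding:
    account: str       # DC machine account whose NTLM auth was relayed
    source_ip: str     # address the NTLM logon came from (the relay host)
    target_host: str   # host that accepted the relayed logon (e.g. the CA)
    correlated: bool   # same source also opened an EFSRPC pipe on a DC
    pipe_user: str     # account used for that pipe access, if correlated


def parse_record(line):
    """Parse one 'Key=Value; Key=Value' record (constructed format)."""
    fields = {}
    for part in line.strip().split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def analyze(lines, known_dcs=KNOWN_DCS):
    """Return relay findings; correlated ones are the high-confidence hits."""
    dc_ips = set().union(*known_dcs.values())
    records = [parse_record(line) for line in lines]

    # Pass 1: pipe opens of lsarpc/efsrpc from non-DC addresses (noisy alone).
    pipe_clients = {}  # source ip -> account that opened the pipe
    for rec in records:
        if rec.get("EventID") != "5145":
            continue
        if rec.get("RelativeTargetName", "").lower() not in COERCION_PIPES:
            continue
        ip = rec.get("IpAddress", "")
        if _valid_ip(ip) and ip not in dc_ips:
            pipe_clients[ip] = rec.get("SubjectUserName", "")

    # Pass 2: NTLM network logons of a DC machine account from a non-DC address.
    findings = []
    for rec in records:
        if rec.get("EventID") != "4624" or rec.get("LogonType") != "3":
            continue
        if rec.get("AuthPackage", "").upper() != "NTLM":
            continue
        account = rec.get("TargetUserName", "")
        if account not in known_dcs:
            continue  # member servers and workstations using NTLM are normal
        ip = rec.get("IpAddress", "")
        if not _valid_ip(ip) or ip in known_dcs[account]:
            continue
        findings.append(Finding(account, ip, rec.get("Computer", ""),
                                ip in pipe_clients, pipe_clients.get(ip, "")))
    return findings


# Constructed sample records: a coerced DC01 relayed to CA01 from 10.0.5.77,
# plus benign DC-to-DC, Kerberos and workstation traffic that must not fire.
SAMPLE_LOG = [
    "EventID=5145; Computer=DC01; SubjectUserName=jdoe; ShareName=\\\\*\\IPC$; RelativeTargetName=lsarpc; IpAddress=10.0.5.77",
    "EventID=5145; Computer=DC01; SubjectUserName=DC02$; ShareName=\\\\*\\IPC$; RelativeTargetName=lsarpc; IpAddress=10.0.0.11",
    "EventID=4624; Computer=CA01; TargetUserName=DC01$; LogonType=3; AuthPackage=NTLM; IpAddress=10.0.5.77",
    "EventID=4624; Computer=CA01; TargetUserName=DC01$; LogonType=3; AuthPackage=Kerberos; IpAddress=10.0.0.10",
    "EventID=4624; Computer=FS01; TargetUserName=WS17$; LogonType=3; AuthPackage=NTLM; IpAddress=10.0.5.40",
    "EventID=4624; Computer=CA01; TargetUserName=DC02$; LogonType=3; AuthPackage=NTLM; IpAddress=10.0.9.9",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the detector reports two hits: the DC01$ logon from 10.0.5.77 on CA01, correlated with jdoe’s lsarpc pipe access on DC01, and an uncorrelated DC02$ NTLM logon from 10.0.9.9. In a real deployment the DC inventory would come from the directory rather than a literal, and the uncorrelated class is worth alerting on as well, since a DC machine account should rarely authenticate outbound with NTLM at all.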
In the past, there have been numerous ways to force a domain controller to authenticate against a threat actor’s relay server, such as the MS-RPRN printing API, which Microsoft has fixed.
In July, security researcher Gilles Lionel, aka Topotam, disclosed a new technique called ‘PetitPotam’ that performs unauthenticated forced authentication against domain controllers using various functions of the MS-EFSRPC (Encrypting File System Remote Protocol) API.
Microsoft’s security update is not complete

Due to the critical nature of this attack, Microsoft released a security update as part of the August 2021 Patch Tuesday that attempted to fix the PetitPotam vulnerability, tracked as CVE-2021-36942.
“An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM,” explains Microsoft in the CVE-2021-36942 advisory.
Unfortunately, Microsoft’s update is incomplete, and it is still possible to abuse PetitPotam.
With this patch, Microsoft closed the unauthenticated path to every EFSRPC function, but it fully blocks the coerced authentication only for the OpenEncryptedFileRawA and OpenEncryptedFileRawW calls, and only when they arrive over the LSARPC named pipe. An authenticated caller, or a caller reaching the same EFSRPC interface over another named pipe such as \pipe\efsrpc, can therefore still coerce the domain controller through the remaining functions.