Microsoft has released detailed guidance to help enterprises protect their networks against a new variant of the old NTLM relay attack called PetitPotam that can allow a user to force one Windows server to authenticate to another one.
PetitPotam works against servers that have NTLM authentication enabled and Active Directory Certificate Services (AD CS) used for Certificate Authority Web Enrollment or Certificate Enrollment Web Service. The PetitPotam tool, released last week, demonstrates how an attacker could abuse the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) to cause one Windows server to authenticate to another server using NTLM authentication over the local security authority RPC (LSARPC) service.
“What’s even crazier is that this can be done without any authentication – so as long as you can connect to the target server to the LSARPC named pipe with interface c681d488-d850-11d0-8c52-00c04fd90f7e, you can make that target server connect to any other server,” Bojan Zdrnja of the SANS Internet Storm Center wrote in an analysis of the flaw.
“The other vulnerability that is being exploited here is the fact that the IIS server that is used by Active Directory Certificate Services uses NTLM over HTTP for authentication. This makes it perfect for this attack.”
NTLM relay attacks have been around in various forms for many years and they’re well-understood by Microsoft and many network administrators. The broad advice for mitigating these attacks is to disable NTLM authentication on domain controllers; the more specific mitigation for PetitPotam is to disable NTLM on any AD CS servers and to disable NTLM authentication for IIS on those AD CS servers.
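The IIS part of that mitigation can be audited from the AD CS server itself. The following PowerShell is an added example, not from the article or from Microsoft's guidance; it assumes the IIS WebAdministration module is present and that Web Enrollment is published under "Default Web Site/CertSrv" (adjust `$Location` if the server differs).

```powershell
# Added example: report, and optionally remove, NTLM from the Windows Authentication
# providers that IIS offers for the AD CS web enrollment application.
# Assumptions: WebAdministration module available; application path is
# "Default Web Site/CertSrv" (change $Location to match the server).
Import-Module WebAdministration

$Location = 'Default Web Site/CertSrv'   # assumed site/application path
$Filter   = 'system.webServer/security/authentication/windowsAuthentication'

function Get-CertSrvAuthProviders {
    # Ordered list of providers IIS advertises, e.g. "Negotiate", "NTLM".
    $adds = Get-WebConfiguration -Filter "$Filter/providers/add" -PSPath 'IIS:\' -Location $Location
    return @($adds | ForEach-Object { $_.value })
}

function Test-CertSrvOffersNtlm {
    # True if NTLM is still reachable: either listed explicitly, or via plain
    # "Negotiate", which falls back to NTLM when Kerberos is not possible.
    # "Negotiate:Kerberos" does not fall back and is what we want to keep.
    $providers = Get-CertSrvAuthProviders
    return (($providers -contains 'NTLM') -or ($providers -contains 'Negotiate'))
}

function Remove-CertSrvNtlm {
    # Drop NTLM and fallback-capable Negotiate, then offer Kerberos-only Negotiate.
    foreach ($p in 'NTLM', 'Negotiate') {
        if ((Get-CertSrvAuthProviders) -contains $p) {
            Remove-WebConfigurationProperty -Filter "$Filter/providers" -PSPath 'IIS:\' `
                -Location $Location -Name '.' -AtElement @{ value = $p }
        }
    }
    if (-not ((Get-CertSrvAuthProviders) -contains 'Negotiate:Kerberos')) {
        Add-WebConfigurationProperty -Filter "$Filter/providers" -PSPath 'IIS:\' `
            -Location $Location -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
    }
}

# Audit only; call Remove-CertSrvNtlm deliberately after confirming the change is wanted.
Write-Host ("Providers on {0}: {1}" -f $Location, ((Get-CertSrvAuthProviders) -join ', '))
if (Test-CertSrvOffersNtlm) {
    Write-Warning 'NTLM is still offered on the AD CS web enrollment endpoint.'
} else {
    Write-Host 'Only Kerberos is offered; NTLM relay to this endpoint is not possible.'
}
```

Run it in an elevated session on the AD CS web server; removing NTLM from IIS does not replace the separate step of restricting NTLM on the domain controllers and the CA itself.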
However, Zdrnja said those mitigations are not completely effective.
“What the advisory above missed is the fact that the PetitPotam vulnerability is a completely separate issue - it allows an attacker to provoke a server to authenticate to an arbitrary machine. Abusing ADCS is just one way to use this - any service that allows NTLM authentication can probably be abused similarly (Print Spooler could be a candidate),” Zdrnja said.