RemotePotato0: Privilege Escalation Vulnerability in Windows RPC Protocol

Windows[German]Every Windows system is vulnerable to a specific NTLM relay attack that could allow attackers to escalate privileges from user to domain admin. This vulnerability has a status of "not being fixed" and was the subject of the PetitPotam approach I addressed over the weekend. Now Antonio Cocomazzi  has pointed out the vulnerability called RemotePotato0. This uses the Windows RPC protocol for privilege escalation.


Advertising

The topic is not new, as the security researcher at Sentinel already pointed out this vulnerability in April 2021. Now he has published his RemotePotato0 Cross Session Activation tool on Github, which I came across via the following tweet.

RemotePotato0-Schwachstelle in Windows

The GIF published on Twitter demonstrates the use of the tool. The Github post doesn't give that much for me, but the Sentinel security researchers around Antonio Cocomazzi pointed to the separate article with further explanations in this tweet on Twitter.   

RemotePotato0-Schwachstelle in Windows

In his article, SentinelLabs security researchers led by Antonio Cocomazzi explain the attack called "relaying potatos" via the Windows RPC protocol. The statement:


Advertising

  • Every Windows system is vulnerable to a specific NTLM relay attack that could allow attackers to escalate privileges from user to domain admin.
  • The current status of this vulnerability is set to "not being fixed" by Microsoft.

In the blog post, security researchers outline how the Windows RPC protocol could be abused for an NTLM relay attack. As a result, the attacker with normal user privileges can elevate his privileges to domain admin. In the blog post, however, the security researchers give advice on what administrators can do to mitigate this attack vector.

Similar articles:
Windows 10 upgrade breaks SAM access rights from 1809 upward, user access possible
News about Windows 10 vulnerability HiveNightmare
HiveNightmare: New details about Windows vulnerability CVE-2021-36934
PrintNightmare: Point-and-Print allows installation of arbitrary files
PetitPotam attack allows Windows domain takeover
Microsoft's mitigations of Windows PetitPotam NTLM relay attacks


Advertising

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).