[German]Every Windows system is vulnerable to a specific NTLM relay attack that could allow attackers to escalate privileges from user to domain admin. This vulnerability has a status of "not being fixed" and was the subject of the PetitPotam approach I addressed over the weekend. Now Antonio Cocomazzi has pointed out the vulnerability called RemotePotato0. This uses the Windows RPC protocol for privilege escalation.
The topic is not new, as the security researcher at Sentinel already pointed out this vulnerability in April 2021. Now he has published his RemotePotato0 Cross Session Activation tool on Github, which I came across via the following tweet.
The GIF published on Twitter demonstrates the use of the tool. The Github post doesn't give that much for me, but the Sentinel security researchers around Antonio Cocomazzi pointed to the separate article with further explanations in this tweet on Twitter.
In his article, SentinelLabs security researchers led by Antonio Cocomazzi explain the attack called "relaying potatos" via the Windows RPC protocol. The statement:
- Every Windows system is vulnerable to a specific NTLM relay attack that could allow attackers to escalate privileges from user to domain admin.
- The current status of this vulnerability is set to "not being fixed" by Microsoft.
In the blog post, security researchers outline how the Windows RPC protocol could be abused for an NTLM relay attack. As a result, the attacker with normal user privileges can elevate his privileges to domain admin. In the blog post, however, the security researchers give advice on what administrators can do to mitigate this attack vector.
Windows 10 upgrade breaks SAM access rights from 1809 upward, user access possible
News about Windows 10 vulnerability HiveNightmare
HiveNightmare: New details about Windows vulnerability CVE-2021-36934
PrintNightmare: Point-and-Print allows installation of arbitrary files
PetitPotam attack allows Windows domain takeover
Microsoft's mitigations of Windows PetitPotam NTLM relay attacks
Cookies helps to fund this blog: Cookie settings