{"id":20812,"date":"2021-07-27T00:04:00","date_gmt":"2021-07-26T22:04:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=20812"},"modified":"2021-09-06T23:22:22","modified_gmt":"2021-09-06T21:22:22","slug":"remotepotato0-privilege-escalation-schwachstelle-im-windows-rpc-protocol","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/07\/27\/remotepotato0-privilege-escalation-schwachstelle-im-windows-rpc-protocol\/","title":{"rendered":"RemotePotato0: Privilege Escalation Vulnerability in Windows RPC Protocol"},"content":{"rendered":"

\"Windows\"[German<\/a>]Every Windows system is vulnerable to a specific NTLM relay attack that could allow attackers to escalate privileges from user to domain admin. This vulnerability has a status of \"not being fixed\" and was the subject of the PetitPotam approach I addressed over the weekend. Now Antonio Cocomazzi<\/a>  <\/em>has pointed out the vulnerability called RemotePotato0. This uses the Windows RPC protocol for privilege escalation.<\/p>\n

<\/p>\n

\"\"The topic is not new, as the security researcher at Sentinel already pointed out this vulnerability in April 2021. Now he has published his RemotePotato0 Cross Session Activation tool<\/a> on Github, which I came across via the following tweet<\/a>.<\/p>\n

\"RemotePotato0-Schwachstelle<\/a><\/p>\n

The GIF published on Twitter<\/a> demonstrates the use of the tool. The Github post doesn't give that much for me, but the Sentinel security researchers around Antonio Cocomazzi pointed to the separate article with further explanations in this tweet<\/a> on Twitter.    <\/p>\n

\"RemotePotato0-Schwachstelle<\/a><\/p>\n

In his article<\/a>, SentinelLabs security researchers led by Antonio Cocomazzi explain the attack called \"relaying potatos\" via the Windows RPC protocol. The statement: <\/p>\n