What is the PetitPotam attack? How to mitigate a PetitPotam attack

French security researcher Gilles Lionel, aka Topotam, recently published a new attack technique called PetitPotam. It is an NTLM relay attack that does not depend on the MS-RPRN API (the interface abused by the earlier "printer bug"); instead it calls the EfsRpcOpenFileRaw function of the MS-EFSRPC API to coerce a target host, including a domain controller, into authenticating to a server the attacker controls.

MS-EFSRPC is Microsoft's Encrypting File System Remote Protocol, used to perform maintenance and management operations on encrypted data that is stored remotely and accessed over the network.

According to Lionel, this is not a vulnerability but abuse of a legitimate feature of the system. PetitPotam not only allows attackers to take control of an entire Windows domain but also opens the way to other attacks, Lionel said. What makes it so damaging is that the coerced authentication comes from the target's machine account: if the target is a domain controller and the NTLM exchange is relayed to a service that still accepts it, such as an Active Directory Certificate Services web-enrollment endpoint, the attacker ends up with credentials that act as the domain controller.


Shortly after Lionel published the tool on GitHub, other security researchers began testing it. Rémi Escourrou confirmed that PetitPotam can be used to take over an entire Active Directory domain, and added that there is practically no way to block PetitPotam.

PetitPotam affects Windows Server 2008 through 2019. Microsoft says it has no indication that the technique has been used in attacks in the wild.

Microsoft's guidance for mitigating PetitPotam

In a newly published advisory, Microsoft acknowledged that organizations can be attacked with PetitPotam. It has not released a patch, but it advises the following measures to limit the damage an NTLM relay can do:

  • Disable NTLM wherever it is not needed, in particular on domain controllers
  • Enable Extended Protection for Authentication (EPA) on services that accept NTLM over HTTP, such as the AD CS web-enrollment pages, so that a relayed authentication fails the channel-binding check

However, PetitPotam works by abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API to coerce the authentication in the first place, and that coercion can feed other attacks. Microsoft's advice only blunts the NTLM relay; it does not address the MS-EFSRPC abuse itself, so an update that fixes the underlying behaviour may still be needed.

Security expert Benjamin Delpy said the mitigations Microsoft offered were not satisfactory. The EFSRPC protocol is not even mentioned.
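To make Microsoft's two recommendations concrete, here is an added PowerShell example; it is not code from the article, from Microsoft's advisory, or from the PetitPotam project. Run without switches it audits, and with -Enforce it applies, the relevant settings on an AD CS web-enrollment host: the registry value behind the "Network security: Restrict NTLM: Incoming NTLM traffic" policy, the Extended Protection setting of the IIS Windows-authentication module, and the NTLM provider on the enrollment application. The application path "Default Web Site/CertSrv" and an elevated session on the AD CS host are assumptions.

```powershell
# Added example (not from the article or from Microsoft's advisory): audit, and
# with -Enforce apply, the PetitPotam relay mitigations on an AD CS web host.
# Assumptions: elevated session on the AD CS server; the enrollment app lives at
# "Default Web Site/CertSrv" (the default path; override $Location if yours differs).
param(
    [switch]$Enforce,
    [string]$Location = 'Default Web Site/CertSrv'
)

Import-Module WebAdministration

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$appHost = 'MACHINE/WEBROOT/APPHOST'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Incoming NTLM on this host.
#    RestrictReceivingNTLMTraffic: 0 = allow all, 1 = deny domain accounts, 2 = deny all
$ntlm = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
if ($null -eq $ntlm) { $ntlm = 0 }   # value absent means the default: allow all
"Incoming NTLM (RestrictReceivingNTLMTraffic): $ntlm"

# 2. Extended Protection for Authentication on the enrollment app.
#    tokenChecking: None = relayable, Allow = opportunistic, Require = channel binding enforced
$epa = (Get-WebConfigurationProperty -PSPath $appHost -Location $Location `
            -Filter $winAuth -Name 'extendedProtection.tokenChecking').Value
"EPA tokenChecking on ${Location}: $epa"

# 3. Authentication providers the app still offers (NTLM should not be among them).
$providers = Get-WebConfigurationProperty -PSPath $appHost -Location $Location `
                -Filter "$winAuth/providers" -Name 'Collection' |
             ForEach-Object { $_.value }
"Windows auth providers on ${Location}: $($providers -join ', ')"

if (-not $Enforce) {
    if ($ntlm -eq 0)                 { Write-Warning 'Host accepts incoming NTLM from every account.' }
    if ($epa -ne 'Require')          { Write-Warning 'EPA is not required; a relayed NTLM exchange will be accepted.' }
    if ($providers -contains 'NTLM') { Write-Warning 'NTLM provider is still enabled on the enrollment app.' }
    return
}

# Enforce: run only after confirming no legitimate client depends on NTLM here.

# Deny all incoming NTLM authentication; Kerberos keeps working.
Set-ItemProperty -Path $lsaKey -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord

# Require EPA so a relayed NTLM exchange fails the channel-binding check.
Set-WebConfigurationProperty -PSPath $appHost -Location $Location -Filter $winAuth `
    -Name 'extendedProtection.tokenChecking' -Value 'Require'

# Drop the NTLM provider so IIS only negotiates Kerberos on this app.
if ($providers -contains 'NTLM') {
    Remove-WebConfigurationProperty -PSPath $appHost -Location $Location `
        -Filter "$winAuth/providers" -Name '.' -AtElement @{ value = 'NTLM' }
}
"Mitigations applied on ${Location}; run iisreset for the IIS changes to take effect."
```

Run it in audit mode first and turn on AuditReceivingNTLMTraffic (same registry key) for a while before denying NTLM, so you can see which clients would break. Requiring EPA rejects clients that do not send channel-binding tokens, and it only helps on the TLS-enabled site, so the enrollment pages must also require SSL. On domain controllers the NTLM restriction should be deployed through the corresponding Group Policy rather than by editing the registry by hand. None of this stops the EfsRpcOpenFileRaw coercion itself; it only removes the place where the relayed authentication pays off.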
