Microsoft Fixes PetitPotam Flaw


Microsoft released a patch for an attack called PetitPotam that could force remote Windows systems to reveal password hashes that could then be easily cracked. To thwart the attack, Microsoft recommends that system administrators stop using the now deprecated Windows NT LAN Manager (NTLM). Security researcher Gilles Lionel identified the bug and also published proof-of-concept (PoC) exploit code to demonstrate the attack. The next day, Microsoft issued an advisory that included workarounds to protect systems.

The PetitPotam bug affects the Windows operating system and abuses the remote access protocol called Encrypting File System Remote Protocol (MS-EFSRPC). The protocol is designed to let Windows systems access remote encrypted data stores, allowing the data to be managed while access control policies are enforced. The PetitPotam PoC is an attack against Microsoft's NTLM authentication system. An attacker uses the file-sharing protocol Server Message Block (SMB) to request access to a remote system's MS-EFSRPC interface. This request forces the targeted computer to initiate an authentication procedure and send its authentication details via NTLM.
Lionel demonstrated how a PetitPotam attack can be chained with an exploit targeting Windows Active Directory Certificate Services (AD CS), which provides public key infrastructure functionality. An attacker coerces a Domain Controller into sending its credentials over the MS-EFSRPC protocol and then relays the DC's NTLM credentials to the AD CS Web Enrollment pages to enroll a certificate for the DC. This gives the attacker an authentication certificate that can be used to access domain services as the DC and compromise the entire domain.

Microsoft outlined several mitigation options in response to this threat. Microsoft recommends disabling NTLM authentication on Windows domain controllers. It also advises enabling the Extended Protection for Authentication (EPA) feature on AD CS services. Microsoft added that organizations are vulnerable to a PetitPotam attack if NTLM authentication is enabled in their domains and/or they are using AD CS with the Certificate Authority Web Enrollment or Certificate Enrollment Web Service roles.
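As an added example (not code from the article or from Microsoft's advisory), the following PowerShell audit checks whether a host has the two mitigations above in place: incoming NTLM denied through the "Restrict NTLM: Incoming NTLM traffic" policy value, and EPA set to Require on the AD CS web enrollment application. The `Default Web Site/CertSrv` path and the presence of the IIS WebAdministration module are assumptions.

```powershell
# Added example: audit the PetitPotam mitigations named in Microsoft's advisory.
# Assumes IIS WebAdministration is installed on the AD CS host and that web
# enrollment is published under the default 'Default Web Site/CertSrv' path.
#Requires -RunAsAdministrator

function Test-IncomingNtlmRestricted {
    # The "Network security: Restrict NTLM: Incoming NTLM traffic" policy is stored
    # here: 0 = allow all, 1 = deny domain accounts, 2 = deny all accounts.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $item = Get-ItemProperty -Path $key -Name 'RestrictReceivingNTLMTraffic' -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.RestrictReceivingNTLMTraffic }  # unset = allow all
    [pscustomobject]@{
        Check  = 'Incoming NTLM denied on this host'
        Value  = $value
        Passed = ($value -eq 2)
    }
}

function Test-CertSrvExtendedProtection {
    param([string]$AppPath = 'IIS:\Sites\Default Web Site\CertSrv')  # assumed default path
    Import-Module WebAdministration -ErrorAction Stop
    # EPA for Windows Authentication lives in the extendedProtection element;
    # tokenChecking must be 'Require' for the relay to be rejected.
    $filter  = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    $element = Get-WebConfiguration -PSPath $AppPath -Filter $filter
    $token   = [string]$element.tokenChecking
    [pscustomobject]@{
        Check  = "EPA on $AppPath"
        Value  = $token
        Passed = ($token -eq 'Require')
    }
}

# Run both checks and exit non-zero if either mitigation is missing.
$results = @(Test-IncomingNtlmRestricted; Test-CertSrvExtendedProtection)
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }
```

The NTLM check is meaningful on domain controllers, where the advisory says incoming NTLM should be denied; run the EPA check on every server hosting AD CS web enrollment.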