VU#405600: Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks


Microsoft Windows Active Directory Certificate Services (AD CS) by default can be used as a target for NTLM relay attacks, which can allow a domain-joined computer to take over the entire Active Directory.


PetitPotam is a tool that forces Windows hosts to authenticate to other machines by using the Encrypting File System Remote (EFSRPC) EfsRpcOpenFileRaw method. When a system handles an EfsRpcOpenFileRaw request, it will by default use NTLM to authenticate to the host named in the file path given in that request. The user specified in the NTLM authentication information is the computer account of the machine that made the EfsRpcOpenFileRaw request.

The EfsRpcOpenFileRaw() function does not require credentials to be explicitly specified for it to be dispatched. Code running on any domain-joined system can trigger this function on a domain controller without knowing the credentials of the current user or of any other user in the Active Directory domain. And because the EfsRpcOpenFileRaw method authenticates as the machine dispatching the request, a user of any system connected to an AD domain can trigger an NTLM authentication request, as the domain controller machine account, to an arbitrary host without needing to know any credentials. This can allow for NTLM relay attacks.

One publicly-discussed target for an NTLM relay attack from a domain controller is a machine that hosts Microsoft AD ..
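A detection angle that follows from the behaviour described above: on the relay target (for example an AD CS host), a relayed coerced authentication appears as an NTLM network logon whose account is a domain controller's computer account but whose source address is not that domain controller. The following is an added example, not code from the advisory or from Microsoft; it assumes a constructed key=value rendering of Windows Security event 4624 (successful logon) and a constructed inventory of DC computer accounts and addresses.

```python
# Added example (not from the advisory): flag NTLM network logons on a relay
# target (e.g. an AD CS host) where the account is a domain controller's computer
# account but the connection does not originate from that DC. Event layout is a
# constructed key=value rendering of Windows Security event 4624, an assumption.
import re

# Constructed inventory of DC computer accounts and their known addresses (assumed).
DC_ACCOUNTS = {"DC01$": "10.0.0.10", "DC02$": "10.0.0.11"}

# Constructed sample events; not real Windows log output.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthPackage=NTLM Account=DC01$ SourceIP=10.0.0.10 Workstation=DC01",
    "EventID=4624 LogonType=3 AuthPackage=Kerberos Account=alice SourceIP=10.0.0.55 Workstation=WS55",
    "EventID=4624 LogonType=3 AuthPackage=NTLM Account=DC01$ SourceIP=10.0.0.99 Workstation=WS99",
    "EventID=4624 LogonType=3 AuthPackage=NTLM Account=WS42$ SourceIP=10.0.0.42 Workstation=WS42",
    "EventID=4625 LogonType=3 AuthPackage=NTLM Account=DC02$ SourceIP=10.0.0.77 Workstation=WS77",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Split one constructed key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))

def is_relayed_dc_logon(ev: dict) -> bool:
    """Successful (4624) NTLM network logon as a DC machine account from a non-DC address."""
    if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
        return False
    if ev.get("AuthPackage") != "NTLM":
        return False  # the coerced EFSRPC authentication is NTLM; Kerberos logons are not this pattern
    expected_ip = DC_ACCOUNTS.get(ev.get("Account", ""))
    if expected_ip is None:
        return False  # not a domain controller computer account
    return ev.get("SourceIP") != expected_ip

def find_relayed_dc_logons(lines) -> list:
    """Return (account, source_ip, expected_ip) for each suspicious event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_relayed_dc_logon(ev):
            findings.append((ev["Account"], ev["SourceIP"], DC_ACCOUNTS[ev["Account"]]))
    return findings

if __name__ == "__main__":
    for account, src, expected in find_relayed_dc_logons(SAMPLE_EVENTS):
        print(f"possible relayed DC authentication: {account} from {src}, expected {expected}")
```

In a real deployment the account and address inventory would come from the directory, and the same mismatch check can be run against the DC's own logs to spot the outbound coerced authentication.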
