A list of vulnerabilities or design flaws Microsoft does not intend to fix. Since the number is growing, I decided to make a list.
LPE = Local Privilege Escalation
DPE = Domain-wide Privilege Escalation
RCE = Remote Code Execution
| Vulnerability | CVE | Attack Type | It's NTLM again, right? | How it works in a nutshell |
|---|---|---|---|---|
| SpoolSample | works as designed | Coerce authentication, Coerce target: other computer or localhost, LPE |
yes | SpoolSample abuses a functionality of the MS-RPRN (the print system remote protocol) to coerce target A to authenticate to a destination of the attackers choosing (target B). This destination usually is another host running an NTLM relay tool (like ntlmrelayx or inveigh), which in turn relays the target A to the final target, target C. The permissions of target A are then used to execute stuff (e.g. make me domain admin, configure RBCD, add a user, etc...) on target C. A common exampel of target C is the LDAP service of a domain controller. Update: I just learned that this can also be abused for local privilege escalation. Have a look at the second link. https://github.com/leechristensen/SpoolSample https://twitter.com/tifkin_/status/1420076325151272960 |
| PetitPotam | works as designed | Coerce authentication, Coerce target: other computer | yes | PetitPotam is similar to SpoolSample but uses another protocol (MS-EFSRPC). Another benefit of PetitPotam is that you can force the protocol target A uses to authenticate to target B (see SpoolSample explanation) to HTTP. However for this to work, the WebClient service needs to run on target A, which might be not a big deal on clients but the service is not installed by default on servers. So as far as I understand, your probably stuck with SMB when it comes to servers. @tifkin_ explains this nicely in a twitter thread (see references), so maybe have a look at that. Update: I just learned that this can also be abused for local privilege escalation. Have a look at the third link. https://github.com/topotam/PetitPotam https://msrc.microsoft.com/update-guide/vulnerability/ADV210003 https://twitter.com/tifkin_/status/1418855927575302144 https://twitter.com/tifkin_/status/1420076325151272960 |
| RemotePotato0 | works as designed | Coerce Authentication, Coerce target: different user logged in on same machine as attacker | yes | This attack can coerce authentication from another user session on the attackers machine to an attacker controlled target. Common scenario would be: unprivileged attacker is logged onto a machine. privileged user logs onto that machine with RDP. attacker triggers authentication in the privileged session to another, attacker controlled host. From thereone it's classic NTLM relay again. https://github.com/antonioCoco/RemotePotato0 |
| SeriousSAM | CVE-2021-36934 | LPE | Kind of | Due to weak default ACLs on the SAM and SYSTEM files, these files can be accessed by unprivileged users through volume shadow copies. Sidenote: there's a read lock on the SAM file while in use, therefore you need the volume shadow copy access path cause you can't read it directly. An unprivileged user can extract the local admin's password hash and use this to elevate local privileges (see @shitsecure's github repo for tooling). They will definetely fix this but I guess we will be stuck with the insecure shadow copies. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH |
| PrintNightmare | CVE-2021-34527, CVE-2021-34527 | RCE and LPE | No | A vulnerability in the print spooler allows an attacker to introduce a malicious DLL that will be executed by the spooler service. This can be used for remote code execution as well as local privilege escalation. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 https://twitter.com/gentilkiwi/status/1416429891592011781 https://github.com/cube0x0/CVE-2021-1675 |
| ADCS - ESC8 | works as designed | DPE | Hell yeah | The web interface of the Active Directory Certificate Services allows NTLM authentication by default and does not enforce relay mitigations (also by default). Therefore you can relay an authentication to that webinterface and request a certificate in the name of the relayed account. E.g. you relay the DC (using PetitPotam for example) and get a DC certificate. https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb#rpc-to-rce-steps |