On July 23rd, French researcher Gilles Lionel (aka Topotam) published a new NTLM relay coercion technique called "PetitPotam". It achieves the same effect as the earlier PrinterBug attack on the Windows Print Spooler, forcing a Windows server to authenticate to an attacker-controlled host, but without relying on the Microsoft Print System Remote Protocol (MS-RPRN) or the Print Spooler service at all. Instead, PetitPotam abuses a function in Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC), the protocol used for maintenance and management operations on encrypted data that is stored remotely and accessed over a network. The MS-EFSRPC interface is exposed by default on Windows machines, and disabling the EFS service does not prevent the attack from succeeding.
A malicious actor can chain this coercion with an NTLM relay to gain full control of a Windows domain controller and, with it, the entire Windows domain. Lionel, in an interview with BleepingComputer, said he does not see this as a vulnerability but rather as the abuse of a legitimate function.
Proof-of-concept (PoC) code is publicly available on GitHub, so this exploit is rated Critical.
Full control of a Windows domain controller grants access to every device, database, folder and file in the domain, putting the entire network at risk.
This attack relies on a legitimate function native to Windows (MS-EFSRPC) and is not, strictly speaking, a vulnerability. By calling the EfsRpcOpenFileRaw function of the MS-EFSRPC interface with a file path that points at an attacker-controlled host, an attacker can make the target server, including a domain controller, authenticate to that host with its machine account over NTLM. The attacker does not need any control of the server beforehand; the server is the victim of the coercion, and the NTLM authentication it sends is then relayed to another service. In the primary scenario the coerced SMB authentication is relayed to the HTTP certificate-enrollment endpoint of Active Directory Certificate Services, yielding a certificate for the domain controller's machine account. Lionel also notes that the same coercion can be used for other attacks, such as an NTLMv1 downgrade, or relaying the machine account to computers where that machine account is a local administrator (SCCM and Exchange servers are often in this situation).
In the proof-of-concept code on GitHub, the C version uses the Windows RPC runtime (rpcrt4.dll, the Remote Procedure Call Runtime) to bind to the EFSRPC interface and invoke EfsRpcOpenFileRaw on the target; the Python version makes the same call through impacket. The two listings below were shown as images on the original page:
[Figure: the EfsRpcOpenFileRaw function prototype in C]
[Figure: calling EfsRpcOpenFileRaw from the Python script]
Microsoft has released an advisory on the PetitPotam attack with the following guidance:
You are potentially vulnerable to this attack if NTLM authentication is enabled in your domain and you are using Active Directory Certificate Services (AD CS) with either of the following services:
- Certificate Authority Web Enrollment
- Certificate Enrollment Web Service
INDICATORS OF COMPROMISE
No indicators are available at this time.
Since this attack relies on a legitimate function, there is at present no verified way to prevent calls to EfsRpcOpenFileRaw in the MS-EFSRPC interface. What you can do is "harden the HTTP service of the PKI to avoid the NTLM relay."
Stopping the EFS service alone will not prevent the attack.
Because the attack uses a valid function of a supported API, Microsoft is not treating it as a patchable bug and has instead published mitigations. It is recommended that you apply the mitigation steps provided by Benjamin Delpy, the creator of mimikatz, listed below, to prevent the NTLM relay, or disable NTLM altogether and use Kerberos.
- Remove Web Enroll (you really don't need it - use RPC)
- Remove or Disable Nego/NTLM, use Kerberos !
- Try Extended Protection for Authentication with SSL (because yes, the PKI WebServer does not have a certificate by default)
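The exposure conditions in Microsoft's advisory above and Delpy's three steps, as an added PowerShell example. This is not code from the original page or from the PetitPotam repository. It assumes the Certificate Authority Web Enrollment application sits at the default IIS location Default Web Site/CertSrv, uses the WebAdministration and ServerManager modules that ship with Windows Server, and the function names Get-CertSrvRelayExposure and Set-CertSrvRelayHardening are my own. The audit reports the settings that matter for the relay; the hardening step requires SSL, sets Extended Protection to Required, leaves only Negotiate:Kerberos as an authentication provider, and optionally denies inbound NTLM on the AD CS host. The Certificate Enrollment Web Service runs as a separate IIS application with its own web.config and is not covered here.

```powershell
# Added example: audit and harden AD CS Web Enrollment (CertSrv) against NTLM relay.
# Run in an elevated PowerShell on the AD CS server. Assumption: web enrollment
# lives at the default IIS location below; adjust $Location if yours differs.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$PSPath   = 'MACHINE/WEBROOT/APPHOST'
$Location = 'Default Web Site/CertSrv'
$WinAuth  = 'system.webServer/security/authentication/windowsAuthentication'
$MsvKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Get-WebConfigurationProperty returns a ConfigurationAttribute for enum/flags
# attributes and a plain value for others; normalise to the plain value.
function Get-AttrValue($attr) {
    if ($null -ne $attr -and $attr.PSObject.Properties['Value']) { $attr.Value } else { $attr }
}

function Get-CertSrvRelayExposure {
    $features  = Get-WindowsFeature -Name ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc
    $sslFlags  = Get-AttrValue (Get-WebConfigurationProperty -PSPath $PSPath -Location $Location `
                    -Filter 'system.webServer/security/access' -Name 'sslFlags')
    $epa       = Get-AttrValue (Get-WebConfigurationProperty -PSPath $PSPath -Location $Location `
                    -Filter "$WinAuth/extendedProtection" -Name 'tokenChecking')
    $providers = @((Get-WebConfiguration -PSPath $PSPath -Location $Location `
                    -Filter "$WinAuth/providers/add").value)
    $ntlmIn    = (Get-ItemProperty $MsvKey -Name RestrictReceivingNTLMTraffic `
                    -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic

    [pscustomobject]@{
        InstalledAdcsWebFeatures = (($features | Where-Object Installed).Name) -join ','
        RequireSsl               = ("$sslFlags" -match 'Ssl')
        ExtendedProtection       = "$epa"                      # want: Require
        AuthProviders            = $providers -join ','        # want: Negotiate:Kerberos only
        NtlmOfferedOnEndpoint    = [bool]($providers | Where-Object { $_ -in 'NTLM', 'Negotiate' })
        IncomingNtlmPolicy       = switch ($ntlmIn) { 2 { 'Deny all' } 1 { 'Deny domain accounts' }
                                                      default { 'Allow all (policy not set)' } }
    }
}

function Set-CertSrvRelayHardening {
    param([switch]$DenyInboundNtlmOnHost)

    # Delpy's step 3: require TLS so Extended Protection has a channel to bind the token to.
    Set-WebConfigurationProperty -PSPath $PSPath -Location $Location `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    # EPA "Required": a relayed NTLM token carries the attacker's channel binding, not the victim's.
    Set-WebConfigurationProperty -PSPath $PSPath -Location $Location `
        -Filter "$WinAuth/extendedProtection" -Name 'tokenChecking' -Value 'Require'
    # Delpy's step 2: drop NTLM and plain Negotiate (which can fall back to NTLM); keep Kerberos only.
    foreach ($p in 'NTLM', 'Negotiate') {
        Remove-WebConfigurationProperty -PSPath $PSPath -Location $Location `
            -Filter "$WinAuth/providers" -Name '.' -AtElement @{ value = $p } -ErrorAction SilentlyContinue
    }
    $current = @((Get-WebConfiguration -PSPath $PSPath -Location $Location -Filter "$WinAuth/providers/add").value)
    if ($current -notcontains 'Negotiate:Kerberos') {
        Add-WebConfigurationProperty -PSPath $PSPath -Location $Location `
            -Filter "$WinAuth/providers" -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
    }
    # Host-wide equivalent of "Restrict NTLM: Incoming NTLM traffic = Deny all accounts".
    # Audit first (AuditReceivingNTLMTraffic = 2) before enabling this on a production CA.
    if ($DenyInboundNtlmOnHost) {
        Set-ItemProperty $MsvKey -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord
    }
    # Delpy's step 1, if you can live without the web UI entirely:
    #   Uninstall-WindowsFeature -Name ADCS-Web-Enrollment
}

Get-CertSrvRelayExposure | Format-List
# Set-CertSrvRelayHardening            # apply, then re-run Get-CertSrvRelayExposure to confirm
```

After hardening, re-run the audit and expect RequireSsl True, ExtendedProtection Require and AuthProviders Negotiate:Kerberos; if the CertSrv site has no TLS binding yet, the Require SSL change will lock legitimate clients out until one is added, which is exactly the "no certificate by default" caveat in Delpy's third step.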
- Stephen Jones, Senior Director Cybersecurity
- Maximo Bredfeldt, vCISO
- Susan Verdin, Cybersecurity Analyst