11.08.2021 - Update: after all, this might become at least a "we-fixed-most-of-this"-list. We've got a patch for PetitPotam, SeriousSAM and various versions of Print Nightmare, though not for all of them yet. Well...
02.08.2021 - Update: thank you all for your feedback :-) This list was intended to be a summary of what happened in July 2021 and I decided I'll keep it that way, because I honestly think I don't have the energy to maintain an up-to-date list of ALL won't fixes Microsoft has to offer. So I'll keep this remark here for clarity and change the description.
A list of vulnerabilities or design flaws Microsoft does not intend to fix. Since the number is growing, I decided to make a list.
LPE = Local Privilege Escalation
DPE = Domain-wide Privilege Escalation
RCE = Remote Code Execution
Vulnerability | CVE | Attack Type | It's NTLM again, right? | How it works in a nutshell |
---|---|---|---|---|
SpoolSample | works as designed | Coerce authentication, Coerce target: other computer or localhost, LPE | yes | SpoolSample abuses a functionality of the MS-RPRN (the print system remote protocol) to coerce target A to authenticate to a destination of the attacker's choosing (target B). This destination usually is another host running an NTLM relay tool (like ntlmrelayx or inveigh), which in turn relays the target A to the final target, target C. The permissions of target A are then used to execute stuff (e.g. make me domain admin, configure RBCD, add a user, etc...) on target C. A common example of target C is the LDAP service of a domain controller. Update: I just learned that this can also be abused for local privilege escalation. Have a look at the second link. https://github.com/leechristensen/SpoolSample https://twitter.com/tifkin_/status/1420076325151272960 |
PetitPotam | CVE-2021-36942 | Coerce authentication, Coerce target: other computer | yes | PetitPotam is similar to SpoolSample but uses another protocol (MS-EFSRPC). Another benefit of PetitPotam is that you can force the protocol target A uses to authenticate to target B (see SpoolSample explanation) to HTTP. However, for this to work, the WebClient service needs to run on target A, which might not be a big deal on clients, but the service is not installed by default on servers. So as far as I understand, you're probably stuck with SMB when it comes to servers. @tifkin_ explains this nicely in a Twitter thread (see references), so maybe have a look at that. Update: I just learned that this can also be abused for local privilege escalation. Have a look at the third link. https://github.com/topotam/PetitPotam https://msrc.microsoft.com/update-guide/vulnerability/ADV210003 https://twitter.com/tifkin_/status/1418855927575302144 https://twitter.com/tifkin_/status/1420076325151272960 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942 |
RemotePotato0 | works as designed | Coerce Authentication, Coerce target: different user logged in on same machine as attacker | yes | This attack can coerce authentication from another user session on the attacker's machine to an attacker-controlled target. A common scenario would be: an unprivileged attacker is logged onto a machine. A privileged user logs onto that machine with RDP. The attacker triggers authentication in the privileged session to another, attacker-controlled host. From there on it's classic NTLM relay again. https://github.com/antonioCoco/RemotePotato0 |
SeriousSAM | CVE-2021-36934 | LPE | Kind of | Due to weak default ACLs on the SAM and SYSTEM files, these files can be accessed by unprivileged users through volume shadow copies. Sidenote: there's a read lock on the SAM file while in use, therefore you need the volume shadow copy access path because you can't read it directly. An unprivileged user can extract the local admin's password hash and use this to elevate local privileges. This could be done using PTH from another host or if you already have control over a process running as Local Service/Network Service then you could use @shitsecure's tool (see 3rd link). They will definitely fix this but I guess we will be stuck with the insecure shadow copies. Update 11.08.2021: and that's exactly how it happened. See MSRC link for more info. https://twitter.com/jonasLyk/status/1417205166172950531 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH |
PrintNightmare | CVE-2021-1675(RCE), CVE-2021-34527(RCE), CVE-2021-34481(LPE), CVE-2021-34483(LPE), CVE-2021-36936(RCE), CVE-2021-36947(RCE) | RCE and LPE | No | A vulnerability in the print spooler allows an attacker to introduce a malicious DLL that will be executed by the spooler service. This can be used for remote code execution as well as local privilege escalation. I assume they will actually fix these since CVEs are assigned. Furthermore, I am of the opinion that the printer spooler needs to lose its SYSTEM rights! https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 https://twitter.com/gentilkiwi/status/1416429891592011781 https://github.com/cube0x0/CVE-2021-1675 |
ADCS - ESC8 | works as designed | DPE | Hell yeah | The web interface of the Active Directory Certificate Services allows NTLM authentication by default and does not enforce relay mitigations (also by default). Therefore you can relay an authentication to that web interface and request a certificate in the name of the relayed account. E.g. you relay the DC (using PetitPotam for example) and get a DC certificate. https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb#rpc-to-rce-steps |
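
An audit check for the weak SAM/SYSTEM ACLs described in the SeriousSAM row, added here as an example (not part of the original list or any tool it links): it parses `icacls` output collected for the SAM or SYSTEM file and reports allow-entries that let unprivileged users read it. The function name, the English principal names and both sample outputs are assumptions constructed for illustration.

```python
import re

# English principal names (assumption: non-localized Windows); every
# unprivileged local user is a member of these groups.
LOW_PRIV = {"builtin\\users", "everyone", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls simple and specific rights that permit reading file data.
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "GA", "RD"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^()]+\))+)\s*$")

def readable_by_low_priv(icacls_output, path):
    """Return [(principal, right), ...] for allow-ACEs that let
    unprivileged users read `path` (hypothetical helper name)."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        # icacls prints the file path in front of the first ACE only.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        tokens = []
        for group in re.findall(r"\(([^()]+)\)", m["flags"]):
            tokens.extend(t.strip() for t in group.split(","))
        if "DENY" in tokens:
            continue  # deny entries do not grant access
        who = m["who"].strip()
        if who.lower() in LOW_PRIV:
            findings.extend((who, t) for t in tokens if t in READ_RIGHTS)
    return findings

PATH = r"C:\Windows\System32\config\SAM"
# Constructed sample outputs: weak default ACL vs. ACL without the Users entry.
VULNERABLE = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files"""
HARDENED = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for name, out in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, readable_by_low_priv(out, PATH))
```

A clean result for the live file does not cover shadow copies created while the weak ACL was in place, which is the access path the row describes.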