
I recently found an article about the Hot Potato vulnerability and it seemed quite interesting.

Using this technique, we can elevate our privilege on a Windows workstation from the lowest levels to “NT AUTHORITY\SYSTEM” – the highest level of privilege available on a Windows machine.

The exploit basically consists of three aspects:

  1. Local NBNS Spoofer
  2. Fake WPAD Proxy Server
  3. HTTP -> SMB NTLM Relay

I'm specifically interested in this vulnerability on Windows Server 2012 (R2). The exploit makes use of an automatic update mechanism that downloads certificate trust lists (CTLs) on a daily basis.

The researchers said that using SMB (Server Message Block) signing may theoretically block the attack. Another method to stop the NTLM relay attack is by enabling “Extended Protection for Authentication” in Windows.

My question is: has either of the two mitigations suggested by the researchers been applied automatically as a patch/fix through Windows Update since the initial vulnerability was released? I think that was somewhere in the beginning of 2016.

Note: It's ironic that the introduction of a daily update of CTLs, which is meant to improve security, introduces a massive privilege escalation vulnerability.

Bob Ortiz

1 Answer


No, SMB signing and/or EPA must be changed at the policy level -- either local policy and/or Group Policy. There is no patch that properly covers all NTLM relay attacks. The other worry is JASBUG, which requires SMB signing and/or EPA along with a UNC Path Hardening policy.

See https://security.stackexchange.com/a/139578/140 for more information on both.

atdre
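Since the answer says these mitigations only take effect through policy, a defender's first step is to check whether they are actually in force on a given host. The following audit script is an added example, not code from the question or answer; it assumes an elevated PowerShell session on Windows Server 2012 R2 or later, and uses the standard SMB cmdlets and the registry locations these policies write to (`Lsa\SuppressExtendedProtection` for EPA and `NetworkProvider\HardenedPaths` for UNC Path Hardening), none of which appear on the page itself.

```powershell
# Added audit script (not from the original Q&A): report whether the three
# policy-level NTLM relay mitigations named in the answer are in effect here.
# Assumes an elevated PowerShell prompt on Windows Server 2012 R2 or later.

function Get-RelayMitigationState {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $unc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

    # 1. SMB signing: both client and server must *require* signatures;
    #    "enabled but not required" still lets a relayed session run unsigned.
    $smbClient = (Get-SmbClientConfiguration).RequireSecuritySignature
    $smbServer = (Get-SmbServerConfiguration).RequireSecuritySignature

    # 2. Extended Protection for Authentication (channel binding).
    #    SuppressExtendedProtection absent or 0 means EPA is not suppressed at
    #    the LSA level; individual services (IIS, etc.) must still opt in.
    $sep = (Get-ItemProperty -Path $lsa -Name SuppressExtendedProtection `
            -ErrorAction SilentlyContinue).SuppressExtendedProtection
    $epaNotSuppressed = ($null -eq $sep) -or ($sep -eq 0)

    # 3. UNC Path Hardening (the "JASBUG" fix): SYSVOL and NETLOGON should
    #    carry RequireMutualAuthentication=1, RequireIntegrity=1.
    $hardened = @{}
    if (Test-Path $unc) {
        $props = Get-ItemProperty -Path $unc
        foreach ($p in '\\*\SYSVOL', '\\*\NETLOGON') {
            $hardened[$p] = $props.PSObject.Properties[$p].Value
        }
    }

    [PSCustomObject]@{
        SmbClientRequiresSigning = [bool]$smbClient
        SmbServerRequiresSigning = [bool]$smbServer
        EpaNotSuppressed         = $epaNotSuppressed
        UncHardenedSysvol        = $hardened['\\*\SYSVOL']
        UncHardenedNetlogon      = $hardened['\\*\NETLOGON']
    }
}

$state = Get-RelayMitigationState
$state | Format-List
if (-not ($state.SmbClientRequiresSigning -and $state.SmbServerRequiresSigning)) {
    Write-Warning 'SMB signing is not required on both client and server; set "Digitally sign communications (always)" for both via local or Group Policy.'
}
if (-not $state.UncHardenedSysvol -or -not $state.UncHardenedNetlogon) {
    Write-Warning 'UNC Hardened Paths for \\*\SYSVOL and \\*\NETLOGON are not configured.'
}
```

A clean result shows all three booleans as True and both hardened-path values populated; anything else points to a setting that Windows Update alone will not have changed.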