There’s a Severe Privilege Escalation Vulnerability in Windows RPC Protocol That Microsoft Won’t Fix

guest · Apr 27, 2021

There’s a Severe Privilege Escalation Vulnerability in Windows RPC Protocol That Microsoft Won’t Fix
April 27, 2021
https://www.technadu.com/severe-pri...indows-rpc-protocol-microsoft-not-fix/269418/

SentinelOne researchers have found what they call a “permanent zero-day” privilege escalation on Windows RPC.

The discovery and initial report happened back in November 2020, but Microsoft decided not to address this.

There are some mitigations that can be applied to harden your server, which will do the trick even without a patch.

Click to expand...

Researchers at SentinelOne warn about a severe privilege escalation flaw affecting all Windows systems, which is reportedly not in Microsoft’s patching plans. According to the detailed write-up of the Italian researchers who have made the discovery, it is practically possible to trigger an authenticated RPC/DCOM call and relay the NTLM authentication to other protocols, launching a man-in-the-middle (MITM) attack and capture everything that flies back and forth.

For this to work, it would be enough for the attacker to be a low-privileged user with limited rights on the target machine.
Click to expand...

If you’re wondering why Microsoft isn’t planning to fix this, the official explanation is that “Servers must defend themselves against NTLM relay attacks,” so the software giant finds this to be outside the scope of its responsibility.
Click to expand...

EASTER · Apr 27, 2021

Along with other existing "outside the scope of its responsibility" vulnerabilities already known and yet undiscovered.
What a champ of a Tech Company.

Floyd 57 · Apr 28, 2021

Apparently this has been known for a year?

https://www.reddit.com/r/netsec/comments/ghpdxn/no_more_juicypotato_old_story_welcome_roguepotato/
https://www.reddit.com/r/blackhat/comments/ghqv9c/no_more_juicypotato_old_story_welcome_roguepotato/

11 months.

https://github.com/antonioCoco/RoguePotato

The official blog https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/ says 11/5, so almost a year.

I sent an email to 0patch to ask em. Normally they do not respond to free customers, but Im lucky I guess. Will update when they respond

Floyd 57 · Apr 29, 2021

Hmm apparently, they might not have known of this. Or they are still trying to figure it out? Unlikely, been a year now.

Also he asks me if i'm affected, but as far as I understand, isn't everyone

Log in or Sign up

There’s a Severe Privilege Escalation Vulnerability in Windows RPC Protocol That Microsoft Won’t Fix

guest Guest

EASTER Registered Member

Floyd 57 Registered Member

Floyd 57 Registered Member

Log in or Sign up

There’s a Severe Privilege Escalation Vulnerability in Windows RPC Protocol That Microsoft Won’t Fix

guest Guest

EASTER Registered Member

Floyd 57 Registered Member

Floyd 57 Registered Member

Useful Searches