Another Critical Active Directory Certificate Services NTLM Relay Vulnerability allows for Domain Takeover (DFSCoerce, Critical)

Reading Time: 3 minutes

This week, new Proof of Concept code was publicly published to coerce a Certificate Authority (CA) to authenticate the domain controller using NTLM. This vulnerability was named DFSCoerce and has been published by Filip Dragovic. It is another vulnerability in the PetitPotam (or PrintNightmare) family of vulnerabilities, and is as difficult to mitigate as former members of this family.

The PetitPotam family of vulnerabilities

PetitPotam is a fictional hippopotamus, living with his family in the village of Barbotam. He is the hero of a series of books, published between 1967 and 1987. When security researcher Gilles Lionel (aka Topotam) disclosed the attack vector in July 2021, the reference to the hippopotamus was happily made, unknowing that the vulnerability would indeed turn out to be a colossal factor in discovering and disclosing many other critical vulnerabilities. A hippopotamus, not just by name…

The attack vector is a seven stage attack:

  1. Trigger NTLM authentication to a domain controller
  2. Use (or similar tool) to relay to Active Directory Certificate Services (AD CS)
  3. Obtain a certificate by coercing the Certificate Authority (CA) to authenticate the domain controller using NTLM
  4. Import the certificate into kekeo (or similar tool) and request a Ticket Granting Ticket (TGT)
  5. Use mimikatz to perform a DCSync attack.
  6. Dump the LSA secret for the built-in domain administrator or krbtgt account.
  7. Use wmiexec to perform a Pass-the-Hash attack

This attack allows for instant Privilege Escalation from low privileged user to domain administrator.

Most of these steps and tools have been common practices for security researchers and penetration testers. However, based on the research from @harmj0y and @tifkin_ on AD CS labelled ESC8 for step 2 and the MS-RPRN exploit from the Print Nightmare family of vulnerabilities, Gilles Lionel publicly showed something new with PetitPotam (CVE-2021-36942) for step 3. He abused the EFSRPC protocol and its EfsRpcOpenFileRaw function to coerce the CA to authenticate the domain controller.

Where the Print Nightmare family of vulnerabilities was fairly easy to mitigate in environments by disabling the Print Spooler service everywhere, PetitPotam seems to give admins more headaches, because of the sheer configuration changes needed to implement the Microsoft recommended mitigations as part of KB5005413.

Since Print Nightmare, several other security researchers have shared research on ways to perform step 3:

  • PrintNightmare (CVE-2021-1675 and CVE-2021-34527) by Zhipeng Huo, Piotr Madej, Yunhai Zhang, Zhiniang Peng, Xuefeng Li and others, abusing the MS-RPRN protocol
  • PetitPotam (CVE-2021-36942) by Gilles Lionel, abusing the MS-EFSRPC protocol
  • ShadowCoerce by Charlie Bromberg, abusing the MS-FSRVP protocol
  • DFSCoerce by Filip Dragovic, abusing the MS-DFSNM protocol

The latest in this list is DFSCoerce by Filip Dragovic.

Mitigating DFSCoerce and other NTLM Relay attacks to Certification Authorities

Against the DFSCoerce vulnerability, Microsoft refers to the information in KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) as the steps in that document prevent steps 1-3 of the attack vector:

  1. Enabling Extended Protection for Authentication (EPA) on the Certificate Authority Web Enrollment and Certificate Enrollment Web Service websites on Windows Server installations running Active Directory Certificate Services (AD CS), and;
  2. Requiring the use of HTTPS within IIS on Windows Server installations running Active Directory Certificate Services (AD CS).

As an additional mitigation, Microsoft recommends to disable NTLM on domain controllers, Certification Authorities and for IIS on these Certification Authorities.

Call to action

When the previous vulnerabilities in the PetitPotam (or PrintNightmare) family of vulnerabilities haven’t spurred you to action yet, then let this 4th vulnerability be your wake-up call.

It’s time to securely configure your Active Directory Certificate Services (AD CS) installations and to start thinking about detecting legitimate uses of NTLM within your organization and disabling NTLM everywhere else.

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.