All popular versions of Windows are vulnerable to a 0-day known as RemotePotato0, which allows an attacker to escalate privileges until they obtain domain administrator permissions.

Discovered last April by SentinelOne researchers Antonio Cocomazzi and Andrea Pierini, the bug still has no official fix (according to BleepingComputer, Microsoft itself declined to provide one). Several unofficial patches that fix RemotePotato0 are, however, available.

RemotePotato0 finally has a fix (albeit unofficial)

The flaw is based on an NTLM relay attack, which lets the attacker trigger authenticated calls via RPC/DCOM. By relaying the NTLM authentication over other protocols, it is possible to obtain elevated permissions on the targeted domain, essentially becoming a domain administrator.

0patch co-founder Mitja Kolsek described the attack as follows on the company's official blog:

“[The flaw] allows an attacker who is logged on with limited privileges to start one of several malicious applications in the session of any other user who is logged on to the same computer at the same time, and have the application send that user’s NTLM hash to an IP address chosen by the attacker. By intercepting an NTLM hash from a domain administrator, the attacker can create his own request to the domain controller, pretending to be that administrator, and perform administrative actions such as joining the Domain Administrators group.”

NTLM (Windows NT LAN Manager) is an old authentication protocol whose successor is Kerberos. It is nevertheless still widely used despite being obsolete; this may be why Microsoft refused to develop a patch for RemotePotato0, recommending instead that NTLM be disabled or that Windows servers be configured to block NTLM relay attacks on their own. The decision, while justifiable, is risky because the exploit requires no interaction from the victim.
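The two mitigations Microsoft is reported to recommend, disabling NTLM and hardening servers against relay, are both expressed through Windows policy settings that live in the registry. The following PowerShell script is an added example, not code from the article, 0patch or Microsoft: it reads the documented policy locations for NTLM restriction, SMB signing and LDAP signing on the local host and reports whether each matches a relay-resistant value. The "expected" values are this example's own assumptions about a strict configuration, not a statement about what RemotePotato0 specifically requires; run it elevated on each server you want to audit.

```powershell
# Added example (not from the article): audit the registry-backed policy settings
# behind the mitigations the article mentions (restricting NTLM and hardening
# servers against NTLM relay). Paths and value names are the documented Windows
# policy locations; the Expected values are this example's assumed "strict" targets.

$checks = @(
    @{ Name     = 'LAN Manager authentication level (5 = send NTLMv2 only, refuse LM and NTLM)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'LmCompatibilityLevel'
       Expected = 5 },
    @{ Name     = 'Restrict outgoing NTLM traffic to remote servers (2 = deny all)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value    = 'RestrictSendingNTLMTraffic'
       Expected = 2 },
    @{ Name     = 'Restrict incoming NTLM traffic (2 = deny all accounts)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value    = 'RestrictReceivingNTLMTraffic'
       Expected = 2 },
    @{ Name     = 'SMB server: digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value    = 'RequireSecuritySignature'
       Expected = 1 },
    @{ Name     = 'LDAP server signing requirement (2 = require signing; domain controllers only)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value    = 'LDAPServerIntegrity'
       Expected = 2 }
)

$results = foreach ($c in $checks) {
    $actual = $null
    if (Test-Path -Path $c.Path) {
        # Get-ItemProperty returns $null for the property when the value is absent,
        # which we report as "(not set)" rather than treating it as compliant.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.$($c.Value) }
    }
    [pscustomobject]@{
        Check    = $c.Name
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Expected = $c.Expected
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    }
}

$results | Format-Table -Property Status, Check, Actual, Expected -AutoSize
```

A "REVIEW" result is a prompt to compare the host against your organisation's own NTLM policy, not proof of misconfiguration: as the article notes, turning NTLM off outright breaks environments that still depend on it, and the LDAP signing check only applies on domain controllers.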

How to fix it, then, if you do not want to give up NTLM? The only option, while waiting for a different response from the Redmond company, is to create a 0patch account and install 0patch Agent, a platform designed to fix problems in software and services that are no longer supported. The 0patch fix for RemotePotato0 is available for all versions of Windows from Windows 7 to Windows 10, and from Windows Server 2008 up to Windows Server 2019.

