There is a new security flaw affecting the widely-used Windows versions dubbed RemotePotato0. The flaw has no CVE tracking ID because Microsoft refuses to fix it. But the third-party zero-day security solution company 0patch has released an update on its software to fix the vulnerability.
The potato is around for a while
RemotePotato0 was first discovered 9 months ago; on April 2021 by SentinelOne researchers. The vulnerability allows attackers with standard privileges to elevate their account to higher tiers, like Admin. Converting a standard account to admin opens the door to endless possibilities of attack surfaces, which makes it a very important and dangerous flaw.
0patch has shown the attack and its mitigation via software with a video. In the first part of the video, you can see the user is a standard domain user. After the deployment of the RemotePotato0.exe file via command lines, the standard domain user also becomes an enterprise admin. In the second half of the video, 0patch shows their software denying this process.
Mitja Kolsek, co-founder of 0patch said:
« RemotePotato0 flaw allows a logged-in low-privileged attacker to launch one of several special-purpose applications in the session of any other user who is also currently logged in to the same computer, and make that application send said user’s NTLM hash to an IP address chosen by the attacker. Intercepting an NTLM hash from a domain administrator, the attacker can craft their own request for the domain controller pretending to be that administrator and perform some administrative action such as adding themselves to the Domain Administrators group. »
Microsoft’s refusal of the fix for the flaw is somehow understandable. Windows NT Lan Manager (NTLM) is an old protocol and seems like Microsoft wants to abandon it. NTLM is still used generally for backward compatibility. Microsoft advises users to disable it if it is not needed. However, the protocol is still being commonly used on several Windows versions, including Windows 7 and Windows 10.