The vulnerability, named RemotePotato0 by SentinelLABS researcher Antonio Cocomazzi and independent researcher Andrea Pierini, who found and disclosed it in April 2021, is a zero-day flaw (by Microsoft's own definition) that has not yet received a CVE ID after Redmond declined to issue a fix.

The flaw lets an attacker trigger authenticated RPC/DCOM calls and relay the resulting NTLM authentication to other protocols, elevating privileges up to domain administrator and potentially leading to a full domain compromise.

Notably, the flaw lets a low-privileged user launch one of several special-purpose applications in the session of any other user currently logged in to the same machine and have that application send that user's NTLM authentication (the challenge-response exchange commonly referred to as the NTLM hash) to an IP address chosen by the attacker.

By capturing the NTLM authentication of a domain administrator, the attacker can relay it to the domain controller, posing as that administrator and performing administrative actions such as adding an account to the Domain Admins group. On a workstation, however, the attacker must trick a user with administrator privileges into logging in during the attack for the exploit to succeed.

Notably, the researchers say this is much easier on Windows Server systems, where multiple users, including administrators, are often logged in at the same time; that removes the social engineering requirement, so the vulnerability is expected to be exploited more on Windows servers.
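The two conditions the attack depends on, as described above, are other interactive sessions on the same host (the victims whose authentication is coerced) and a domain controller that will accept relayed NTLM authentication over LDAP. The following PowerShell check is an added example, not code from the article or from the RemotePotato0 researchers: it lists other interactive sessions on the host it runs on and, when that host is a domain controller, reports whether LDAP signing and LDAPS channel binding are enforced. It assumes an elevated session; the registry value names and their meanings follow Microsoft's documented LDAP hardening settings, and the defaults are assumed where a value is absent.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
# Part 1: who else is logged on interactively to this host (potential relay victims).
# Part 2: on a domain controller, are the LDAP-side relay mitigations enforced?
# Registry names/values are Microsoft's documented LDAP hardening settings; defaults
# are assumed when the value does not exist.

function Get-OtherInteractiveSessions {
    # LogonType 2 = Interactive (console), 10 = RemoteInteractive (RDP)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $sessions = Get-CimInstance -ClassName Win32_LogonSession -Filter 'LogonType = 2 OR LogonType = 10'
    foreach ($s in $sessions) {
        $accounts = Get-CimAssociatedInstance -InputObject $s -Association Win32_LoggedOnUser
        foreach ($a in $accounts) {
            $name = "$($a.Domain)\$($a.Name)"
            if ($name -ne $me) {
                [pscustomobject]@{ User = $name; LogonType = $s.LogonType; LogonId = $s.LogonId }
            }
        }
    }
}

function Get-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # value absent: assume the documented default
    return [int]$item.$Name
}

function Test-LdapRelayMitigations {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    # LDAPServerIntegrity: 1 = None (default), 2 = Require signing
    $signing = Get-RegistryDword -Path $ntds -Name 'LDAPServerIntegrity' -Default 1
    # LdapEnforceChannelBinding: 0 = Never (default), 1 = When supported, 2 = Always
    $cbt = Get-RegistryDword -Path $ntds -Name 'LdapEnforceChannelBinding' -Default 0

    [pscustomobject]@{ Setting = 'LDAP server signing';   Value = $signing; Required = 2; Enforced = ($signing -eq 2) }
    [pscustomobject]@{ Setting = 'LDAPS channel binding'; Value = $cbt;     Required = 2; Enforced = ($cbt -eq 2) }
}

# Part 1
$others = @(Get-OtherInteractiveSessions | Sort-Object User -Unique)
if ($others.Count -eq 0) {
    Write-Host 'No other interactive sessions on this host.'
} else {
    Write-Host 'Other interactive sessions on this host (potential relay victims):'
    $others | Format-Table -AutoSize
}

# Part 2: DomainRole 4 = backup DC, 5 = primary DC
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
if ($isDc) {
    Test-LdapRelayMitigations | Format-Table -AutoSize
} else {
    Write-Host 'Not a domain controller; run the LDAP mitigation check on each DC.'
}
```

A DC that reports both settings as enforced will reject a relayed NTLM bind over LDAP and LDAPS, which removes the privilege escalation path the article describes. It does not remove the coercion itself: the captured authentication can still be relayed to other services (the article notes "other protocols"), so the check is a narrowing of the blast radius, not a substitute for limiting where privileged accounts log in interactively.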

