/MicrosoftWontFixList

A list of vulnerabilities or design flaws that Microsoft does not intend to fix. Since the number is growing, I decided to make a list. This list covers only vulnerabilities that came up in July 2021 (and SpoolSample ;-))

BSD 3-Clause "New" or "Revised" LicenseBSD-3-Clause

Microsoft Wont-Fix-List (July 2021 Edition)


02.08.2021 - Update: thank you all for your feedback :-) This list was intended to be a summary of what happend in July 2021 and I decided I'll keep it that way, because I honestly think I don't have the energy to maintain an up-to-date list of ALL won't fixes Microsoft has to offer. So I'll keep this remark here for clarity and change the description.


A list of vulnerabilities or design flaws Microsoft does not intend to fix. Since the number is growing, I decided to make a list.

LPE = Local Privilege Escalation
DPE = Domain-wide Privilege Escalation
RCE = Remote Code Execution

Vulnerability CVE Attack Type It's NTLM again, right? How it works in a nutshell
SpoolSample works as designed Coerce authentication,
Coerce target: other computer or localhost,
LPE
yes SpoolSample abuses a functionality of the MS-RPRN (the print system remote protocol) to coerce target A to authenticate to a destination of the attackers choosing (target B). This destination usually is another host running an NTLM relay tool (like ntlmrelayx or inveigh), which in turn relays the target A to the final target, target C. The permissions of target A are then used to execute stuff (e.g. make me domain admin, configure RBCD, add a user, etc...) on target C. A common example of target C is the LDAP service of a domain controller.

Update: I just learned that this can also be abused for local privilege escalation. Have a look at the second link.

https://github.com/leechristensen/SpoolSample
https://twitter.com/tifkin_/status/1420076325151272960
PetitPotam works as designed Coerce authentication, Coerce target: other computer yes PetitPotam is similar to SpoolSample but uses another protocol (MS-EFSRPC). Another benefit of PetitPotam is that you can force the protocol target A uses to authenticate to target B (see SpoolSample explanation) to HTTP. However for this to work, the WebClient service needs to run on target A, which might be not a big deal on clients but the service is not installed by default on servers. So as far as I understand, you're probably stuck with SMB when it comes to servers. @tifkin_ explains this nicely in a twitter thread (see references), so maybe have a look at that.

Update: I just learned that this can also be abused for local privilege escalation. Have a look at the third link.

https://github.com/topotam/PetitPotam
https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
https://twitter.com/tifkin_/status/1418855927575302144
https://twitter.com/tifkin_/status/1420076325151272960
RemotePotato0 works as designed Coerce Authentication, Coerce target: different user logged in on same machine as attacker yes This attack can coerce authentication from another user session on the attackers machine to an attacker-controlled target. Common scenario would be: unprivileged attacker is logged onto a machine. privileged user logs onto that machine with RDP. attacker triggers authentication in the privileged session to another, attacker-controlled host. From thereon it's classic NTLM relay again.

https://github.com/antonioCoco/RemotePotato0
SeriousSAM CVE-2021-36934 LPE Kind of Due to weak default ACLs on the SAM and SYSTEM files, these files can be accessed by unprivileged users through volume shadow copies. Sidenote: there's a read lock on the SAM file while in use, therefore you need the volume shadow copy access path cause you can't read it directly. An unprivileged user can extract the local admin's password hash and use this to elevate local privileges. This could be done using PTH from another host or if you already have control over a process running as Local Service/Network Service then you could use @shitsecure's tool (see 3rd link). They will definitely fix this but I guess we will be stuck with the insecure shadow copies.

https://twitter.com/jonasLyk/status/1417205166172950531
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH
PrintNightmare CVE-2021-1675(RCE), CVE-2021-34527(RCE), CVE-2021-34481(LPE) RCE and LPE No A vulnerability in the print spooler allows an attacker to introduce a malicious DLL that will be executed by the spooler service. This can be used for remote code execution as well as local privilege escalation.
I assume they will actually fix these since CVEs are assigned. Furthermore, I am of the opinion that the printer spooler needs to lose its SYSTEM rights!

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
https://twitter.com/gentilkiwi/status/1416429891592011781
https://github.com/cube0x0/CVE-2021-1675
ADCS - ESC8 works as designed DPE Hell yeah The web interface of the Active Directory Certificate Services allows NTLM authentication by default and does not enforce relay mitigations (also by default). Therefore you can relay an authentication to that webinterface and request a certificate in the name of the relayed account. E.g. you relay the DC (using PetitPotam for example) and get a DC certificate.

https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb#rpc-to-rce-steps