
Sunday, January 24, 2016

Hot Potato Exploit Gives Attackers the Upper Hand in Multiple Windows Versions by Catalin Cimpanu



By chaining together a series of known Windows security flaws, researchers from Foxglove Security have found a way to escalate privileges on almost all of Microsoft's recent versions of Windows.
The exploit, named Hot Potato, relies on three different, previously known weaknesses, some of which date as far back as 2000.
Microsoft has left all of them unpatched, explaining that fixing them would break compatibility between different versions of its operating system.

Hot Potato is made up of three different exploits

The three weaknesses that form the Hot Potato exploit are a local NBNS (NetBIOS Name Service) spoofing technique the researchers describe as 100% reliable, a flaw that lets an attacker stand up a fake WPAD (Web Proxy Auto-Discovery) proxy server, and a relay attack against the Windows NTLM (NT LAN Manager) authentication protocol.
Working through these stages one by one may take an attacker anywhere from minutes to days, but if the chain succeeds, a process running at the lowest privilege level ends up with SYSTEM privileges, the Windows analog of the root user on Linux/Android.
Foxglove researchers built their exploit on top of proof-of-concept code released by Google's Project Zero team in 2014 and presented their findings at the ShmooCon security conference over the past weekend. They have also posted their exploit code on GitHub.
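To make the first stage concrete, here is an added Python example of the NBNS packet layer (RFC 1002) that the spoofing stage operates on. It is written for this page and is not Foxglove's Hot Potato code: it first-level-encodes a NetBIOS name the way NBNS does, builds the broadcast name query a Windows host sends when it looks up "WPAD", builds the positive name-query response a spoofer would answer with, and shows the check a victim's resolver effectively applies before trusting the answer, namely that the 16-bit transaction ID and the queried name match. The sample query, the transaction ID 0x1234 and the address 10.0.0.5 are constructed here; nothing is sent on the network.

```python
"""NBNS (RFC 1002) name-query parser and positive-response builder.

Added example for the Hot Potato article, not Foxglove Security's code.
All packets below are built in memory from constructed values; the
example never opens a socket.
"""
from __future__ import annotations

import struct

NB_TYPE = 0x0020          # RR/question type "NB" (NetBIOS general name service)
IN_CLASS = 0x0001
QUERY_FLAGS = 0x0110      # request: R=0, OPCODE=QUERY, RD=1, B (broadcast)=1
RESPONSE_FLAGS = 0x8500   # positive response: R=1, OPCODE=QUERY, AA=1, RD=1, RCODE=0
SUFFIX_WORKSTATION = 0x00 # 16th byte of the name; 0x00 is the workstation service


def encode_name(name: str, suffix: int = SUFFIX_WORKSTATION) -> bytes:
    """First-level encoding: pad the name to 15 bytes, append the suffix byte,
    then emit each nibble of each byte as a letter 'A' + nibble (32 chars)."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"  # label length 32, label, terminator


def decode_name(encoded: bytes) -> tuple[str, int]:
    """Inverse of encode_name(); returns (name, suffix)."""
    if len(encoded) != 34 or encoded[0] != 0x20 or encoded[-1] != 0x00:
        raise ValueError("not a first-level-encoded NetBIOS name")
    body = encoded[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_query(txid: int, name: str, suffix: int = SUFFIX_WORKSTATION) -> bytes:
    """Broadcast NAME QUERY REQUEST: 12-byte header, one question, no answers."""
    header = struct.pack(">HHHHHH", txid, QUERY_FLAGS, 1, 0, 0, 0)
    return header + encode_name(name, suffix) + struct.pack(">HH", NB_TYPE, IN_CLASS)


def parse_query(packet: bytes) -> dict:
    """Parse a NAME QUERY REQUEST into its transaction ID, name and suffix."""
    if len(packet) < 50:
        raise ValueError("packet too short for an NBNS name query")
    txid, flags, qdcount, _, _, _ = struct.unpack(">HHHHHH", packet[:12])
    if flags & 0x8000 or ((flags >> 11) & 0xF) != 0 or qdcount != 1:
        raise ValueError("not a name-query request")
    name, suffix = decode_name(packet[12:46])
    qtype, qclass = struct.unpack(">HH", packet[46:50])
    if (qtype, qclass) != (NB_TYPE, IN_CLASS):
        raise ValueError("unexpected question type/class")
    return {"txid": txid, "name": name, "suffix": suffix, "broadcast": bool(flags & 0x0010)}


def build_positive_response(txid: int, name: str, suffix: int, ip: str, ttl: int = 165) -> bytes:
    """POSITIVE NAME QUERY RESPONSE (RFC 1002 4.2.13): one NB record carrying
    NB_FLAGS (B-node, unique name) and the IPv4 address that owns the name.
    A victim only accepts it if txid equals the ID of its outstanding query,
    so a spoofer must see the query or hit the right 16-bit ID."""
    header = struct.pack(">HHHHHH", txid, RESPONSE_FLAGS, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + bytes(int(o) for o in ip.split("."))
    rr = encode_name(name, suffix) + struct.pack(">HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + rr


def parse_positive_response(packet: bytes) -> dict:
    """Parse a single-answer name-query response back into its fields."""
    if len(packet) < 62:
        raise ValueError("packet too short for an NBNS name-query response")
    txid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", packet[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a name-query response")
    name, suffix = decode_name(packet[12:46])
    _rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", packet[46:56])
    rdata = packet[56:56 + rdlen]
    ip = ".".join(str(b) for b in rdata[2:6])
    return {"txid": txid, "name": name, "suffix": suffix, "ttl": ttl, "ip": ip, "rcode": flags & 0xF}


def answer_matches(query: bytes, response: bytes) -> bool:
    """The acceptance test a resolver applies: same transaction ID, same
    name and suffix, and a zero RCODE. Nothing in NBNS authenticates the sender."""
    q, r = parse_query(query), parse_positive_response(response)
    return q["txid"] == r["txid"] and (q["name"], q["suffix"]) == (r["name"], r["suffix"]) and r["rcode"] == 0


if __name__ == "__main__":
    # Constructed sample: a host looks up "WPAD" with transaction ID 0x1234.
    query = build_query(0x1234, "WPAD")
    print("query  :", query.hex())
    print("parsed :", parse_query(query))
    spoofed = build_positive_response(0x1234, "WPAD", SUFFIX_WORKSTATION, "10.0.0.5")
    print("answer :", parse_positive_response(spoofed))
    print("accepted:", answer_matches(query, spoofed))
    print("wrong txid accepted:", answer_matches(query, build_positive_response(0x1235, "WPAD", 0, "10.0.0.5")))
```

The point the code makes is that the only thing tying an NBNS answer to a query is the 16-bit transaction ID and the name itself; there is no signature or origin check, which is why an attacker on the same host or subnet who can supply a matching ID can hand the victim any address for "WPAD".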

Hot Potato can be used against multiple Windows versions

Additionally, some proof-of-concept videos were uploaded to YouTube, in which the researchers can be seen exploiting Windows 7, 8, 10, Server 2008 and Server 2012.
The researchers say that enabling "Extended Protection for Authentication" in Windows should stop the last stage of their exploit, the NTLM relay attack.
Using SMB (Server Message Block) signing may in theory also block the attack, but they note that they have not fully investigated that mitigation.
