PoC Exploit for Windows NTLM Privilege Escalation Flaw (CVE-2023-21746) Published

by do son · Published February 13, 2023 · Updated November 4, 2023

A proof-of-concept (PoC) exploit related to an NTLM elevation of privilege vulnerability affecting Windows and patched by Microsoft last month was published online.

Identified as CVE-2023-21746, Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the NTLM component. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in its advisory.

Last week, two security researchers Andrea Pierini & Antonio Cocomazzi announced the release of PoC exploits code targeting the CVE-2023-21746 vulnerability.

“The objective of our research was to intercept a local NTLM authentication as a non-privileged local or domain user, and “swap” the contexts (NTLM “Reserved” field) with that of a privileged user (e.g. by coercing an authentication),” the researcher wrote.

“This would allow us to authenticate against a server service with these credentials, effectively exchanging the identity of our low-privileged user with a more privileged entity like SYSTEM. If successful, this would indicate that there are no checks in place to validate the Context exchanged between the two parties involved in the authentication.“

Published on GitHub, the PoC exploit for CVE-2023-21746 could allow a local attacker or malware to gain and run code with administrative system privileges on the targeted machines, eventually allowing the attacker to gain full control of the machine.

The vulnerability is a type of NTLM reflection attack that targets local authentication. This attack allows for arbitrary file read/write and elevation of privilege.

Microsoft said it was not aware of any exploits in the wild for any of the issues addressed in this batch of updates and urged users to apply the January Patch immediately.

Update on November 4

The LocalPotato attack is a type of NTLM reflection attack that targets local authentication. This attack allows for arbitrary file read/write and elevation of privilege.

NOTE: The SMB scenario has been fixed by Microsoft in the January 2023 Patch Tuesday with the CVE-2023-21746. If you run this exploit against a patched machine it won’t work.

NOTE2: The HTTP/WebDAV scenario is currently unpatched (Microsoft decision, we reported it) and works on updated systems.