Micropatching the "LocalPotato" NTLM Elevation of Privilege (CVE-2023-21746)

 

January 2023 Windows Updates brought a fix for CVE-2023-21746, a local privilege escalation vulnerability in Windows, called "LocalPotato" by its discoverers  Andrea Pierini and Antonio Cocomazzi. Its name is in reference to many other "potato" vulnerabilities that have been discovered in Windows since 2014 when James Forshaw of Google Project Zero published their analysis of Local WebDAV NTLM Reflection.

The potato vulnerability at hand, "LocalPotato", was reported to Microsoft by Andrea and Antonio and will, now that the official fix has been available for a month, soon be published at https://www.localpotato.com/.

While still-supported Windows systems have already received the official vendor fix for this vulnerability (assuming admins have applied the January 2023 Windows Update), there are many Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for this vulnerability, which are available through the 0patch service.

Our patches are logically equivalent to Microsoft's patches for this issue.

Let's see our micropatch in action. With 0patch disabled, the POC launched by a low-privileged user creates a file localpotato.exe in C:\Windows folder. (Of course this means that any other file could have been created, including a DLL that some high-privileged process would gladly load and run code from.) With 0patch enabled, the attack is blocked and no file is created.

Micropatch Availability

The micropatch was written for the following Versions of Windows with all available Windows Updates installed: 

1. Windows 10 v21H1
2. Windows 10 v2004
3. Windows 10 v1909
4. Windows 10 v1809
5. Windows 10 v1803
6. Windows 7 (no ESU, ESU years 1 and 2)
7. Windows Server 2008 R2 (no ESU, ESU years 1 and 2)

 

Note that Windows 7 and Server 2008 R2 with ESU year 3 have received Microsoft's patch with January Updates.

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

To learn more about 0patch, please visit our Help Center. 

We'd like to thank Andrea Pierini and Antonio Cocomazzi for sharing their POC with us which allowed us to create a micropatch before details were released to the public. We also encourage other security researchers to privately share their analyses with us for micropatching.