10 years of Windows Privilege Escalation with "Potatoes"

In this talk, we will present our journey into the discovery of our Windows “*Potato” exploits, including RoguePotato, RemotePotato0, JuicyPotatoNG , LocalPotato ,ADCSCoercePotato aka SilverPotato and finally the FakePotato. We’ll delve into the vulnerabilities, the fixes, and the bypasses of those fixes, unfolding an intricate story of how a single unfixed bug has led to a long-running history of local and domain privilege escalation vulnerabilities on Windows systems.

Back in early 2014, a new privilege escalation vulnerability was publicly disclosed, detailing a new way of performing a local NTLM reflection attack leveraging a DCOM trigger. Since then, a new Pandora’s box has been opened, starting the “dynasty” of a series of exploits known as “Potatoes”. Each exploit in this series relies on the DCOM trigger as its core exploitation method. Most of these exploits allow an attacker to break the WSH (Windows Service Hardening) boundary, enabling privilege escalation from a limited service to SYSTEM: a common scenario when dealing with web services like IIS or MSSQL. Interestingly, Microsoft does not consider WSH a security boundary but rather a safety boundary; for this reason, many Potato exploits work (and have been working) on fully updated Windows systems. Moreover, recent iterations of the Potato exploits enable privilege escalation even from an unprivileged user, eliminating the prerequisite of running as a service. Among these, our Potato exploit, LocalPotato (also known as CVE-2023-21746), stands out. But this technique can also be abused from remote. It is possible to trigger remotely a potato exploit, the SilverPotato, and perform a domain privilege escalation by coercing the authentication of a high privileged Computer account or a tier 0 user such as the Domain Administrator. This one is still in review by MSRC. Then comes the FakePotato, a technique that diverges from the traditional approach. It’s currently under review by MSRC too.