Description
For nearly two decades, Windows has been plagued with NTLM reflection vulnerabilities.
This special case of NTLM authentication relay has historically led to local privilege escalation or even remote command execution, although with some limitations.
Over time, mitigations against this class of vulnerability were implemented, leading to a false assumption that NTLM reflection attacks were relics of the past.
This presentation will shatter that assumption by covering the research that led to the discovery of CVE-2025-33073, a logical vulnerability leading to authenticated RCE as SYSTEM on almost any Windows machine and without any user interaction.
In this talk, fundamental concepts about authentication relay attacks will be explained, as well as the context surrounding the research and the accidental discovery of the vulnerability.
Afterwards, a methodical investigation of the root cause of the vulnerability will be presented, first by analysing network captures and then by performing a thorough reverse-engineering of LSASS internals and its NTLM authentication provider.
Subsequently, we will shift our attention to Kerberos, where we will demonstrate that CVE-2025-33073 is not restricted to NTLM and that it also affects Kerberos.
After a brief reminder of the protocol, in-depth insights in its integration within LSASS will be discussed as well as an undocumented behavior, to understand why this vulnerability also applies to Kerberos.
Finally, the patch analysis will be presented.
We will detail how it fixes the specific attack vector described in this presentation and how it may not be enough to completely eradicate this class of vulnerability.
We will conclude by explaining how the exploitation of this vulnerability could have been prevented even before it was found and the current state Windows machine hardening.
