All versions of Windows clients, from Windows 7 through current Windows 11 versions, contain a zero-day vulnerability that could allow attackers to capture NTLM authentication hashes from users of affected systems.
Researchers at ACROS Security reported the flaw to Microsoft this week. They discovered the issue while writing a patch for older Windows systems for CVE-2024-38030, a medium-severity Windows Themes spoofing vulnerability that Microsoft mitigated in its July security update.
Variant of Two Earlier Vulnerabilities
The vulnerability that ACROS discovered is similar to CVE-2024-38030 and permits what is known as an authentication coercion attack, where a vulnerable system is essentially coerced into sending NTLM hashes — the cryptographic representation of a user's password — to an attacker's system. Akamai researcher Tomer Peled discovered CVE-2024-38030 while analyzing Microsoft's fix for CVE-2024-21320, another, earlier Windows themes spoofing vulnerability he discovered and reported to Microsoft. The flaw that ACROS uncovered is a new, separate vulnerability related to the two flaws Peled reported earlier.
Windows themes files allow users to customize the appearance of their Windows desktop interface via wallpapers, screen savers, colors, and sounds. Both of the vulnerabilities that Akamai researcher Peled discovered had to do with the manner in which the themes handled file paths to a couple of image resources, specifically "BrandImage" or "Wallpaper." Peled found that because of improper validation, an attacker could manipulate the legitimate path to these resources in such a way as to get Windows to automatically send an authenticated request, including the user's NTLM hash, to the attacker's system.
As Peled explains to Dark Reading, "The themes file format is an .ini file, with multiple 'key,value' pairs. I initially found two key,value pairs that could accept file paths," he says.
The original vulnerability (CVE-2024-21320) stemmed from the fact that the key,value pairs accepted UNC paths — a standardized format for identifying network resources like shared files and folders — for network drives, Peled notes. "This [meant] that a weaponized theme file, with a UNC path, could trigger an outbound connection with user authentication, without them knowing." Microsoft fixed the issue by adding a check on the file path to ensure it wasn't a UNC path. But, Peled says, the function Microsoft used for this validation allowed for some bypasses, which is what led to Peled's discovery of the second vulnerability (CVE-2024-38030).
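The mechanism described above gives defenders a concrete thing to look for: a .theme file is an INI file, and the risky condition is an image key whose value is a UNC path rather than a local one. The following scanner is an added example written for this article; it is not code from Akamai, ACROS, or Microsoft. It parses theme text with Python's standard INI parser, flags any key whose value begins with a UNC-style double separator (backslash or forward slash, which also catches the `\\?\UNC\` prefix form), and reports the section, key, and value. The two embedded theme files, the host name `share.example.test`, and the section and key names used in them are constructed for the example; the real "BrandImage" and "Wallpaper" keys are the ones the article names. Because the article itself notes that UNC path formats allow odd combinations, the check is deliberately broad (any key, any double-separator prefix) so that a hit is a triage lead, not a verdict.

```python
import configparser
import re
from typing import List, Tuple

# A value that starts with two path separators, in any mix of \ and /, is
# treated as a UNC-style reference to a remote host. This also matches the
# Win32 "\\?\UNC\host\share" prefix form because it begins with "\\".
UNC_RE = re.compile(r"^[\\/]{2}")

# Constructed sample: a theme whose image paths are local files only.
BENIGN_THEME = """[Theme]
DisplayName=Constructed Benign Theme
BrandImage=C:\\Windows\\Web\\Wallpaper\\Theme1\\img1.jpg

[Control Panel\\Desktop]
Wallpaper=C:\\Users\\Public\\Pictures\\landscape.jpg
"""

# Constructed sample: the same keys pointing at a remote share (hypothetical
# host name), once with backslashes and once with forward slashes.
SUSPECT_THEME = """[Theme]
DisplayName=Constructed Suspicious Theme
BrandImage=\\\\share.example.test\\pics\\brand.jpg

[Control Panel\\Desktop]
Wallpaper=//share.example.test/pics/wall.jpg
"""


def is_unc_path(value: str) -> bool:
    """Return True if the (unquoted, stripped) value looks like a UNC path."""
    cleaned = value.strip().strip('"').strip()
    return bool(UNC_RE.match(cleaned))


def scan_theme_text(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every key whose value is a UNC path.

    Every key in every section is checked, not only BrandImage and Wallpaper,
    because a remote path in any other key is just as worth a look.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written in the file
    parser.read_string(text)
    findings: List[Tuple[str, str, str]] = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if is_unc_path(value):
                findings.append((section, key, value.strip()))
    return findings


def scan_theme_file(path: str) -> List[Tuple[str, str, str]]:
    """Scan a .theme file on disk; tolerates a BOM and odd bytes."""
    with open(path, "r", encoding="utf-8-sig", errors="replace") as fh:
        return scan_theme_text(fh.read())


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_THEME), ("suspect", SUSPECT_THEME)):
        hits = scan_theme_text(text)
        print(f"{label}: {len(hits)} UNC reference(s)")
        for section, key, value in hits:
            print(f"  [{section}] {key} = {value}")
```

Run against a folder such as a user's Downloads directory, `scan_theme_file` on each `*.theme` gives a quick list of files worth quarantining or inspecting before anyone opens that folder in an icon view. Real theme files are sometimes saved as UTF-16; if a file reads as garbage, re-open it with `encoding="utf-16"` before parsing.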
Microsoft Will Act 'As Needed'
What ACROS Security reported this week is the third Windows themes spoofing vulnerability rooted in the same file path issue. "Our researchers discovered the vulnerability in early October while writing a patch for CVE-2024-38030 meant for legacy Windows systems many of our users are still using," says Mitja Kolsek, CEO of ACROS Security. "We reported this issue to Microsoft [on] Oct. 28, 2024, but we didn't release details or a proof-of-concept, which we plan to do after Microsoft has made their own patch publicly available."
A Microsoft spokesman said via email the company is aware of the ACROS report and "will take action as needed to help keep customers protected." The company doesn't appear to have issued a CVE, or vulnerability identifier, for the new issue yet.
Like the two earlier Windows themes spoofing vulnerabilities that Akamai discovered, the new one that ACROS found also doesn't require an attacker to have any special privileges. "But they have to somehow get the user to copy a theme file to some folder on their computer, then open that folder with Windows Explorer using a view that renders icons," Kolsek says. "The file could be automatically downloaded to their Downloads folder while visiting [an] attacker's website, in which case the attacker would have to wait for the user to view the Downloads folder at a later time."
Kolsek recommends that organizations disable NTLM where possible, but acknowledges that doing so could cause functional problems if any network components rely on it. "[An] attacker could only successfully target a computer where NTLM is enabled," he says. "Another requirement is that a request initiated by a malicious theme file would be able to reach the attacker's server on the Internet or in an adjacent network," something that firewalls should typically block, he says. As a result, an attacker is more likely to exploit the flaw in a targeted campaign than in a mass exploit.
Akamai's Peled says it is hard to know what ACROS's vulnerability is about without having access to the technical details. "But it might be another UNC bypass that circumvents the check, or it could be a different key,value pair that was missed in the original patching," he says. "UNC path formats are very complex and allow for weird combinations, which makes detecting them very hard. This might be why it is so complex to fix."