Recurring Windows Flaw Could Expose User Credentials

All variations of Home windows purchasers, from Home windows 7 by way of present Home windows 11 variations, include a 0-day vulnerability that would enable attackers to seize NTLM authentication hashes from customers of affected techniques.

Researchers at ACROS Safety reported the flaw to Microsoft this week. They found the problem whereas writing a patch for older Home windows techniques for CVE-2024-38030, a medium-severity Home windows Themes spoofing vulnerability that Microsoft mitigated in its July security update.

Variant of Two Earlier Vulnerabilities

The vulnerability that ACROS discovered is similar to CVE-2024-38030 and allows what is named an authentication coercion assault, the place a weak gadget is actually coerced into sending NTLM hashes — the cryptographic illustration of a person’s password — to an attacker’s system. Akamai researcher Tomer Peled discovered CVE-2024-38030 whereas analyzing Microsoft’s repair for CVE-2024-21320, one other, earlier Home windows themes spoofing vulnerability he discovered and reported to Microsoft. The flaw that ACROS uncovered is a brand new, separate vulnerability associated to the 2 flaws Peled reported earlier.

Home windows themes recordsdata enable customers to customise the looks of their Home windows desktop interface by way of wallpapers, display savers, colours, and sounds. Each the vulnerabilities that Akamai researcher Peled found needed to do with the way through which the themes dealt with file paths to a few picture sources, particularly “BrandImage” or “Wallpaper.” Peled discovered that due to improper validation, an attacker may manipulate the reputable path to those sources in such a approach as to get Home windows to mechanically ship an authenticated request, together with the person’s NTLM hash, to the attacker’s gadget.

As Peled explains to Darkish Studying, “The themes file format is an .ini file, with a number of ‘key,worth’ pairs. I initially discovered two key,worth pairs that would settle for file paths,” he says.

The unique vulnerability (CVE-2024-21320) stemmed from the truth that the important thing,worth pairs accepted UNC paths — a standardized format for figuring out community sources like shared recordsdata and folders — for community drives, Peled notes. “This [meant] {that a} weaponized theme file, with a UNC path, may set off an outbound reference to person authentication, with out them figuring out.” Microsoft fastened the problem by including a test on the file path to make sure it wasn’t a UNC path. However, Peled says, the operate Microsoft used for this validation allowed for some bypasses, which is what led to Peled’s discovery of the second vulnerability (CVE-2024-38030).

Microsoft Will Act ‘As Wanted’

What ACROS Safety reported this week is the third Home windows themes spoofing vulnerability rooted in the identical file path situation. “Our researchers found the vulnerability in early October whereas writing a patch for CVE-2024-38030 meant for legacy Home windows techniques lots of our customers are nonetheless utilizing,” says Mitja Kolsek, CEO of ACROS Safety. “We reported this situation to Microsoft [on] Oct. 28, 2024, however we didn’t launch particulars or a proof-of-concept, which we plan to do after Microsoft has made their very own patch publicly obtainable.”

A Microsoft spokesman mentioned by way of e mail the corporate is conscious of the ACROS report and “will take motion as wanted to assist preserve prospects protected.” The corporate doesn’t seem to have issued a CVE, or vulnerability identifier, for the brand new situation but.

Like the 2 earlier Home windows themes spoofing vulnerabilities that Akamai found, the brand new one which ACROS discovered additionally doesn’t require an attacker to have any particular privileges. “However they should one way or the other get the person to repeat a theme file to another folder on their laptop, then open that folder with Home windows Explorer utilizing a view that renders icons,” Kolsek says. “The file is also mechanically downloaded to their Downloads folder whereas visiting [an] attacker’s web site, through which case the attacker must look ahead to the person to view the Downloads folder at a later time.”

Kolsek recommends that organizations disable NTLM the place potential, however acknowledges that doing so may trigger purposeful issues if any community parts depend on it. “[An] attacker may solely efficiently goal a pc the place NTLM is enabled,” he says. “One other requirement is {that a} request initiated by a malicious theme file would be capable of attain the attacker’s server on the Web or in an adjoining community,” one thing that firewalls ought to usually block, he says. In consequence, it is extra possible than an attacker would attempt to exploit the flaw in a focused marketing campaign extra so than in a mass exploit.

Akamai’s Peled says it is exhausting to know what ACROS’s vulnerability is about with out accessing the technical particulars. “Nevertheless it is perhaps one other UNC bypass that circumvents the test, or it may very well be a distinct key,worth pair that was missed within the unique patching,” he says. “UNC path codecs are very advanced and permit for bizarre combos, which make detecting them very exhausting. This is perhaps why it is so advanced to repair.”