Cybersecurity researchers have uncovered a "forced authentication" scenario that could be exploited to leak a Windows user's NT LAN Manager (NTLM) tokens by tricking a victim into opening a specially crafted Microsoft Access file.
The attack takes advantage of a legitimate feature in the database management system that allows users to link to external data sources, such as a remote SQL Server table.
"This feature can be abused by attackers to automatically leak the Windows user's NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80," Check Point security researcher Haifei Li said. "The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more common Office file type (such as a .rtf) can work as well."
NTLM, an authentication protocol introduced by Microsoft in 1993, is a challenge-response protocol that is used to authenticate users during sign-in. Over the years, it has been found to be susceptible to brute-force, pass-the-hash, and relay attacks.
The latest attack, in a nutshell, abuses the linked table feature in Access to leak NTLM hashes to an actor-controlled server by embedding an .accdb file containing a remote SQL Server database link inside an MS Word document using a mechanism called Object Linking and Embedding (OLE).
"An attacker can set up a server that they control, listening on port 80, and put its IP address in the above 'server alias' field," Li said. "Then they can send the database file, including the linked table, to the victim."
Should the victim open the file and click the linked table, the victim client contacts the attacker-controlled server for authentication, enabling the latter to pull off a relay attack by initiating an authentication process with a targeted NTLM server in the same organization.
The rogue server then receives the challenge from that NTLM server, passes it on to the victim as part of the attacker-controlled CV ↔ SA authentication process, obtains a valid response, and relays that response to the NTLM server that issued the challenge.
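From a defender's point of view, the tell-tale sign of this technique is an NTLM authentication exchange leaving the network toward an arbitrary host on a port such as 80, exactly the traffic the article describes. The following Python script is an added example (not code from the article, Check Point, or Microsoft) that parses constructed proxy/firewall log lines, decodes the `Authorization: NTLM ...` header, identifies NTLMSSP message types, extracts the domain and user from a type 3 (AUTHENTICATE) message, and flags exchanges whose destination lies outside a hypothetical trusted address range. The log format, the trusted networks, and the account names are assumptions for the sample; the type 3 builder exists only to construct test input and fills the response fields with zeros.

```python
import base64
import binascii
import re
import struct
from ipaddress import ip_address, ip_network

NTLM_SIG = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001

# Hypothetical internal address space; anything else is reachable by an attacker.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def build_type3(domain, user, workstation):
    """Lay out a minimal NTLMSSP AUTHENTICATE (type 3) message for the sample log.
    The LM/NT response fields are zero-filled placeholders: no real credential
    material is involved, only the wire layout the detector has to parse."""
    header_len = 64  # signature, type, six field descriptors, negotiate flags
    payload = b""
    descriptors = b""
    for value in (b"\x00" * 24, b"\x00" * 24,          # LM and NT responses (dummy)
                  domain.encode("utf-16-le"),
                  user.encode("utf-16-le"),
                  workstation.encode("utf-16-le"),
                  b""):                                # encrypted session key (absent)
        descriptors += struct.pack("<HHI", len(value), len(value), header_len + len(payload))
        payload += value
    flags = struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE)
    return NTLM_SIG + struct.pack("<I", 3) + descriptors + flags + payload


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# NEGOTIATE (type 1): signature, type, flags, then empty domain/workstation fields.
TYPE1 = NTLM_SIG + struct.pack("<I", 1) + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + b"\x00" * 16

# Constructed log lines (not from the article). 203.0.113.0/24 is a documentation
# range standing in for an external, attacker-controlled host; the third line is a
# normal internal SMB authentication and must not be flagged.
SAMPLE_LOG = [
    f'2023-11-09T10:15:20Z src=10.0.0.5 dst=203.0.113.7:80 auth="NTLM {_b64(TYPE1)}"',
    f'2023-11-09T10:15:21Z src=10.0.0.5 dst=203.0.113.7:80 auth="NTLM {_b64(build_type3("CORP", "alice", "WS-0042"))}"',
    f'2023-11-09T10:16:02Z src=10.0.0.5 dst=10.0.0.20:445 auth="NTLM {_b64(build_type3("CORP", "alice", "WS-0042"))}"',
    '2023-11-09T10:16:30Z src=10.0.0.5 dst=203.0.113.7:80 auth="Basic dXNlcjpwYXNz"',
]

LINE_RE = re.compile(r'dst=(?P<ip>[\d.]+):(?P<port>\d+) auth="(?P<auth>[^"]*)"')


def parse_ntlm_auth(auth_value):
    """Decode an HTTP Authorization value; return (msg_type, domain, user) or None
    when the header does not carry an NTLMSSP message."""
    m = re.match(r"(?:NTLM|Negotiate)\s+([A-Za-z0-9+/=]+)$", auth_value)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIG):
        return None
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type != 3 or len(raw) < 64:
        return msg_type, None, None
    flags = struct.unpack_from("<I", raw, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"

    def field(desc_offset):
        # Each descriptor is (length, max length, offset from message start).
        length, _max, start = struct.unpack_from("<HHI", raw, desc_offset)
        return raw[start:start + length].decode(enc, "replace")

    return 3, field(28), field(36)   # DomainName and UserName descriptors


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze_log(lines):
    """Flag NTLM messages sent to destinations outside the trusted address space.
    A type 3 message is the credential-bearing step, so it is rated high."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        parsed = parse_ntlm_auth(m["auth"])
        if parsed is None or is_trusted(m["ip"]):
            continue
        msg_type, domain, user = parsed
        findings.append({
            "dst": f'{m["ip"]}:{m["port"]}',
            "msg_type": msg_type,
            "severity": "high" if msg_type == 3 else "medium",
            "account": f"{domain}\\{user}" if user else None,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports the two messages bound for 203.0.113.7:80 (the NEGOTIATE at medium severity and the AUTHENTICATE for CORP\alice at high) and stays silent on the internal SMB line and the non-NTLM header. In a real deployment the same logic would sit on egress proxy logs, and the corrective control is the one the article implies: block outbound NTLM (ports 80, 445 and any other TCP port) at the perimeter and restrict NTLM to known servers via the Windows "Network security: Restrict NTLM" policies.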
Although Microsoft has since released mitigations for the issue in the Office/Access version (Current Channel, version 2306, build 16529.20182) following responsible disclosure in January 2023, 0patch has released unofficial fixes for Office 2010, Office 2013, Office 2016, Office 2019, and Office 365.
The development also comes as Microsoft announced plans to discontinue NTLM in Windows 11 in favor of Kerberos for improved security.
Some parts of this article are sourced from:
thehackernews.com