Microsoft fixed a serious vulnerability that could allow attackers to steal Windows NTLM password hashes without any user interaction.
The tech giant patched the issues only for recent versions Windows (Windows 10 and Server 2016), to trigger the flaw the attacker just needs to do is to place a specially crafted Shell Command File (SCF file) inside publicly accessible Windows folders.
Once the attacker has placed the file in the folder, it executes due to the security issue, gathers the machine NTLM password hash, and sends it back to the attacker’s server.
Then the attacker can easily crack the NTLM password hash to access the victim’s computer. The hack was reported to Microsoft in May by the Columbian security researcher Juan Diego.
“It is a known issue that Microsoft NTLM architecture has some failures, hash stealing is not something new, it is one of the first things a pentester tries when attacking a Microsoft environment. But, most of these techniques require user intervention or traffic interception to fulfill the attack.” wrote Juan Diego.
“These new attacks require no user interaction, everything is done from the attacker’s side, but of course, there are some conditions that need to be met to be successful with this attack.”
Older Windows versions remain vulnerable because the registry modifications are not compatible with older versions of the Windows Firewall.
“Accordingly to Microsoft, all Windows versions since 3.11 till Windows 10, Desktop and server are vulnerable to this kind of attack.” explained Diego.
“Honestly, I have only tested on Windows 7 and Windows 10, then I passed the ball to Microsoft ?”
The good news is that the hack doesn’t work against machines with shared folders that are protected by a password, and this is the default option in Windows limiting the extent of the vulnerability.
Nonetheless, in many cases the Windows users need to share folders without a password according to their needs, opening their systems for attacks.
Be careful, the ADV170014 is an optional patch, installing it is highly recommended.
Diego was not able to detail why the attack was possible, in previously known attacks leveraging SCF files, in order to trigger the flaw, the victim should have had access the folder.
In the attack scenario detailed by Diego, the SCF files are executed just after the attacker place it in the shared folder without needing user’s interaction.
According to Bleepingcomputers.com, Microsoft acknowledged another security researcher, Stefan Kanthak, for reporting the issue.
“While Diego has reported his attack to Microsoft, it was German researcher Stefan Kanthak who got an acknowledgment from Microsoft for the fixed issue, as he too reported similar bugs in March 2017.” reported Bleeping computer.
“Microsoft did (as every so often) a POOR job, the updates published this month close only 2 of the 6 distinct weaknesses I reported,” Kanthak told Bleeping via email, hinting that more ways to exploit pass-the-hash attacks exist.
Let me close with mitigation provided by Diego:
“Microsoft created a sort of patch to this vulnerability consisting in changing two registry keys to disable NTLM on the system. This registry keys are available only on Windows 10 and Windows Server 2016, and Microsoft has no intentions to backport to the other versions.
Another issue is that disabling NTLM will break a lot of environments, and that’s a huge concern for them.” suggested the expert.
“My suggestion is to use strong passwords, after the attack we need to crack the hash, that can take a lot of time if the password is complex, and can be frustrating for the attacker.
The better approach, don’t share folders without passwords, that’ll do the trick.”
(Security Affairs – Windows login credentials, hacking)