In the ever-evolving landscape of cybersecurity, vulnerabilities and exploits are discovered that challenge the way we think about security. One such vulnerability is CVE-2023-35636, which has opened up discussions about NTLM v2 hashes and their security implications. This blog post explores what CVE-2023-35636 is, the nature of NTLM v2, and how attackers can exploit these vulnerabilities, specifically focusing on Outlook, URI handlers, WPA, and Windows File Explorer.
TL;DR
CVE-2023-35636 is a recently discovered vulnerability that affects Microsoft Outlook and allows attackers to leak NTLM v2 hashes. This exploit, along with other methods involving URI handlers, WPA, and Windows File Explorer, highlights the need for increased security measures to protect against NTLM v2 hash attacks.
What is CVE-2023-35636?
CVE-2023-35636 is a security vulnerability identified in Microsoft Outlook. This vulnerability can be exploited to leak NTLM v2 hashes without user interaction. It is particularly concerning because it can be exploited remotely, posing a significant risk to users’ sensitive information.
Specifically, this vulnerability is an exploit of the calendar sharing function in Microsoft Outlook. By adding two headers to an email, Outlook is directed to share content and contact a designated machine, creating an opportunity to intercept an NTLM v2 hash.
This vulnerability was published on Dec 12, 2023 and has a CVSS 3.1 base score of 6.5, indicating it is a medium-severity issue. Microsoft has acknowledged this vulnerability and released patches to mitigate it. It is crucial for users and administrators to apply these updates promptly to protect against potential attacks.
What is NTLM v2?
NTLM (NT LAN Manager) version 2 is an authentication protocol used on Windows networks. It is designed to provide authentication between clients and servers. Despite being an improvement over its predecessor in terms of security, NTLM v2 is still vulnerable to certain types of attacks.
NTLM v2 is part of a family of authentication protocols encompassed in the Windows Msv1_0.dll. The NTLM authentication protocols include LAN Manager version 1 and 2, and NTLM version 1 and 2. These protocols authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account.
NTLM v2 has been available for Windows NT 4.0 since Service Pack 4 (SP4) was released, and it is supported natively in Windows 2000. You can add NTLM v2 support to Windows 98 by installing the Active Directory Client Extensions. After you upgrade all computers that are based on Windows 95, Windows 98, Windows 98 Second Edition, and Windows NT 4.0, you can greatly improve your organization’s security by configuring clients, servers, and domain controllers to use only NTLM v2 (not LM or NTLM).
How can attackers use NTLM v2 hashes?
Attackers can use NTLM v2 hashes in several ways:
- Offline Brute-Force Attacks: Attackers can use brute-force techniques to crack the hashes and gain access to users’ credentials. This involves trying every possible combination of passwords until the correct one is found.
- Authentication Relay Attacks: This method involves capturing an NTLM authentication session and relaying it to access a service. The attacker intercepts the NTLM v2 hash and uses it to authenticate on another server, gaining unauthorized access.
- Pass-the-Hash Attacks: In this type of attack, the attacker uses the hash directly without needing to crack it. Since NTLM v2 hashes are equivalent to plain text passwords on the same network, an attacker can use the hash to authenticate as the user.
- Dictionary Attacks: Similar to brute-force attacks, but instead of trying all possible combinations, attackers use a list of likely passwords (a “dictionary”).
- Rainbow Table Attacks: A rainbow table is a precomputed table for reversing cryptographic hash functions. It’s used to crack password hashes, and it’s usually faster than a brute-force attack.
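As an added example (not code from the original post), the following Python models the challenge/response mechanism described above and the offline guessing that the brute-force and dictionary bullets rely on: the NT hash (MD4 of the UTF-16LE password), the NTLMv2 key derived from it per MS-NLMP, the response a client sends for a server challenge, and a dictionary check run against a captured exchange. MD4 is implemented in pure Python because OpenSSL 3 builds often disable it. The user, domain, password, challenge values and wordlist are constructed for the example; the point it makes is that once a response has leaked, each guess costs the attacker only a few hash operations and no network traffic, which is why the password strength bullet under the mitigations matters.

```python
"""Educational model of the NTLMv2 challenge/response (added example, not from the post)."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because many OpenSSL 3 builds drop MD4."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # the updated word cycles a, d, c, b, a, ...
                v[j] = _rotl((v[j] + func(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                              + x[k] + const) & MASK, shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password (the stored 'NT hash')."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()


def ntlmv2_response(password, user, domain, server_challenge, client_challenge,
                    timestamp=0, av_pairs=b""):
    """Client side: NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob); returns (proof, blob)."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(password, user, domain), server_challenge + blob,
                     hashlib.md5).digest()
    return proof, blob


def verify_or_crack(user, domain, server_challenge, proof, blob, candidates):
    """Offline check of a captured exchange: the same computation a server performs
    to verify the response, repeated per candidate password. No network needed."""
    for candidate in candidates:
        guess = hmac.new(ntowf_v2(candidate, user, domain), server_challenge + blob,
                         hashlib.md5).digest()
        if hmac.compare_digest(guess, proof):
            return candidate
    return None


def demo():
    """Constructed exchange: every value below is made up for this example."""
    user, domain, password = "alice", "CORP", "Summer2023!"
    server_challenge = bytes.fromhex("0123456789abcdef")
    proof, blob = ntlmv2_response(password, user, domain, server_challenge, os.urandom(8))
    # What a capture would record: user, domain, server challenge, proof and blob.
    captured = f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"
    recovered = verify_or_crack(user, domain, server_challenge, proof, blob,
                                ["123456", "password", "Summer2023!"])
    return captured, recovered


if __name__ == "__main__":
    line, pw = demo()
    print(line)
    print("recovered from a 3-word list:", pw)
```

The server never receives the password or the NT hash, only the HMAC over its challenge; that is the improvement over NTLM v1. The weakness the post describes is that anyone who can make a client authenticate to a host they control receives the same material a legitimate server would, and can then run `verify_or_crack` at leisure.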
Leaking NTLM v2 hashes using Outlook
The Outlook exploit
By crafting a malicious email that triggers the automatic retrieval of a remote resource, attackers can exploit CVE-2023-35636 to leak NTLM v2 hashes from the victim’s computer.
- Crafting the Email: The attacker crafts a malicious email that includes a request for a remote resource. This could be an image, a document, or any other type of file that can be hosted on a server.
- Sending the Email: The attacker sends this email to the victim. The email is designed in such a way that when Outlook processes the email, it automatically attempts to retrieve the remote resource.
- Leaking the Hash: As part of this retrieval process, Outlook sends an NTLM v2 hash to authenticate with the server. If the server is controlled by the attacker, this hash is effectively leaked.
- Exploiting the Hash: The attacker can then use this hash in various ways, such as cracking it to obtain the user’s credentials or using it in pass-the-hash or relay attacks.
Leaking NTLM v2 hashes using URI handlers and WPA
The WPA exploit
Attackers can use specially crafted URI handlers in conjunction with WiFi Protected Access (WPA) vulnerabilities to trick systems into initiating NTLM authentication processes, thereby leaking NTLM v2 hashes.
Attack scenario
An attacker sets up a malicious WiFi network. When a victim’s device connects to it and requests resources (e.g., through a malicious link), the device inadvertently leaks NTLM v2 hashes to the attacker.
Leaking NTLM v2 hashes using Windows File Explorer
The Windows File Explorer exploit
Similar to the Outlook exploit, attackers can craft files that, when accessed or previewed in Windows File Explorer, trigger the automatic retrieval of remote resources and leak NTLM v2 hashes.
Attack scenario
A user downloads a file from a phishing email or malicious website. Simply previewing the file in Windows File Explorer can trigger the NTLM v2 hash leak.
A familiar pattern
The common theme across these methods is the exploitation of automatic resource retrieval in various applications to leak NTLM v2 hashes. This underscores the importance of scrutinizing the automatic network requests that applications make.
In essence, these vulnerabilities take advantage of the fact that certain applications, when processing data, will automatically attempt to retrieve remote resources. This behavior can be exploited to trick the application into initiating an NTLM authentication process with a server controlled by an attacker, thereby leaking the NTLM v2 hash.
This pattern highlights a crucial aspect of cybersecurity: understanding the behavior of the systems we use and the implications of their features. It’s a reminder that security isn’t just about protecting against known threats, but also about understanding and managing the behaviors of our systems to mitigate potential vulnerabilities.
Microsoft’s response
- Security Update: Microsoft released a security update to fix the vulnerability as part of its December 2023 Patch Tuesday updates. The update addresses the vulnerability by correcting how Microsoft Outlook handles requests for resource retrieval.
- Severity Rating: Microsoft has assigned an ‘important’ severity rating to this vulnerability. The CVSS 3.1 base score for this vulnerability is 6.5, indicating it’s a medium severity issue.
- User Interaction: According to the CVSS metric, user interaction is required (UI:R). Exploitation of the vulnerability requires that a user open a specially crafted file.
- Information Disclosure: Exploiting this vulnerability could allow the disclosure of NTLM hashes.
Protecting yourself against NTLM v2 attacks
- Update Your Software: Regularly update your operating system and applications to protect against known vulnerabilities.
- Use Strong Passwords: Strong, unique passwords can help protect against brute-force attacks.
- Enable Network Level Authentication (NLA): NLA requires authentication before a session is established, reducing the risk of relay attacks.
- Disable NTLM If Possible: If your network environment allows, consider disabling NTLM and using a more secure protocol like Kerberos.
- Monitor Network Traffic: Regularly monitor network traffic for unusual activities. This can help detect potential NTLM v2 hash attacks.
- Educate Users: Make sure users are aware of the risks associated with clicking on suspicious links or connecting to unsecured Wi-Fi networks.
- Use a VPN: Encourage users to use a Virtual Private Network (VPN) when accessing the network remotely. This can provide an additional layer of security.
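Every variant in the "familiar pattern" section ends the same way: a workstation opens an outbound SMB or NetBIOS session to a host it should never talk to. The monitoring bullet above can therefore be made concrete with a simple egress check. The following Python is an added example (not code from the original post or from any vendor): it parses a constructed set of firewall log lines in an invented key=value format, treats RFC 1918 space as internal (an assumption about the address plan; adjust `INTERNAL_NETS` to yours), and reports any internal host reaching out on the NTLM-carrying ports to an external address, whether the firewall allowed it or not, since even a denied attempt shows that a lure was triggered on that client. The addresses used are from documentation ranges.

```python
"""Flag outbound SMB/NetBIOS connections to external hosts in firewall logs (added example)."""
import ipaddress
import re
from collections import Counter

# Assumed internal address plan (RFC 1918); documentation ranges are deliberately NOT listed
# so they read as "external" in the constructed sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports on which a coaxed Windows client will authenticate with NTLM to the remote host.
NTLM_EGRESS_PORTS = {445: "SMB", 139: "NetBIOS session"}

# Invented log format; the verifier only needs the four fields matched here.
LINE_RE = re.compile(r"action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

# Constructed sample: 203.0.113.0/24 and 198.51.100.0/24 are documentation (TEST-NET) ranges.
SAMPLE_LOG = """\
2023-12-13T10:02:11Z fw01 action=allow src=10.1.4.22 dst=10.1.9.5 dport=445 proto=tcp
2023-12-13T10:02:13Z fw01 action=allow src=10.1.4.22 dst=203.0.113.5 dport=445 proto=tcp
2023-12-13T10:02:14Z fw01 action=allow src=10.1.4.22 dst=203.0.113.5 dport=445 proto=tcp
2023-12-13T10:03:40Z fw01 action=allow src=10.1.4.31 dst=198.51.100.7 dport=443 proto=tcp
2023-12-13T10:05:02Z fw01 action=deny src=10.1.4.40 dst=203.0.113.9 dport=139 proto=tcp
garbage line that does not parse
"""


def is_internal(ip_text: str) -> bool:
    """True when the address falls inside one of the assumed internal networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return a dict with action/src/dst/dport for a recognised line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_ntlm_egress(log_text: str):
    """Aggregate internal->external connections on NTLM-carrying ports, per (src, dst, port, action)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] in NTLM_EGRESS_PORTS and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            counts[(rec["src"], rec["dst"], rec["dport"], rec["action"])] += 1
    return [
        {"src": s, "dst": d, "port": p, "service": NTLM_EGRESS_PORTS[p], "action": a, "count": n}
        for (s, d, p, a), n in sorted(counts.items())
    ]


def report(findings) -> str:
    """Human-readable summary; a SIEM rule would raise one alert per line here."""
    if not findings:
        return "no outbound NTLM-capable sessions to external hosts"
    return "\n".join(
        f"{f['src']} -> {f['dst']}:{f['port']} ({f['service']}) {f['action']} x{f['count']}"
        " - client was induced to authenticate to an external host"
        for f in findings
    )


if __name__ == "__main__":
    print(report(find_ntlm_egress(SAMPLE_LOG)))
```

The internal-to-internal SMB session on the first line is normal file-server traffic and is left alone; the HTTPS connection is ignored because it does not carry NTLM by default. The two 10.1.4.22 connections collapse into one finding with a count, which is the shape you want when feeding a ticketing system. In practice the durable fix for this whole class is the egress rule itself (block TCP 445 and 139 from workstations to the internet), with this kind of detection kept to catch clients that bypass it, for example on a hotel or home network without the corporate firewall in the path.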
The discovery of CVE-2023-35636 and similar exploits underscores the importance of maintaining robust security practices. By staying informed about vulnerabilities and adopting protective measures, users and organizations can better defend against NTLM v2 hash attacks.
At Maagsoft Inc, we are your trusted partner in the ever-evolving realms of cybersecurity, AI innovation, and cloud engineering. Our mission is to empower individuals and organizations with cutting-edge services, training, and AI-driven solutions. Contact us at contact@maagsoft.com to embark on a journey towards fortified digital resilience and technological excellence.