
Hackers Can Exploit ‘Forced Authentication’ to Steal Windows NTLM Tokens


Nov 28, 2023 Newsroom Cyber Attack / Vulnerability


Cybersecurity researchers have discovered a case of “forced authentication” that could be exploited to leak a Windows user’s NT LAN Manager (NTLM) tokens by tricking a victim into opening a specially crafted Microsoft Access file.

The attack takes advantage of a legitimate feature in the database management software that allows users to link to external data sources, such as a remote SQL Server table.

“This feature can be abused by attackers to automatically leak the Windows user’s NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80,” Check Point security researcher Haifei Li said. “The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more-common Office file type (such as a .rtf) can work as well.”


NTLM, an authentication protocol introduced by Microsoft in 1993, is a challenge-response protocol used to authenticate users during sign-in. Over the years, it has been found to be vulnerable to brute-force, pass-the-hash, and relay attacks.

The latest attack, in a nutshell, abuses the linked table feature in Access to leak the NTLM hashes to an actor-controlled server by embedding an .accdb file containing a remote SQL Server database link inside an MS Word document, using a mechanism called Object Linking and Embedding (OLE).


“An attacker can set up a server that they control, listening on port 80, and put its IP address in the above ‘server alias’ field,” Li explained. “Then they can send the database file, including the linked table, to the victim.”

Should the victim open the file and click the linked table, the victim’s client contacts the attacker-controlled server for authentication, enabling the latter to pull off a relay attack by initiating an authentication process with a targeted NTLM server in the same organization.

The rogue server then receives the challenge, passes it on to the victim as part of the authentication process, and obtains a valid response, which is ultimately transmitted to the NTLM server.
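From the defender’s side, the tell-tale artifact of this leak is an NTLM authentication leaving the network over an ordinary port such as 80. The script below is an example added here, not code from the article or from Check Point: it parses NTLMSSP messages out of constructed proxy log lines and flags any Type 3 (AUTHENTICATE) message sent to a host outside the internal ranges, which is what the victim’s client would emit toward the attacker’s listener. The log format, field names and destination hostnames are assumptions made for the illustration.

```python
import base64, ipaddress, struct
NTLMSSP_SIG = b"NTLMSSP\x00"

def parse_ntlm_message(blob: bytes) -> dict:
    """Parse an NTLMSSP header; for Type 3 (AUTHENTICATE) also pull domain and user name."""
    if not blob.startswith(NTLMSSP_SIG) or len(blob) < 12:
        raise ValueError("not an NTLMSSP message")
    info = {"type": struct.unpack_from("<I", blob, 8)[0]}
    if info["type"] == 3:
        # Security buffers (len, maxlen, offset) follow the 12-byte header: LmChallengeResponse
        # @12, NtChallengeResponse @20, DomainName @28, UserName @36 (MS-NLMP AUTHENTICATE_MESSAGE)
        for name, off in (("domain", 28), ("user", 36)):
            length, _maxlen, pos = struct.unpack_from("<HHI", blob, off)
            info[name] = blob[pos:pos + length].decode("utf-16-le")
    return info

def build_type3(domain: str, user: str) -> bytes:
    # Constructed Type 3 message with dummy LM/NT responses, used only to populate the sample log.
    parts = [b"\x00" * 24, b"\x11" * 24, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), "WS01".encode("utf-16-le"), b""]
    header, payload, offset = NTLMSSP_SIG + struct.pack("<I", 3), b"", 64
    for part in parts:  # fixed header is 64 bytes: 12 + six 8-byte buffers + 4-byte flags
        header += struct.pack("<HHI", len(part), len(part), offset)
        offset, payload = offset + len(part), payload + part
    return header + struct.pack("<I", 0x00088205) + payload  # flag value is arbitrary here

def is_external(host: str) -> bool:
    try:  # private, loopback and link-local are internal; a bare hostname counts as external
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)

def find_ntlm_leaks(log_lines) -> list:
    """Return (dst, domain, user) for each Type 3 NTLM message sent to an external host."""
    alerts = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        try:
            msg = parse_ntlm_message(base64.b64decode(fields["ntlm"]))
        except (KeyError, ValueError):  # no token on this line, or not an NTLMSSP blob
            continue
        if msg["type"] == 3 and is_external(fields["dst"].rsplit(":", 1)[0]):
            alerts.append((fields["dst"], msg["domain"], msg["user"]))
    return alerts

_b64 = lambda blob: base64.b64encode(blob).decode()
SAMPLE_LOG = [  # constructed proxy log: internal SMB auth, external HTTP auth, external Type 1 only
    "ts=2023-11-28T10:01:02Z src=10.0.0.5 dst=10.0.0.20:445 ntlm=" + _b64(build_type3("CORP", "alice")),
    "ts=2023-11-28T10:01:05Z src=10.0.0.5 dst=srv.attacker.example:80 ntlm=" + _b64(build_type3("CORP", "alice")),
    "ts=2023-11-28T10:01:06Z src=10.0.0.9 dst=cdn.example:80 ntlm=" + _b64(NTLMSSP_SIG + struct.pack("<I", 1) + b"\x00" * 24),
]
```

Running `find_ntlm_leaks(SAMPLE_LOG)` reports only the second line: a Type 3 message from CORP\alice to an external host on port 80, while the internal SMB authentication and the external Type 1 (NEGOTIATE) are ignored.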


While Microsoft has since released mitigations for the problem in Office/Access (Current Channel, version 2306, build 16529.20182) following responsible disclosure in January 2023, 0patch has released unofficial fixes for Office 2010, Office 2013, Office 2016, Office 2019, and Office 365.

The development also comes as Microsoft announced plans to discontinue NTLM in Windows 11 in favor of Kerberos for improved security.
