Recurring Windows Flaw Could Expose User Credentials

Published: 23/11/2024   Category: security


Now a zero-day, the vulnerability enables NTLM hash theft, an issue that Microsoft has already fixed twice before.



All versions of Windows clients, from Windows 7 through current Windows 11 versions, contain a zero-day vulnerability that could allow attackers to capture NTLM authentication hashes from users of affected systems.
Researchers at ACROS Security reported the flaw to Microsoft this week. They discovered the issue while writing a patch for older Windows systems for CVE-2024-38030, a medium-severity Windows Themes spoofing vulnerability that Microsoft mitigated in its July security update.
The vulnerability that ACROS discovered is very similar to CVE-2024-38030 and enables what is known as an authentication coercion attack, in which a vulnerable device is coerced into sending NTLM authentication hashes to an attacker's system. (The captured material is derived from the user's password; an attacker can try to crack it offline or relay it to other services that accept NTLM.) Akamai researcher Tomer Peled discovered CVE-2024-38030 while analyzing Microsoft's fix for CVE-2024-21320, an earlier Windows Themes spoofing vulnerability he had discovered and reported to Microsoft. The flaw that ACROS uncovered is a new, separate vulnerability related to the two flaws Peled reported earlier.
Windows theme files allow users to customize the appearance of their Windows desktop via wallpapers, screen savers, colors, and sounds. Both of the vulnerabilities Peled discovered had to do with the way theme files handle the file paths of two image resources, BrandImage and Wallpaper. Peled found that, because of improper validation, an attacker could manipulate the path to these resources so that Windows would automatically send an authenticated request, carrying the user's NTLM hash, to the attacker's device.
As Peled explains to Dark Reading, "The themes file format is an .ini file, with multiple key/value pairs. I originally found two key/value pairs that could accept file paths," he says.
The original vulnerability (CVE-2024-21320) stemmed from the fact that the key/value pairs accepted UNC paths, a standardized format for identifying network resources such as shared files and folders, for network drives, Peled notes. "This [meant] that a weaponized theme file, with a UNC path, could trigger an outbound connection with user authentication, without them knowing." Microsoft fixed the issue by adding a check on the file path to ensure it wasn't a UNC path. But, Peled says, the function Microsoft used for this validation allowed for some bypasses, which is what led to his discovery of the second vulnerability (CVE-2024-38030).
What ACROS Security reported this week is the third Windows Themes spoofing vulnerability rooted in the same file path issue. "Our researchers discovered the vulnerability in early October while writing a patch for CVE-2024-38030 intended for legacy Windows systems many of our users are still using," says Mitja Kolsek, CEO of ACROS Security. "We reported this issue to Microsoft [on] Oct. 28, 2024, but we did not release details or a proof-of-concept, which we plan to do after Microsoft has made their own patch publicly available."
A Microsoft spokesman said via email that the company "is aware of the ACROS report and will take action as needed to help keep customers protected." The company does not appear to have issued a CVE identifier for the new issue yet.
Like the two previous Windows Themes spoofing vulnerabilities that Akamai discovered, the new one that ACROS found does not require an attacker to have any special privileges. "But they have to somehow get the user to copy a theme file to some other folder on their computer, then open that folder with Windows Explorer using a view that renders icons," Kolsek says. "The file could also be automatically downloaded to their Downloads folder while visiting [an] attacker's website, in which case the attacker would have to wait for the user to view the Downloads folder at a later time."
Kolsek recommends that organizations disable NTLM where possible, but acknowledges that doing so could cause functional problems if any network components rely on it. "[An] attacker could only successfully target a computer where NTLM is enabled," he says. Another requirement is that a request initiated by a malicious theme file must be able to reach the attacker's server on the Internet or in an adjacent network, something that firewalls should typically block, he says. As a result, it is more likely that an attacker would exploit the flaw in a targeted campaign than in mass exploitation.
Akamai's Peled says it's hard to know what ACROS's vulnerability is about without having access to the technical details. "But it might be another UNC bypass that circumvents the check, or it could be a different key/value pair that was missed in the original patching," he says. "UNC path formats are very complex and allow for weird combinations, which make detecting them very hard. This might be why it's so complex to fix."
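To make the file-path issue concrete, and Peled's point that a different key/value pair might have been missed, here is an added Python example written for this page (it is not ACROS's or Akamai's code, and not a proof of concept for the new flaw). It parses a constructed .theme file and flags every value spelled as a UNC path, noting whether the key is one of the two the article names. The [Theme]/BrandImage and [Control Panel\Desktop]/Wallpaper locations are the standard ones in Windows .theme files; the UNC spellings it recognizes (backslash, forward-slash, and \\?\UNC\ device-path forms) are generic Windows path forms and are not the specific bypass behind CVE-2024-38030, which the article does not disclose.

```python
"""Scan a Windows .theme file (INI format) for values that point at UNC network paths."""
import re
from typing import Iterator, List, NamedTuple, Tuple

# The two path-bearing keys named in the article, under the sections where
# Windows .theme files carry them. Compared case-insensitively.
KNOWN_PATH_KEYS = {
    ("theme", "brandimage"),
    ("control panel\\desktop", "wallpaper"),
}

# UNC spellings that Windows path handling accepts. These are generic forms used
# for illustration; the article does not disclose the exact bypass behind
# CVE-2024-38030, so this is not a reproduction of it.
_UNC_RE = re.compile(
    r"""^["']?\s*(?:
          [\\/]{2}[?.][\\/]unc[\\/]     # \\?\UNC\srv\share or \\.\UNC\srv\share
        | [\\/]{2}(?![?.][\\/])         # \\srv\share, //srv/share, \/srv\share
    )""",
    re.IGNORECASE | re.VERBOSE,
)


class Finding(NamedTuple):
    section: str
    key: str
    value: str
    known_key: bool  # True when (section, key) is one of the two keys Microsoft patched


def is_unc_path(value: str) -> bool:
    r"""True if the value is spelled as a UNC path in any of the forms above.
    Local drive paths and \\?\C:\ style device paths are not UNC and return False."""
    return _UNC_RE.match(value.strip()) is not None


def parse_theme(text: str) -> Iterator[Tuple[str, str, str]]:
    """Tolerant INI parse yielding (section, key, value).
    configparser is avoided on purpose: it raises on duplicate keys and other
    oddities, and a crafted theme file need not be well-formed to be loaded."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            yield section, key.strip(), value.strip()


def scan_theme(text: str) -> List[Finding]:
    """Flag every value spelled as a UNC path, whatever key carries it, and
    record whether that key is one of the two already covered by Microsoft's fixes."""
    findings: List[Finding] = []
    for section, key, value in parse_theme(text):
        if is_unc_path(value):
            known = (section.lower(), key.lower()) in KNOWN_PATH_KEYS
            findings.append(Finding(section, key, value, known))
    return findings


# Constructed sample for this example (not a real or malicious theme file):
# one local path, two UNC references in the known keys, one in an unrelated
# key, and a \\?\C:\ device path that must not be flagged.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Corporate
BrandImage=\\files.example.internal\share\brand.png

[Control Panel\Desktop]
Wallpaper=//192.0.2.10/pics/wall.jpg
TileWallpaper=0

[Control Panel\Cursors]
Arrow=\\?\UNC\192.0.2.10\cur\arrow.cur

[Slideshow]
ImagesRootPath=\\?\C:\Users\Public\Pictures
"""

if __name__ == "__main__":
    for f in scan_theme(SAMPLE_THEME):
        tag = "known key" if f.known_key else "other key, check the patch covers it"
        print(f"[{f.section}] {f.key} -> {f.value}  ({tag})")
```

A scanner like this is a triage aid for mail gateways or download folders, not a fix: Windows path normalization accepts more spellings than any fixed pattern, which is the same reason the check Microsoft added was bypassable, so a clean result means only that none of the listed forms is present. The blocking control remains what Kolsek describes, stopping outbound SMB and NTLM at the perimeter and disabling NTLM where the environment allows it.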
