New Windows zero-day exposes NTLM credentials, gets unofficial patch

A new zero-day vulnerability has been discovered that allows attackers to capture NTLM credentials by simply tricking the target into viewing a malicious file in Windows Explorer.

The flaw was discovered by the 0patch team, a platform that provides unofficial support for end-of-life Windows versions, and was reported to Microsoft. However, no official fix has been released yet.

According to 0patch, the issue, which currently has no CVE ID, affects all Windows versions from Windows 7 and Server 2008 R2 up to the latest Windows 11 24H2 and Server 2022.

A clickless exploit

0patch has withheld the technical details of the zero-day vulnerability until Microsoft provides an official fix, to avoid fueling active exploitation in the wild.

The researchers explained that the attack works by simply viewing a specially crafted malicious file in File Explorer, so opening the file is not required.

“The vulnerability allows an attacker to obtain [the] user’s NTLM credentials by simply having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page,” explains 0patch.

While 0patch is not sharing further details about the vulnerability, BleepingComputer understands that it forces an outbound NTLM connection to a remote share. This causes Windows to automatically send NTLM hashes for the logged-in user, which the attacker can then steal.

As demonstrated repeatedly, these hashes can be cracked, allowing threat actors to gain access to login names and plaintext passwords. Microsoft announced a year ago its plans to kill off the NTLM authentication protocol in Windows 11 in the future.

0patch notes that this is the third zero-day vulnerability they recently reported to Microsoft that the vendor has not taken immediate action to address.

The other two are the Mark of the Web (MotW) bypass on Windows Server 2012, made known late last month, and a Windows Themes vulnerability allowing remote NTLM credential theft, disclosed in late October. Both issues remain unfixed.

0patch says that other NTLM hash disclosure flaws disclosed in the past, like PetitPotam, PrinterBug/SpoolSample, and DFSCoerce, all remain without an official fix on the latest Windows versions, leaving users with only the 0patch-provided micropatches.

Free micropatch available

0patch will be offering a free micropatch for the latest NTLM zero-day to all users registered on its platform until Microsoft provides an official fix.

PRO and Enterprise accounts have already received the security micropatch automatically unless their configuration explicitly prevents this.

To receive this unofficial patch, create a free account on 0patch Central, start a free trial, and then install the agent and allow it to apply the appropriate micropatches automatically. No reboot is required.

Users who do not want to apply the unofficial patch provided by 0patch may consider turning off NTLM authentication with a Group Policy under 'Security Settings > Local Policies > Security Options', and configuring the "Network security: Restrict NTLM" policies. The same can be achieved via registry modifications.

BleepingComputer has contacted Microsoft asking about the flaw and its plans to address it, but we are still waiting for a response.
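As an added example (not from the article, BleepingComputer, or 0patch), the following PowerShell script shows the registry side of the "Network security: Restrict NTLM" policies mentioned above, and why audit mode should come before deny mode: the registry key and value names (`MSV1_0\RestrictSendingNTLMTraffic`, `RestrictReceivingNTLMTraffic`, `ClientAllowedNTLMServers`) are the real ones behind those Group Policy settings, while the function names, the `legacy-fs.example.local` placeholder host, and the requirement for an elevated session are assumptions of this example.

```powershell
# Added example, not code from the article or from 0patch.
# Assumes an elevated PowerShell session on Windows 10/11 or Server 2016+.
# The values mirror the "Network security: Restrict NTLM" policies in secpol.msc:
#   0 = Allow all, 1 = Audit all, 2 = Deny all

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

$ntlmSettings = @{
    RestrictSendingNTLMTraffic   = 'Outgoing NTLM traffic to remote servers'
    RestrictReceivingNTLMTraffic = 'Incoming NTLM traffic'
}

# Report the current mode of both policies; an absent value means "not configured",
# which behaves like Allow all.
function Get-NtlmRestriction {
    foreach ($name in $ntlmSettings.Keys) {
        $item  = Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.$name } else { 0 }
        [pscustomobject]@{
            Policy = $ntlmSettings[$name]
            Value  = $value
            Mode   = @('Allow all', 'Audit all', 'Deny all')[$value]
        }
    }
}

# Set the outgoing-NTLM policy (the one relevant to the credential leak described
# in the article, where the client is coerced into authenticating to a remote share).
function Set-OutgoingNtlmMode {
    param([ValidateSet(0, 1, 2)][int]$Mode)
    if (-not (Test-Path $lsaKey)) { New-Item -Path $lsaKey -Force | Out-Null }
    Set-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' -Value $Mode -Type DWord
}

# Servers that genuinely still need NTLM go into the exception list so that
# Deny all does not break them.
function Add-NtlmServerException {
    param([string[]]$Servers)
    Set-ItemProperty -Path $lsaKey -Name 'ClientAllowedNTLMServers' -Value $Servers -Type MultiString
}

# Step 1: see where you stand.
Get-NtlmRestriction | Format-Table -AutoSize

# Step 2: start with Audit all (1), not Deny all (2). Outgoing NTLM attempts are
# then recorded as event ID 8001 in the NTLM operational log without being blocked.
Set-OutgoingNtlmMode -Mode 1

# Step 3: after an audit period, review which targets actually used NTLM.
# A target you do not recognise (an external address reached via a file share)
# is exactly the kind of connection the flaws in the article rely on.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0..2] -join ' ' } } |
    Format-List

# Step 4 (once the audit log shows only expected targets): move to Deny all,
# listing the exceptions first. The hostname below is a placeholder.
# Add-NtlmServerException -Servers 'legacy-fs.example.local'
# Set-OutgoingNtlmMode -Mode 2
```

Setting the policy through Group Policy instead of the registry produces the same values under the same key, so the audit step applies either way. The two-stage approach matters because Deny all silently breaks any application that still authenticates with NTLM, and the 8001 audit events are the cheapest way to find those applications before enforcing.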
