Cybersecurity researchers have found a case of "forced authentication" that could be exploited to leak a Windows user's NT LAN Manager (NTLM) tokens by tricking a victim into opening a specially crafted Microsoft Access file.
The attack takes advantage of a legitimate feature in the database management system that allows users to link to external data sources, such as a remote SQL Server table.
"This feature can be abused by attackers to automatically leak the Windows user's NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80," Check Point security researcher Haifei Li said. "The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more-common Office file type (such as a .rtf) can work as well."
NTLM, an authentication protocol introduced by Microsoft in 1993, is a challenge-response protocol used to authenticate users during sign-in. Over the years it has been found to be vulnerable to brute-force, pass-the-hash, and relay attacks.
The latest attack, in a nutshell, abuses the linked table feature in Access to leak the NTLM hashes to an actor-controlled server by embedding an .accdb file containing a remote SQL Server database link inside an MS Word document using a mechanism called Object Linking and Embedding (OLE).
"An attacker can set up a server that they control, listening on port 80, and put its IP address in the above 'server alias' field," Li explained. "Then they can send the database file, including the linked table, to the victim."
Should the victim open the file and click the linked table, the victim client contacts the attacker-controlled server for authentication, enabling the latter to pull off a relay attack by starting an authentication exchange with a targeted NTLM server in the same organization.
The rogue server receives the challenge from that NTLM server, passes it on to the victim client as the challenge of the attacker-controlled session, gets back a valid response computed with the victim's credentials, and then forwards that response to the NTLM server, which accepts it. The attacker never needs to know the user's password or hash; it only has to be in the middle while the handshake is in flight.
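The challenge-response exchange and the relay described above, modelled as an added example (this is not Check Point's code and not part of the original article). It implements the NTLMv2 proof (HMAC-MD5 of the server challenge and client blob under an HMAC-MD5-derived key) and three roles: the victim's Office client, the internal NTLM server being targeted, and the attacker's listener. The identities, the use of the well-known NT hash of the string "password" in place of a real account, the simplified client blob without target information, and the absence of session signing or a MIC are assumptions made to keep the model short; they are not details from the article.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo identities (assumptions for this example, not from the article).
# In real NTLM the NT hash is MD4(UTF-16LE(password)); the value below is the
# well-known NT hash of the string "password".
VICTIM_USER = "alice"
VICTIM_DOMAIN = "CORP"
VICTIM_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def ntlmv2_hash(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTLMv2 key, server_challenge || client blob)."""
    key = ntlmv2_hash(nt_hash, user, domain)
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


class VictimClient:
    """The Office/Access side: handed a server challenge, it answers with the user's
    credentials. It cannot tell whether the challenge was minted by the peer it talks to."""

    def __init__(self, user: str, domain: str, nt_hash: bytes):
        self.user, self.domain, self.nt_hash = user, domain, nt_hash

    def authenticate(self, server_challenge: bytes):
        # Simplified NTLMv2 blob: header, zeroed timestamp, 8-byte client nonce, reserved.
        # A real blob also carries the target's AV_PAIR info; it is omitted here (assumption).
        blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0) + os.urandom(8) + b"\x00" * 4
        proof = nt_proof(self.nt_hash, self.user, self.domain, server_challenge, blob)
        return self.user, self.domain, blob, proof


class TargetServer:
    """The internal NTLM server the attacker wants to reach. It knows the account hashes
    (as a domain controller would), issues a random 8-byte challenge and checks the proof."""

    def __init__(self, accounts: dict):
        self.accounts = accounts  # {(USER, DOMAIN): nt_hash}

    def challenge(self) -> bytes:
        # A real server keeps the challenge as per-connection state; returning it keeps the demo simple.
        return os.urandom(8)

    def verify(self, server_challenge: bytes, user: str, domain: str, blob: bytes, proof: bytes) -> bool:
        nt_hash = self.accounts.get((user.upper(), domain.upper()))
        if nt_hash is None:
            return False
        expected = nt_proof(nt_hash, user, domain, server_challenge, blob)
        return hmac.compare_digest(expected, proof)


class RelayServer:
    """The attacker's listener (port 80 in the article). It never learns the NT hash;
    it only shuttles the target's challenge to the victim and the victim's proof back."""

    def __init__(self, target: TargetServer):
        self.target = target

    def relay(self, client: VictimClient) -> bool:
        chal = self.target.challenge()                            # 1. open a handshake with the real target
        user, domain, blob, proof = client.authenticate(chal)     # 2. present that challenge to the victim
        return self.target.verify(chal, user, domain, blob, proof)  # 3. forward the victim's proof


def build_demo():
    target = TargetServer({(VICTIM_USER.upper(), VICTIM_DOMAIN.upper()): VICTIM_NT_HASH})
    client = VictimClient(VICTIM_USER, VICTIM_DOMAIN, VICTIM_NT_HASH)
    return target, client


def relay_succeeds() -> bool:
    """Victim clicks the linked table, reaches the attacker, attacker is authenticated to the target."""
    target, client = build_demo()
    return RelayServer(target).relay(client)


def attacker_alone_succeeds() -> bool:
    """Without a victim in the loop the attacker has no hash; a guessed hash is rejected."""
    target, _ = build_demo()
    chal = target.challenge()
    impostor = VictimClient(VICTIM_USER, VICTIM_DOMAIN, b"\x00" * 16)
    return target.verify(chal, *impostor.authenticate(chal))


def capture_and_crack(candidate_hashes):
    """The leak-only variant: the attacker issues its own challenge and brute-forces the proof offline."""
    _, client = build_demo()
    chal = b"\x11\x22\x33\x44\x55\x66\x77\x88"  # attacker-chosen nonce (constructed)
    user, domain, blob, proof = client.authenticate(chal)
    for h in candidate_hashes:
        if hmac.compare_digest(nt_proof(h, user, domain, chal, blob), proof):
            return h
    return None


if __name__ == "__main__":
    print("relay accepted by target:", relay_succeeds())
    print("attacker alone accepted:", attacker_alone_succeeds())
    print("offline crack recovers hash:", capture_and_crack([b"\x00" * 16, VICTIM_NT_HASH]) == VICTIM_NT_HASH)
```

`relay_succeeds` is the scenario in the article: the target's challenge travels through the attacker to the victim and the victim's proof travels back, so the target accepts a session the attacker controls. `capture_and_crack` is the quieter outcome when the attacker simply collects the response to a nonce of its own choosing and cracks it later; either way the victim only had to open the file.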
While Microsoft has since shipped mitigations for the problem in Office/Access (Current Channel, version 2306, build 16529.20182) following responsible disclosure in January 2023, 0patch has released unofficial fixes for Office 2010, Office 2013, Office 2016, Office 2019, and Office 365.
The development also comes as Microsoft announced plans to phase out NTLM in Windows 11 in favor of Kerberos for improved security.