
Security researcher Metin Yunus Kandemir has released the technical details and a PoC exploit for a critical information disclosure flaw in Microsoft Office. The vulnerability affects multiple versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.
The vulnerability, tracked as CVE-2024-38200, is an information disclosure flaw in multiple versions of Microsoft Office that lets attackers capture sensitive authentication data, such as NTLMv2 hashes, over the HTTP and SMB protocols. Exploitation relies on tricking a user into clicking a specially crafted link that leads to a malicious document hosted on a compromised or attacker-controlled website. Once the file is opened in a vulnerable version of Office, attackers can capture NTLMv2 hashes, a key element for launching NTLM relay attacks against domain controllers.
In the attack scenario, an attacker hosts or injects a crafted Office file on a compromised website and convinces the victim to download it via email or an instant message. Once the victim interacts with the file, the malicious content can redirect Office's HTTP requests to an attacker-controlled server and capture NTLMv2 hashes over the network.
The vulnerability bypasses security mechanisms in Microsoft 365 Office and Office 2019. In earlier versions such as Office 2016, a security warning protects users from this kind of exploitation; in the newer versions, the vulnerability can be exploited without the user being aware of it, making it easier for attackers to capture sensitive information.
The researcher's exploit method takes advantage of the Office URI schemes, specifically the ms-word commands. The PoC shows how a remote file accessed via such a URL triggers the vulnerability. By redirecting Office's HTTP requests to a UNC path with a tool such as uncredirect.py, the attacker bypasses the security restriction and captures the NTLMv2 hash, enabling follow-on attacks such as NTLM relaying.
In the attack chain, the captured NTLMv2 hashes are what make an NTLM relay attack against domain controllers possible; such an attack can be used to authenticate as a legitimate user or to gain unauthorized access to network resources. By leveraging Office's vulnerable URI scheme, attackers redirect HTTP requests to a UNC path they control, where a Responder server captures the NTLMv2 hash, bypassing the SMB security restriction.
Microsoft addressed CVE-2024-38200 in last month's Patch Tuesday release (August 2024), so the vulnerability has since been patched. Where the patch cannot be applied immediately, Microsoft advises users to take additional steps to mitigate potential exploitation.
Mitigations
- Network Security: Restrict NTLM policy: Configure the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” group policy setting. Use this setting to block outgoing NTLM traffic on Windows 7, Windows Server 2008, and later versions.
- Protected Users Security Group: Add users to the Protected Users security group, which restricts the use of NTLM as an authentication method.
- Block TCP Port 445: Prevent outbound traffic to TCP port 445, a common pathway for NTLM relay attacks.
While these methods are effective, Microsoft warns that legitimate services relying on NTLM authentication could be disrupted by blocking this traffic.
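The following PowerShell script is an added example, not code from the article or from Microsoft's advisory, showing how an administrator could apply the three mitigations above on a domain-joined Windows host and, first, measure the disruption risk the last paragraph warns about. It assumes an elevated session, the ActiveDirectory RSAT module for the Protected Users step, and the well-known registry value behind the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy (0 = Allow all, 1 = Audit all, 2 = Deny all). The rule name, the seven-day review window and the sample account names are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example for the CVE-2024-38200 mitigations; not the article's or Microsoft's code.

# 1. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#    is backed by this registry value: 0 = Allow all, 1 = Audit all, 2 = Deny all.
$NtlmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$NtlmName = 'RestrictSendingNTLMTraffic'

function Get-OutgoingNtlmPolicy {
    $v = (Get-ItemProperty -Path $NtlmKey -Name $NtlmName -ErrorAction SilentlyContinue).$NtlmName
    switch ($v) {
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { 'Allow all (not configured)' }
    }
}

function Set-OutgoingNtlmPolicy {
    param([Parameter(Mandatory)][ValidateSet('Audit', 'Deny')][string]$Mode)
    $value = if ($Mode -eq 'Audit') { 1 } else { 2 }
    Set-ItemProperty -Path $NtlmKey -Name $NtlmName -Value $value -Type DWord
}

# Audit mode writes event 8001 to the NTLM Operational log for every outgoing
# NTLM authentication that "Deny all" would block. Reviewing these before
# switching to Deny is how you find the legitimate services the caveat mentions.
function Get-AuditedOutgoingNtlm {
    param([int]$Days = 7)   # review window: an assumption for this example
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# 2. Protected Users: members can no longer authenticate with NTLM at all,
#    so this is the per-account counterpart of the host-wide policy above.
function Add-ToProtectedUsers {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    Import-Module ActiveDirectory
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
}

# 3. Block outbound TCP 445. Scoping the remote address to the 'Internet'
#    keyword keeps intranet file shares working; widen the scope only if no
#    internal service on this host depends on SMB.
function Block-OutboundSmbToInternet {
    $name = 'Block outbound SMB to Internet'   # rule name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# Suggested order: audit first, review what would break, then deny.
Set-OutgoingNtlmPolicy -Mode Audit
"Outgoing NTLM policy is now: $(Get-OutgoingNtlmPolicy)"
Get-AuditedOutgoingNtlm -Days 7 | Format-Table -AutoSize
Block-OutboundSmbToInternet

# After the audit review, enforce the remaining steps:
# Set-OutgoingNtlmPolicy -Mode Deny
# Add-ToProtectedUsers -SamAccountName 'alice', 'bob'   # constructed sample names
```

Run it once in audit mode, leave it for the review window, and only then uncomment the Deny and Protected Users lines; the 8001 events list the clients and targets that the final setting will break, which is the information needed to decide whether a service must be exempted or moved to Kerberos before NTLM is cut off.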