Data security firm Varonis has disclosed a new vulnerability and three attack methods for obtaining NTLM v2 hashes by targeting Microsoft Outlook and two Windows programs.
The new vulnerability is tracked as CVE-2023-35636. It has been assigned an ‘important’ severity rating by Microsoft, which fixed it with its December 2023 Patch Tuesday updates. The remaining issues have been assigned a ‘moderate’ severity rating and currently remain unpatched, Varonis said.
NTLM v2 is a protocol used to authenticate users to remote servers. An NTLM v2 hash of a user’s password can be valuable for malicious actors as they could either launch a brute-force attack and obtain the plaintext password, or they could use the hash directly for authentication.
Varonis showed that an attacker could exploit CVE-2023-35636 to obtain NTLM hashes by sending a specially crafted email to the targeted Outlook user.
The vulnerability leverages a calendar sharing function in Outlook. The attacker needs to send an email containing two specially crafted headers: one informs Outlook that the message contains sharing content and the other points the victim’s Outlook session to a server controlled by the attacker.
If the victim clicks on ‘Open this iCal’ in the malicious message, their device attempts to obtain the configuration file from the attacker’s server, with the NTLM hash getting exposed during the authentication process.
Another way of obtaining the NTLM v2 hash is by abusing the Windows Performance Analyzer (WPA) tool, which is often used by developers. Varonis researchers discovered that a special URI handler is used to process WPA-related links, but it attempts to authenticate using NTLM v2 over the open internet, which exposes the NTLM hash.
This method involves sending an email that contains a link designed to redirect the victim to a malicious WPA payload on a site controlled by the attacker.
The remaining two attack methods uncovered by Varonis involve abuse of the Windows File Explorer. Unlike WPA, which is mainly found on the machines of software developers, File Explorer is present on every Windows computer.
There are two variations of the File Explorer attack, both involving the attacker sending a malicious link to the targeted user via email, social media or other channels.
“Once the victim clicks the link, the attacker can obtain the hash and then try to crack the user’s password offline,” Varonis explained. “Once the hash has been cracked and the password obtained, an attacker can use it to log on to the organization as the user. With this payload, the explorer.exe will try to query for files with the .search-ms extension.”
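As an added defender-side example that is not part of the Varonis research or this article: a small Python check that scans an email body for links pointing at `.search-ms` files on hosts outside the organization, the lure pattern the File Explorer method depends on. The sample email, the internal-domain suffix list and the function names are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# A link to a remote .search-ms file makes explorer.exe query that host,
# which can trigger NTLM authentication to an attacker-controlled server.
# Constructed sample body (not taken from the article).
SAMPLE_EMAIL = r"""Hi team,
the shared results are here: https://evil.example/share/payload.search-ms
internal copy: \\10.0.0.5\share\team.search-ms
slides: https://www.example.org/report.pdf
archive: \\files.attacker.example\drop\q.search-ms
"""

# Matches http(s) URLs and UNC paths (\\host\share\...).
URL_RE = re.compile(r'(?:https?://[^\s<>"\']+|\\\\[^\s<>"\']+)')

# Assumption: domains under these suffixes are considered internal.
INTERNAL_SUFFIXES = ("corp.example",)


def is_internal_host(host):
    """Private IPs and allowlisted internal domains are not flagged."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)


def link_host(link):
    """Extract the host from a URL or a UNC path."""
    if link.startswith("\\\\"):
        return link[2:].split("\\", 1)[0]
    return urlparse(link).hostname or ""


def flag_search_ms_links(body):
    """Return (link, host) pairs for external .search-ms targets."""
    findings = []
    for link in URL_RE.findall(body):
        host = link_host(link)
        target = link.lower().rstrip(".,;)")
        if target.endswith(".search-ms") and not is_internal_host(host):
            findings.append((link, host))
    return findings


if __name__ == "__main__":
    for link, host in flag_search_ms_links(SAMPLE_EMAIL):
        print(f"suspicious .search-ms link to external host {host}: {link}")
```

The same check can be applied to message bodies at the mail gateway; blocking outbound SMB and NTLM to the internet at the perimeter removes the hash exposure even when a user clicks.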