Unveiling the Vulnerability: Understanding the Threat of ‘Forced Authentication’ in Windows NTLM Tokens


Security researchers have documented a ‘forced authentication’ technique that can be abused to leak a Windows user’s NT LAN Manager (NTLM) tokens. The attack relies on tricking a victim into opening a specially crafted Microsoft Access file.

The attack abuses a legitimate feature of the database application: linked tables, which let users connect to external data sources such as a table on a remote SQL Server.

“This feature can be abused by attackers to automatically leak the Windows user’s NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80,” Check Point security researcher Haifei Li said. “The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more-common Office file type (such as a .rtf) can work as well.”

Microsoft introduced NTLM in 1993. It is a challenge-response protocol used to authenticate a user to a Windows resource at sign-in. Over the years, NTLM has proven susceptible to several classes of attack, including brute-force, pass-the-hash, and relay attacks.

In this attack, the adversary abuses the linked table feature in Access to obtain NTLM hashes. One delivery path is to embed an .accdb file that contains a link to a remote SQL Server database inside a Microsoft Word document via Object Linking and Embedding (OLE), so that the database link is triggered from a more common Office file type.

“An attacker can set up a server that they control, listening on port 80, and put its IP address in the above ‘server alias’ field,” Li explained. “Then they can send the database file, including the linked table, to the victim.”

If the recipient opens the file and the linked table is activated, the victim’s client (call it CV) connects to the attacker-controlled server (SA) and begins NTLM authentication with it. Because NTLM by default does not bind the authentication to the endpoint the client meant to reach, SA can use this session to mount a relay attack: it opens its own NTLM authentication against a target server (ST) inside the victim’s organization and lets CV do the cryptographic work.

SA receives ST’s challenge, passes it to CV as though it were SA’s own challenge in the CV↔SA exchange, obtains a valid response from CV, and forwards that response to ST. ST validates the response against the victim’s credential and grants SA access as the victim. SA also keeps the captured challenge and response, which can be brute-forced offline to recover the user’s password.
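The flow in the three paragraphs above, as an added simulation that is not part of the article and not code from Check Point or Microsoft. It plays CV, SA and ST as Python objects so the relay can be stepped through offline, keeps the captured challenge/response for an offline dictionary guess, and shows why an EPA-style channel binding defeats the relay. The host names, the user and the password are constructed; the digests are labelled stand-ins (SHA-256/HMAC-SHA256 in place of the MD4/HMAC-MD5 that real NTLMv2 uses), because MD4 is disabled in many current OpenSSL builds.

```python
"""Toy model of the forced-authentication + NTLM relay flow.

Roles follow the article's naming: CV = victim client, SA = attacker-controlled server
(the 'server alias' in the linked table), ST = target NTLM server in the organization.
ASSUMPTION: the digests are stand-ins. Real NTLMv2 uses MD4 for the NT hash and HMAC-MD5
for the response; SHA-256/HMAC-SHA256 are used here only so the script runs where OpenSSL
disables MD4. The message flow is the point, not the digest.
"""
import hashlib
import hmac
import secrets


def nt_hash(password: str) -> bytes:
    # Stand-in for MD4(UTF-16LE(password)).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    # Stand-in for HMAC-MD5(NT hash, UPPER(user) || domain).
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), ident, hashlib.sha256).digest()


def ntlmv2_response(password, user, domain, challenge: bytes, blob: bytes) -> bytes:
    # Stand-in for HMAC-MD5(NTLMv2 key, server challenge || client blob).
    return hmac.new(ntlmv2_key(password, user, domain), challenge + blob, hashlib.sha256).digest()


class VictimClient:
    """CV: opens the linked table and authenticates to whatever host answers."""

    def __init__(self, user, domain, password):
        self.user, self.domain, self.password = user, domain, password

    def authenticate(self, challenge: bytes, peer: str, bind_to_peer: bool):
        # The real blob carries a timestamp and client nonce; with channel binding
        # (simplified here) it also commits to the server the client thinks it reached.
        blob = secrets.token_bytes(8)
        if bind_to_peer:
            blob += hashlib.sha256(peer.encode()).digest()
        resp = ntlmv2_response(self.password, self.user, self.domain, challenge, blob)
        return self.user, self.domain, blob, resp


class TargetServer:
    """ST: the legitimate NTLM server; holds user secrets as a DC or member server would."""

    def __init__(self, name, credentials, require_binding=False):
        self.name, self.credentials, self.require_binding = name, credentials, require_binding
        self.pending = set()                   # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(8)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge, user, domain, blob, response) -> bool:
        if challenge not in self.pending:      # unknown or already-used challenge
            return False
        self.pending.discard(challenge)        # every challenge is single use
        if self.require_binding and blob[8:] != hashlib.sha256(self.name.encode()).digest():
            return False                       # client authenticated to a different endpoint
        password = self.credentials.get((user, domain))
        if password is None:
            return False
        expected = ntlmv2_response(password, user, domain, challenge, blob)
        return hmac.compare_digest(expected, response)


class AttackerServer:
    """SA: the host behind the linked table's 'server alias', listening on port 80."""

    def __init__(self, name):
        self.name = name
        self.captured = []                     # (challenge, user, domain, blob, response)

    def relay(self, victim, target, bind_to_peer=False) -> bool:
        challenge = target.new_challenge()                  # 1. SA opens a session to ST, gets ST's challenge
        user, domain, blob, resp = victim.authenticate(     # 2. SA hands that challenge to CV as its own
            challenge, self.name, bind_to_peer)
        self.captured.append((challenge, user, domain, blob, resp))  # 3. keep the pair for offline cracking
        return target.verify(challenge, user, domain, blob, resp)    # 4. forward CV's answer to ST


def crack_offline(capture, wordlist):
    # Offline guessing against a captured pair: no further contact with CV or ST is needed.
    challenge, user, domain, blob, resp = capture
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_response(candidate, user, domain, challenge, blob), resp):
            return candidate
    return None


def run_demo() -> dict:
    creds = {("alice", "CORP"): "Winter2023!"}              # constructed sample credential
    cv = VictimClient("alice", "CORP", "Winter2023!")
    sa = AttackerServer("attacker.example:80")                # hypothetical attacker host
    st = TargetServer("fileserver.corp.example", creds)       # hypothetical internal target
    st_bound = TargetServer("fileserver.corp.example", creds, require_binding=True)
    return {
        "relayed": sa.relay(cv, st),                                        # plain NTLM: relay succeeds
        "relayed_with_binding": sa.relay(cv, st_bound, bind_to_peer=True),  # bound to SA, so ST rejects it
        "cracked": crack_offline(sa.captured[0], ["Summer2022!", "Winter2023!"]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the script relays once successfully, fails once against the server that requires binding, and recovers the constructed password from the captured pair. The binding check is a deliberately simplified version of Extended Protection for Authentication: once the client’s response commits to the endpoint it actually authenticated to, SA can no longer reuse it against ST.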

Microsoft addressed the issue in Office/Access Current Channel version 2306 (build 16529.20182), following responsible disclosure in January 2023. Separately, 0patch has released unofficial fixes for Office 2010, Office 2013, Office 2016, Office 2019, and Office 365.

The disclosure coincides with Microsoft’s announcement that it plans to phase out NTLM in Windows 11 in favor of Kerberos.
