MS-Office URI Handlers
tl;dr
By?leveraging?Microsoft Office URI (Uniform Resource Identifier) handlers, it was possible to obtain a Net-NTLM-v2?(New Technology LAN Manager)?hash from a victim after they?clicked?a single link?in an email. This was patched by Microsoft in the August 2024 Patch Tuesday and?CVE-2024-38200 was issued.?
Introduction
This is part three of a five-part blog post series focusing on NTLM-related research that was presented as part of the DEF CON 32 presentation 'NTLM?-?the?last ride'. After hearing the news that Microsoft is planning to kill off NTLM (New Technology Lan Manager) authentication in Windows 11 and above, we decided to speedrun coercing hashes out of a few more things before it fades into obscurity over the next twenty-five years or so.? For more detail about what NTLM is, what you can do with them, and why being able to get them out of things is bad, please see our first blog post in this series.
URI Handlers
URI (Uniform Resource Identifier) schemes are small strings that?identify?a source?of data or something for a program to load. Well known URIs?include?schemes such as file://, https://, https://, which when clicked, load the program associated with the URI scheme. In the case of http or https, the operating system will know to load the browser?and fetch the content at the provided URL, and in the case of the file:// URI scheme, the file explorer or similar may be loaded.?
The following?Powershell?(Administrator) one liner can be used to list all the installed handlers on Windows:?
Get-ChildItem -Path Registry::HKEY_CLASSES_ROOT | where Property -CContains "URL Protocol" | % { $_.ToString().Split('\')[1] }
When Microsoft Office is installed on?a?Windows computer, several registry entries are made that?associate the Office URI schemes to an associated program:?
An example URI scheme for MS Office may take the following form:?ms-excel:ofv|u|https://your-server.com/test.xlsx In?this?case ofv stands for Open?for?Viewing, and the u specifies the URL of the resource to fetch. Clicking a hyperlink or anchor tag with this URI handler?from within a browser will prompt the following dialog box:?
As with previous testing, we found that Microsoft would frequently provide a warning dialog, if you were about to do something fun and/or dangerous.
领英推荐
In the case of the URI handlers, within a browser, there would be a prompt asking if you would like to open the selected Office program. This is expected behaviour, as the security boundary shifts from the browser to the program that is associated with the URI scheme. In the case of Microsoft Office products, this means that macros will not be loaded, and neither will external resources. These are security protections designed to prevent malicious exploits from happening within these programs.
However, after enumerating and testing various URI handler interactions within Outlook, it was found that by emailing a hyperlink with an office URI handler, there would be no dialog prompt.
The URI handler would immediately open whichever Office program was specified and attempt to fetch the resource at the specified URL. As with previous HTTP interactions, no Net-NTLMv2 authentication would take place.?
By applying a 302 redirect (as with the CVE-2023-35636 bypass) it was possible to redirect from port 80 (HTTP) to port 445 (SMB) and capture the Net-NTLMv2 hash.
Again, a small Python script (as in the previous blog) was used to perform the redirection.
These network interactions would happen before any document was loaded, bypassing the intended security controls in both the browser and the Office program.The below video shows the flow:
These are the steps that take place in the video:
Disclosure timeline:?
Author: Jim Rush