Hackers Can Exploit ‘Forced Authentication’ to Steal Windows NTLM Tokens

29-11-2023

Cybersecurity researchers have discovered a case of “forced authentication” that could be exploited to leak a Windows user’s NT LAN Manager (NTLM) tokens by tricking a victim into opening a specially crafted Microsoft Access file.

The attack takes advantage of a legitimate feature of the database management system that allows users to link tables to external data sources, such as a remote SQL Server table.

“This feature can be abused by attackers to automatically leak the Windows user’s NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80,” Check Point security researcher Haifei Li said. “The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more-common Office file type (such as a .rtf) can work as well.”


The rogue server then receives the challenge, passes it on to the victim as part of the authentication process, and gets a valid response, which is ultimately transmitted to the NTLM server.
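The defender-side counterpart to the leak described above, added here as an example and not code from the article, Check Point or 0patch: a small Python triage routine that scans reassembled TCP payloads for NTLMSSP messages, extracts the domain and user name from the AUTHENTICATE message (the one carrying the user's challenge response), and raises an alert when that authentication is heading to a port other than SMB's or to an address outside RFC 1918 space. That is the traffic pattern a linked table pointed at an attacker-controlled host on port 80 would produce. The `Flow` record shape, the sample flows and the `build_authenticate` helper are constructed for this example; the message layout and field offsets follow the MS-NLMP specification.

```python
import ipaddress
import struct
from dataclasses import dataclass

# NTLMSSP constants from the MS-NLMP specification
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_NEGOTIATE, NTLM_CHALLENGE, NTLM_AUTHENTICATE = 1, 2, 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200

# Ports where NTLM (over SMB) is expected inside a Windows network; anything else deserves a look.
EXPECTED_NTLM_PORTS = {139, 445}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    """One reassembled TCP flow as a sensor might hand it over (constructed shape, not a real tool's)."""
    src: str
    dst: str
    dst_port: int
    payload: bytes


def parse_ntlm(payload: bytes):
    """Return (message_type, user, domain) for an embedded NTLMSSP message, or None.

    User and domain are only present in AUTHENTICATE (type 3); NEGOTIATE and CHALLENGE
    return (type, None, None).
    """
    start = payload.find(NTLMSSP_SIGNATURE)
    if start < 0 or len(payload) < start + 12:
        return None
    msg = payload[start:]
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype != NTLM_AUTHENTICATE:
        return (mtype, None, None)
    if len(msg) < 64:
        return None
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"

    def field(off):
        # Each field descriptor is Len (2), MaxLen (2), BufferOffset (4); offsets are from message start.
        length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, off)
        return msg[buf_off:buf_off + length].decode(enc, errors="replace")

    return (mtype, field(36), field(28))  # UserName descriptor at 36, DomainName at 28


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def triage(flows):
    """Flag NTLM authentication headed somewhere a domain client has no business authenticating to."""
    alerts = []
    for f in flows:
        parsed = parse_ntlm(f.payload)
        if parsed is None:
            continue
        mtype, user, domain = parsed
        reasons = []
        if f.dst_port not in EXPECTED_NTLM_PORTS:
            reasons.append(f"NTLM on unexpected port {f.dst_port}")
        if not is_internal(f.dst):
            reasons.append("destination outside RFC 1918 space")
        if reasons:
            alerts.append({
                "src": f.src,
                "dst": f"{f.dst}:{f.dst_port}",
                "type": mtype,
                "account": f"{domain}\\{user}" if mtype == NTLM_AUTHENTICATE else None,
                "reasons": reasons,
            })
    return alerts


def build_authenticate(user, domain, workstation, nt_response):
    """Construct a minimal NTLM AUTHENTICATE message as sample input (constructed, not captured)."""
    enc = "utf-16-le"
    fields = [b"\x00" * 24, nt_response, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    header = bytearray(NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE))
    body, offset = b"", 64  # payload buffers start right after the 64-byte fixed header
    for data in fields:
        header += struct.pack("<HHI", len(data), len(data), offset)
        offset += len(data)
        body += data
    header += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM)
    return bytes(header) + body


# Constructed sample flows: a normal SMB authentication to an internal file server, the same
# account authenticating to an external host on port 80, and an unrelated plain HTTP request.
SAMPLE_FLOWS = [
    Flow("10.0.0.25", "10.0.0.5", 445, build_authenticate("jdoe", "CORP", "WS01", b"\x11" * 24)),
    Flow("10.0.0.25", "203.0.113.10", 80, build_authenticate("jdoe", "CORP", "WS01", b"\x22" * 24)),
    Flow("10.0.0.25", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(alert)
```

Only the second flow produces an alert, attributed to `CORP\jdoe` with both reasons set. Two caveats for real deployments: NTLM carried in HTTP `Authorization`/`WWW-Authenticate` headers is base64-encoded, so those payloads must be decoded before the signature match, and because the researcher's point is that the leak works over any TCP port, the port heuristic is a detection aid, not a substitute for the vendor fixes named in the article.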

While Microsoft has since released mitigations for the problem in the Office/Access version (Current Channel, version 2306, build 16529.20182) following responsible disclosure in January 2023, 0patch has released unofficial fixes for Office 2010, Office 2013, Office 2016, Office 2019, and Office 365.

The development also comes as Microsoft announced plans to discontinue NTLM in Windows 11 in favor of Kerberos for improved security.

Source: https://thehackernews.com/