Attackers can steal NTLM password hashes via calendar invites

A recently patched vulnerability in Microsoft Outlook (CVE-2023-35636) that can be used by attackers to steal users’ NTLM v2 hashes can be exploited by adding two headers to an email carrying a specially crafted file, security researcher Dolev Taler has shared on Friday.

He and his colleagues from Varonis Threat Labs have revealed two additional ways attackers can get users’ NTLM v2 hashes and use them for offline brute-force or authentication relay attacks.

While CVE-2023-35636 has been fixed, the other two vulnerabilities are considered by Microsoft to be of “moderate” severity and remain unpatched.

How can attackers (mis)use stolen NTLM v2 hashes?

NTLM v2 – the most current iteration of the NTLM cryptographic protocol – is used by Microsoft Windows to authenticate users to remote servers via password hashes.

Compromised NTLM v2 password hashes can be used in authentication relay attacks or can be brute-forced (offline, on an attacker’s machine) to reveal the hashed password.

In both cases, the threat actor can authenticate as the user and access sensitive enterprise systems and resources.

“In authentication relay attacks, NTLM v2 authentication requests by the user are intercepted, forwarded to a different server. The victim’s machine will then send the authentication response to the attacker’s server, and the attacker can use that information to authenticate to the victim’s intended server,” Taler explained.

Three ways to grab NTLM v2 hashes

Varonis researchers have discovered that NTLM v2 hashes can be smuggled out:

• By exploiting vulnerabilities in Microsoft Outlook
• By using URI handlers (i.e., protocol handlers) and WPA (Windows Performance Analyzer, a tool used by software developers), and
• By using Windows File Explorer

They shared PoC exploits for all three attack paths, and noted that in all three attack scenarios the victim just needs to click once or twice on a link or button.

The Outlook vulnerability, in particular, is easy to exploit by taking advantage of the software’s ability to share calendars between users.

“An attacker crafts an email invite to the victim, pointing the ‘.ICS’ file path to the attacker-controlled machine. By ‘listening’ to a self-controlled path (domain, IP, folder path, UNC, etc.), the threat actor can obtain connection attempts packets that contain the hash used to attempt to access this resource,” Taler pointed out.

“If the victim clicks on the ‘Open this iCal’ button inside the message, their machine will attempt to retrieve the configuration file on the attacker’s machine, exposing the victim’s NTLM hash during authentication.”

How to keep NTLM v2 hashes out of attackers’ hands

As noted earlier, the Outlook vulnerability has been fixed by Microsoft in December 2023, but the remaining two are still present.

“Unpatched systems remain vulnerable to threat actors attempting to steal hashed passwords with these methods,” Taler said.

Microsoft has recently spelled out its ongoing effort to reduce the use of NTLM and plan to disable it altogether in Windows 11.

In the meantime, there are several ways organizations can protect themselves against NTLM v2 attacks, Taler added: by switching on SMB signing (if it’s not switched on already, by dafault), by blocking outgoing NTLM v2 authentication, and by forcing Kerberos authentication whenever possible and blocking NTLM v2 on both the network and applicative levels.