Horizon3.ai Publishes New Findings Related To NTLM Credential Theft in Python Windows Apps

Naveen Sunkavally, chief architect at Horizon3.ai, has just published new research called: “NTLM Credential Theft in Python Windows Applications.” 

“NTLMv2 hash theft is a well-known credential harvesting technique made possible by the insistence of Windows to automatically authenticate to anything it possibly can. It’s a staple technique used in internal pentests with tools such as responder or ntlmrelayx, exploiting issues such as legacy LLMNR/NBT-NS protocols being enabled or forced authentication vulnerabilities like PetitPotam. It has also been exploited over the Internet, typically by abusing Microsoft Outlook, as described in recent cases by Proofpoint and Microsoft,” Naveen said.

When auditing web applications, NTLMv2 hash theft is possible on Windows hosts through the exploitation of Server-Side Request Forgery (SSRF) or XML External Entities (XXE) vulnerabilities. Much has been written on the topic, and new vulnerabilities continue to be found. 

Naveen details new SSRF vulnerabilities leading to NTLMv2 hash disclosure in three of the most popular Python frameworks: 

  • Gradio by Hugging Face, which powers several popular AI tools;
  • Jupyter Server, which underpins Jupyter Notebook and JupyterLab; and
  • Streamlit from Snowflake.

The vulnerabilities Naveen exposes relate to how these Python frameworks retrieve files. Specifically, on Windows, any Python file system operation performed on insufficiently validated input can lead to the leakage of NTLMv2 hashes. The vulnerabilities disclosed in the post can be exploited by unauthenticated attackers, and they have come up in real-world pentests conducted by NodeZero. He also covers an interesting Python bug affecting older versions of Python on Windows that could assist in NTLMv2 hash theft.
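As an added example (not code from Horizon3.ai's post or from any of the frameworks named above), the following is a string-only check a Windows service can apply to a user-supplied path before any file system call reaches it, the kind of validation the paragraph says was missing; it uses `ntpath` so it runs on any OS, and the base directory and sample inputs are constructed for illustration.

```python
import ntpath


class UnsafePathError(ValueError):
    """Raised when user input must not reach any file system call."""


def resolve_under_base(user_input: str, base_dir: str) -> str:
    """Validate a user-supplied relative path before touching the file system.

    On Windows, os.path.exists(), os.stat(), open() and similar calls on a UNC
    path (\\\\host\\share\\...) make the host authenticate to that server over
    SMB, so this check must run BEFORE any such call and use string
    operations only. Returns the normalized absolute path under base_dir.
    """
    if not user_input or "\x00" in user_input:
        raise UnsafePathError("empty path or NUL byte")
    # Windows accepts '/' as a separator, so //host/share is a UNC path too.
    candidate = user_input.replace("/", "\\")
    if candidate.startswith("\\\\"):
        # Covers UNC (\\host\share), device (\\.\, \\?\) and \\?\UNC\ forms.
        raise UnsafePathError("UNC or device path rejected")
    drive, tail = ntpath.splitdrive(candidate)
    if drive or tail.startswith("\\"):
        # C:\x (absolute), C:x (drive-relative) and \x (rooted) are all
        # rejected: only paths relative to base_dir are allowed.
        raise UnsafePathError("absolute, rooted or drive-relative path rejected")
    base_norm = ntpath.normpath(base_dir)
    resolved = ntpath.normpath(ntpath.join(base_norm, candidate))
    # Containment check after normalization catches ..\ traversal.
    # NTFS is case-insensitive, so compare case-folded.
    prefix = base_norm.rstrip("\\").lower() + "\\"
    if resolved.lower() != base_norm.lower() and not resolved.lower().startswith(prefix):
        raise UnsafePathError("path escapes base directory")
    return resolved


def is_safe_path(user_input: str, base_dir: str) -> bool:
    """Boolean form of the check, convenient inside a request handler."""
    try:
        resolve_under_base(user_input, base_dir)
        return True
    except UnsafePathError:
        return False
```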

The post also recommends fix actions. Naveen concludes: “Windows is the predominant operating system in enterprises, and Python is the language of choice for AI. With AI making a big splash into the mainstream over the last few years, we’re seeing increased usage of Python applications on Windows. This comes with new risk because traditionally Python apps have been developed and run on Linux-based systems, where the security risks are different than on Windows. We believe the specific issue of NTLMv2 hash theft in Python apps is likely heavily under-reported, and something that all parties (defenders, developers, appsec practitioners, bug bounty hunters, etc.) should be on the lookout for.”

NTLM Credential Theft in Python Windows Applications: https://www.horizon3.ai/attack-research/disclosures/ntlm-credential-theft-in-python-windows-applications/
