New Windows zero-day exposes NTLM credentials, gets unofficial patch
A new zero-day vulnerability has been discovered that allows attackers to capture NTLM credentials by simply tricking the target into viewing a malicious file in Windows Explorer.
The flaw was discovered by the 0patch team, a platform that provides unofficial support for end-of-life Windows versions, and was reported to Microsoft. However, no official fix has been released yet.
According to 0patch, the issue, which currently has no CVE ID, impacts all Windows versions from Windows 7 and Server 2008 R2 up to the latest Windows 11 24H2 and Server 2022.
A clickless exploit
0patch has withheld the technical details of the zero-day vulnerability until Microsoft provides an official fix to prevent fueling active exploitation in the wild.
The researchers explained that the attack works by simply viewing a specially crafted malicious file in File Explorer, so opening the file isn't required.
"The vulnerability allows an attacker to obtain [the] user's NTLM credentials by simply having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page," explains 0patch.
While 0patch is not sharing further details about the vulnerability, BleepingComputer understands that it forces an outbound NTLM connection to a remote share. This causes Windows to automatically send NTLM hashes for the logged-in user, which the attacker can then steal.
As demonstrated repeatedly, these hashes can be cracked, allowing threat actors to gain access to login names and plaintext passwords. Microsoft announced a year ago its plans to kill off the NTLM authentication protocol in Windows 11 in the future.
0patch notes that this is the third zero-day vulnerability they recently reported to Microsoft that the vendor has not taken immediate action to address.
The other two are the Mark of the Web (MotW) bypass on Windows Server 2012, made known late last month, and a Windows Themes vulnerability allowing remote NTLM credentials theft, disclosed in late October. Both issues remain unfixed.
0patch says that other NTLM hash disclosure flaws disclosed in the past, like PetitPotam, PrinterBug/SpoolSample, and DFSCoerce, all remain without an official fix on the latest Windows versions, leaving users with only the 0patch-provided micropatches.
Micropatch availability
0patch will be providing its micropatch for the latest zero-day it discovered for free to all users registered on its platform until an official fix from Microsoft becomes available.
PRO and Enterprise accounts have already received the security micropatch automatically unless their configuration explicitly prevents this.
To receive the patch, create a free account on 0patch Central, start a free trial, and then install the agent and allow it to apply the appropriate micropatches automatically. No reboot is required.
Users who do not want to apply the unofficial patch provided by 0patch may consider turning off NTLM authentication with a Group Policy on 'Security Settings > Local Policies > Security Options', and configuring the "Network security: Restrict NTLM" policies. The same can be achieved through registry modifications.
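The following PowerShell script is an added example, not code from 0patch, BleepingComputer or Microsoft, showing how the registry-backed form of the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy can be inspected, set and audited. It assumes the documented value name `RestrictSendingNTLMTraffic` under the `MSV1_0` key (0 = allow, 1 = audit, 2 = deny) and the `Microsoft-Windows-NTLM/Operational` event channel; the helper function names are the author's own.

```powershell
# Added example (not from 0patch, BleepingComputer or Microsoft): inspect and set
# the outbound "Restrict NTLM" policy through its registry backing, then read the
# audit events it produces. Run from an elevated PowerShell session. The change
# takes effect without a reboot, but a Group Policy object that sets the same
# policy will overwrite the registry value on the next policy refresh.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Documented DWORD values for RestrictSendingNTLMTraffic.
$OutboundModes = @{
    0 = 'Allow all (default)'
    1 = 'Audit all'
    2 = 'Deny all'
}

function Get-OutboundNtlmRestriction {
    # Returns the current mode; a missing value means "not configured",
    # which behaves like "Allow all" and leaves outbound NTLM enabled.
    $props = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $value = $props.RestrictSendingNTLMTraffic
    if ($null -eq $value) {
        return [pscustomobject]@{ Value = $null; Mode = 'Not configured (allows NTLM)' }
    }
    [pscustomobject]@{ Value = [int]$value; Mode = $OutboundModes[[int]$value] }
}

function Set-OutboundNtlmRestriction {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Allow', 'Audit', 'Deny')]
        [string]$Mode
    )
    $value = switch ($Mode) { 'Allow' { 0 } 'Audit' { 1 } 'Deny' { 2 } }
    if (-not (Test-Path $LsaKey)) { New-Item -Path $LsaKey -Force | Out-Null }
    Set-ItemProperty -Path $LsaKey -Name 'RestrictSendingNTLMTraffic' -Value $value -Type DWord
    Get-OutboundNtlmRestriction
}

function Get-OutboundNtlmAuditEvents {
    # In Audit mode, outbound NTLM authentications that Deny mode would block
    # are written to the NTLM operational channel as event ID 8001. Reviewing
    # these before switching to Deny shows which legitimate shares and services
    # still depend on NTLM, and which outbound connections are unexpected.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Typical rollout: record the current state, audit first, review what breaks, then deny.
Get-OutboundNtlmRestriction
Set-OutboundNtlmRestriction -Mode Audit
Get-OutboundNtlmAuditEvents -MaxEvents 20
```

Starting in Audit mode rather than Deny avoids breaking file shares and older services that still need NTLM; once the 8001 events show only known-good destinations, those can be listed in the companion "Add remote server exceptions for NTLM authentication" policy and the mode switched to Deny.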
BleepingComputer has contacted Microsoft asking about the flaw and its plans to address it, but we are still waiting for a response.