NTLM Credential Theft Risk in Python Apps Threatens Windows Security

Summary:
Research published by Horizon3.ai has revealed vulnerabilities in several widely used Python applications for Windows that let an attacker steal NTLM credentials. NTLM is a legacy challenge-response authentication protocol that Windows environments still rely on heavily, and what the flaws leak is the NTLMv2 response (often called a Net-NTLMv2 hash), which an attacker can crack offline or relay to other hosts. The root cause lies in how the affected Python frameworks handle file paths on Windows: when an attacker-controlled path names a remote location, typically a UNC path such as \\attacker\share, Windows authenticates to that host automatically as soon as the application opens or even inspects the file, sending the user's NTLMv2 response to a server the attacker controls. The researchers liken the issues to Server-Side Request Forgery and XML External Entity injection, since in each case the application is induced to make an outbound request to an attacker-chosen server, and here the request carries the authentication material.
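The following is an added example, not code from this advisory, from Horizon3.ai, or from any of the affected projects. It shows the path-handling weakness in miniature: a check that leans on os.path.isabs() and a plain join, beside a lexical check that refuses anything able to name a remote or device location before the filesystem is touched. It uses Python's ntpath module explicitly so that Windows path semantics can be exercised on any platform. DATA_ROOT, the request strings and the host name "evil" are constructed assumptions.

```python
import ntpath

# Constructed sample inputs (not taken from the advisory). Each is the kind of
# file parameter a web app running on Windows might receive from a request.
# "evil" stands in for an attacker-controlled SMB server.
SAMPLE_REQUESTS = [
    "reports/q1.csv",            # legitimate file under the data root
    "reports/../../secret",      # traversal that climbs out of the root
    r"\\evil\share\x",           # UNC path: Windows authenticates to 'evil' on open
    "//evil/share/x",            # same UNC path written with forward slashes
    "//evil/share",              # bare share, no file component
    r"\\?\UNC\evil\share\x",     # extended-length UNC syntax
    r"\\.\pipe\x",               # device namespace
    r"\reports\q1.csv",          # rooted but drive-less (drive-relative)
    "C:reports/q1.csv",          # drive letter without a root
]

# Assumed data root for the hypothetical app (not from the advisory).
DATA_ROOT = r"C:\app\data"


def weak_check(base, user_path):
    """The fragile pattern: trust ntpath.isabs() to refuse 'absolute' input and
    otherwise join onto the root. Two problems: '..' is never collapsed before
    the decision, and isabs()'s verdict on bare UNC paths and drive-less rooted
    paths has changed across Python releases, so the result is not portable."""
    if ntpath.isabs(user_path):
        return None
    # ntpath.join() discards `base` entirely when the second argument carries
    # its own drive, and a UNC share counts as a drive.
    return ntpath.normpath(ntpath.join(base, user_path))


def is_plain_relative(user_path):
    """True only for a path with no drive, no UNC/device prefix and no root.
    Purely lexical: it never touches the filesystem."""
    p = user_path.replace("/", "\\")
    if "\x00" in p:
        return False
    # Two leading separators cover \\server\share, \\?\... and \\.\... forms,
    # all of which can name something other than a local directory.
    if p.startswith("\\\\"):
        return False
    drive, rest = ntpath.splitdrive(p)
    # Any drive (C:, C:\, \\server\share) or a rooted tail (\foo) escapes base.
    return not drive and not rest.startswith("\\")


def safe_join(base, user_path):
    """Confine user_path under base before any open()/exists()/realpath() call.
    Returns the normalized local path, or None if the input must be refused."""
    if not is_plain_relative(user_path):
        return None
    base_norm = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base_norm, user_path))
    # Containment is decided only after '..' segments have been collapsed.
    try:
        common = ntpath.commonpath([base_norm, candidate])
    except ValueError:            # different drives or absolute/relative mix
        return None
    if ntpath.normcase(common) != ntpath.normcase(base_norm):
        return None
    return candidate


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:28} weak={weak_check(DATA_ROOT, req)!r:34} "
              f"safe={safe_join(DATA_ROOT, req)!r}")
```

Run the file to see both verdicts side by side. The weak check's answer for the bare share //evil/share and for \reports\q1.csv depends on which Python release is installed, which is why the advisory's last bullet matters. The design point in safe_join is that it decides purely on the string: on Windows, os.path.exists(), os.path.realpath() and Path.resolve() on a UNC path already make the SMB connection and therefore already leak the hash, so "validate by checking the file" is itself the vulnerability. Once a path has passed the lexical check it is local, and a realpath() call to handle junctions or symlinks under the root is then safe to make.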

Security Officer Comments:
The risk is greater for applications run under an ordinary user account than under a system account: a leaked NTLMv2 response can be cracked offline, and user passwords are usually far weaker than the long random passwords of system and machine accounts. Tools like Responder capture these responses from the attacker's listener for offline cracking, and ntlmrelayx can instead relay the authentication in real time to other hosts on the network that do not enforce SMB signing, granting the attacker the victim's access to those resources without cracking anything.

Suggested Corrections:
  • If you’re running any of the affected applications on Windows, update to the latest version: 4.20+ of Gradio, 2.14.1+ of Jupyter Server, and 1.37.0+ of Streamlit
  • Configure your host/network firewalls to block SMB traffic (TCP 445) going out to the Internet. This is just good policy to prevent exploitation of forced Windows authentication vulnerabilities in general, such as the Outlook Elevation of Privilege vulnerability CVE-2023-23397 that is on CISA’s list of Known Exploited Vulnerabilities. Note that a Windows host with the WebClient service running can fall back to WebDAV over HTTP when SMB is blocked, so SMB egress filtering alone does not close every forced-authentication path.
  • If you have users running Python on Windows, update to the latest version of Python so you don’t have to think about the bug in os.path.isabs affecting Python versions < 3.11.2.
Link(s):
https://hackread.com/ntlm-credential-theft-python-apps-windows-security/

https://www.horizon3.ai/attack-rese...dential-theft-in-python-windows-applications/