1. Microsoft Access (part of the Office suite) has a “linking to remote SQL Server tables” feature.
2. This feature can be abused by attackers to automatically leak the Windows user’s NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80.
3. The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more-common Office file type (such as an .rtf) can work as well.
4. This technique allows the attacker to bypass existing firewall rules designed to block NTLM information stealing initiated by external attacks.

What is NTLM? What common attacks exist against it?

NTLM is an extremely deprecated authentication protocol introduced by Microsoft in 1993. It is a challenge-response protocol: the server keeps a secret called an “NTLM hash” derived from the user’s password, then every time that user wants to log in, the server issues a randomized “challenge” and the user consults the password to compute the correct response. By “extremely deprecated”, we mean that someone presented a talk titled “Nail the Coffin Shut: NTLM Is Dead” at Defcon 16, back in 2008.

Below are the three most well-known attacks against NTLM.

  • A brute-force attack uses inherent weaknesses in the NTLM hash function specification to recover the original password from the NTLM hash stored on the server.
  • A pass-the-hash attack abuses the fact that the NTLM hash itself is enough to correctly answer challenges[1], making the fact that a hash is used instead of the plain password substantially meaningless.
  • A relay attack is what’s classically known as a “Man in the Middle” attack, where an attacker intercepts a handshake transaction, posing as the client when talking to the server and vice versa — inconspicuously passing their messages on to one another until the crucial moment where the session is authenticated, at which point the attacker cuts the legitimate client out and carries on the conversation in their stead.

The art of designing a protocol to resist these attacks is well-understood, so much so that some of the mitigations appear in Kerberos, an authentication protocol developed at MIT a full five years before NTLM saw the light of day.

Thankfully, a simple and effective stop-gap measure exists for anyone keen to keep their NTLM server: simply blocking all of the organization’s outbound traffic through the ports used by the NTLM protocol (139 and 445) will render the above-mentioned attacks much more difficult to execute, and, on the face of it, impossible to use for gaining initial access to a network. Such an attack technique, initiated by external attacks, is called “Forced Authentication”; in fact, there’s an ATT&CK page explaining this type of attack.

Alas, it is a law of nature that stop-gap measures invite workarounds. In this blog post, we present a novel method that allows bypassing these port-blocking mitigations, and targeting internal users with NTLM attacks directly. This method works by abusing a feature in the MS-Access application called “Access Link Tables”.

[1] The terminology can get somewhat muddied because the client response is also sometimes colloquially called a “hash” or a “hashed password”.

Linked Tables in MS-Access

Before we get to how an attacker might abuse this feature, we’ll first explain how the feature works normally, when used for legitimate purposes. With linked tables, users can connect to an external database, such as a remote Microsoft SQL server (the advantages of such a feature should be self-evident; having every user keep a copy of a database on their local machine is not a great solution a lot of the time, and definitely not at scale). To activate the feature, a user can click the “ODBC Database” button under the “External Data” tab, as shown below. We use Office 2010 as an example, but this applies to all versions of Office equally.

Figure 1: Clicking the “ODBC Database” button starts a wizard that connects to a remote SQL Server in Microsoft Access 2010

MS-Access suggests an alternative: a one-time download of the remote table, with the result being treated as a local table from then on. To actually use the linking feature and sync with a remote database, the user picks the other option: “Link to the data source by creating a linked table”.

Figure 2: MS-Access lets the user pick between creating a local copy of a remote database and a full remote link.

The user then selects “SQL Server” as the ODBC source in a dialogue box.

Figure 3: The dialogue box for choosing the type of ODBC source.

At this point a user would need to choose a method for authenticating with the remote server; see the following figure.

Figure 4: The dialogue box for choosing the SQL Server authentication method

A typical user would choose according to the authentication methods supported by the server, company security policy, and what they personally find convenient; for educational purposes, let’s assume the user picks the option where their own Windows ID credentials are used for authentication. Also, a typical user would probably leave the port of the remote server at its default value (1433), but, again for educational purposes, let’s assume for a minute that the user picks something unorthodox, like port 80. After all, nothing prevents a SQL server from listening on port 80; a legitimate org’s SQL server probably won’t do that, but if someone does, the internet police will not magically descend from the skies to arrest them (though see our later note about firewalls).

Figure 5: The dialogue box for choosing the server’s IP address, port and protocol

Assuming authentication with the remote SQL server is successful and the chosen table exists, a new entry will now be available in the client’s “tables” list representing the linked table. When the user clicks this entry, a connection is made to this remote database, and the MS-Access client attempts to authenticate with the SQL server using the user’s Windows credentials.

Figure 6: The linked table as it appears in MS-Access’s “tables” list

Abusing Linked Tables

What gap is left before the feature can be weaponized and turned into an NTLM relay attack? Not a large one. An attacker can set up a server that they control, listening on port 80, and put its IP address in the above “server alias” field. Then they can send the database file, including the linked table, to the victim. If (If!) the victim opens the file and clicks the table, the victim client C_V will contact the attacker-controlled server S_A and attempt to authenticate. S_A is then in prime position to execute the attack — it can immediately start an authentication process with a targeted NTLM server S_T in the same organization, receive a challenge, send that challenge to C_V as part of the attacker-controlled C_V ↔ S_A authentication process, receive a valid response and then pass that response on to S_T, resulting in S_A’s successful authentication with S_T.[2]

[2] To be pedantic, authentication is done using NTLMSSP wrapped in TDS.

That is a big if. Getting the victim to both open the file and click the database is no small matter. Now as to the “clicking the database” part, technically MS-Access has macro support — so an attacker could in theory create a macro that opens the linked table automatically and set it up to execute automatically on file open (this is done by naming the macro AutoExec). Of course, this is a dead end, because the user would then be prompted to enable macros, and just last year Microsoft introduced a new security feature for exactly this situation, which —

Actually, no. That feature doesn’t apply to simple MS-Access macros. These are different from full-blown VBA, weaker in their capabilities, and are treated with less caution. Even the provably ineffectual “protected view” feature from 2010, the one with the meek yellow ribbon that says the document “might be unsafe” and prompts the user to “enable macros”, doesn’t pop up when one of these simple Access macros auto-executes. So what, someone will trick you into trying to view a database on the internet or something; what’s the worst that’s going to happen?

Figure 7: Adding a Microsoft Access Macro that opens the linked table and saving it as “AutoExec” to execute on file open.

OLÉ, OLÉ, OLÉ

Microsoft Access is registered as an “OLE linking” server on Windows. This means it allows other applications to request that it handle and process objects (more details are available in the MS docs here). For example, one might embed an image in a Word document, and when the document is opened, MS-Paint will handle the image and send information back allowing MS-Word to display the image inline.

In the same way, it is possible to link to an .accdb file inside of an MS-Word document as an OLE object that will be downloaded automatically (also via port 80/tcp) and then handled by MS-Access. Something as simple as the following string will trigger this behavior:


As a summary, the whole attack chain looks like the following:

Figure 8: Abusing link table

Demo

With the aid of this Thinkst blog post we were able to set up a proof-of-concept environment showcasing this attack; a particular help was disabling the encryption in the server’s first response packet (PRE-LOGIN message response), which made our work much easier as we didn’t need to deal with the TDS TLS encryption.

Following is a redacted image of the transaction between the mock victim and our fake SQL server. The victim is within a typical port-blocking environment (blocking outgoing 139/tcp and 445/tcp traffic but allowing 80/tcp), while the attacker-controlled server is in a public cloud. The victim leaks the local net-NTLMv2 hash while attempting to authenticate with the server on port 80.

Figure 9: Traffic capture (PCAP) showing a successful attack that gets the victim to leak the local NTLM hash via port 80.

Defense and Mitigation

We have successfully reproduced the attack on all available default Windows + Office environments, including the latest Windows 10/11 + Office 2021 environment.

For users who are concerned about this attack method, we recommend:

  • Check Point has released an IPS signature named “Microsoft Windows NTLM Information Disclosure” to protect our customers. If you’re one of our IPS customers, you should be immune to this type of attack.
  • Check Point customers are further protected: Microsoft Access files (.accdb) containing objects leading to NTLM leakage will be detected as Trojan.Wins.LinkedTable.A or Trojan.Wins.LinkedTable.B.
  • A “content aware” firewall may help, one that doesn’t just check the destination port but also performs packet inspection.
  • You may consider disabling macros in MS-Access, or removing it from your system altogether if it is not essential to your Office suite install.
  • And, of course, for the forty thousandth time, don’t open attachments from unsolicited sources.
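As an added example (not Check Point’s code or tooling), the Python script below sketches the kind of “content aware” check the firewall recommendation above calls for, applied to the handshake the demo captured: it ignores the destination port and instead looks at the first client bytes of each flow for a TDS PRE-LOGIN/LOGIN7 header and for an embedded NTLMSSP token, which is what the MS-Access linked-table client sends when it authenticates with Windows credentials. The flows, the internal network range, the external address, the PRE-LOGIN option bytes and the NegotiateFlags value are all constructed for the example; the TDS header layout and the NTLMSSP signature follow the public MS-TDS and MS-NLMP specifications.

```python
"""Content-aware detection of SQL Server (TDS) handshakes on unexpected ports.

Added example, not Check Point's code. It models a "content aware" check:
rather than trusting the destination port, look at the first client bytes of a
flow for a TDS header and for an NTLMSSP token, which is what an MS-Access
linked-table client sends when it authenticates with Windows credentials.
Every flow, address and network below is constructed for the example.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

# TDS packet header (MS-TDS 2.2.3.1): type, status, length, SPID, packet id, window.
# Length and SPID are big-endian; the length includes the 8-byte header itself.
TDS_HEADER = struct.Struct(">BBHHBB")
TDS_PRELOGIN = 0x12   # client PRE-LOGIN, first message of the handshake
TDS_LOGIN7 = 0x10     # LOGIN7, carries the SSPI (NTLMSSP) blob for Windows auth
TDS_SSPI = 0x11       # SSPI continuation (the NTLM AUTHENTICATE round trip)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # MS-NLMP: 8-byte signature, then MessageType
NTLM_NEGOTIATE, NTLM_AUTHENTICATE = 1, 3

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed
SQL_PORTS = {1433}                                     # approved SQL Server ports

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first client-to-server bytes of the TCP stream

@dataclass
class Finding:
    flow: Flow
    reason: str

def parse_tds_header(payload: bytes) -> Optional[dict]:
    """Return the header fields if the payload plausibly starts with a TDS packet."""
    if len(payload) < TDS_HEADER.size:
        return None
    ptype, status, length, _spid, _pid, _win = TDS_HEADER.unpack_from(payload)
    if ptype not in (TDS_PRELOGIN, TDS_LOGIN7, TDS_SSPI):
        return None
    if length < TDS_HEADER.size or length > len(payload):
        return None   # claimed length does not fit the bytes we hold
    return {"type": ptype, "status": status, "length": length}

def ntlm_message_type(payload: bytes) -> Optional[int]:
    """Locate an NTLMSSP token by its signature and return its MessageType."""
    idx = payload.find(NTLMSSP_SIGNATURE)
    if idx < 0 or len(payload) < idx + 12:
        return None
    return struct.unpack_from("<I", payload, idx + 8)[0]

def inspect_flow(flow: Flow, internal_nets=INTERNAL_NETS, sql_ports=SQL_PORTS) -> Optional[Finding]:
    """Flag TDS handshakes that leave the approved SQL Server set, whatever the port."""
    hdr = parse_tds_header(flow.payload)
    if hdr is None:
        return None   # not a SQL Server handshake, regardless of destination port
    external = not any(ipaddress.ip_address(flow.dst) in net for net in internal_nets)
    ntlm = ntlm_message_type(flow.payload)
    if external and ntlm in (NTLM_NEGOTIATE, NTLM_AUTHENTICATE):
        return Finding(flow, f"NTLMSSP message type {ntlm} inside TDS to external host "
                             f"{flow.dst}:{flow.dport}")
    if external or flow.dport not in sql_ports:
        return Finding(flow, f"TDS packet type 0x{hdr['type']:02x} to {flow.dst}:{flow.dport}, "
                             "not an approved SQL Server endpoint")
    return None

def scan(flows: List[Flow], internal_nets=INTERNAL_NETS) -> List[Finding]:
    return [f for f in (inspect_flow(fl, internal_nets) for fl in flows) if f is not None]

# --- constructed sample traffic -------------------------------------------
def tds_packet(ptype: int, body: bytes) -> bytes:
    """Build one end-of-message TDS packet (status 0x01 = EOM)."""
    return TDS_HEADER.pack(ptype, 0x01, TDS_HEADER.size + len(body), 0, 1, 0) + body

def ntlm_negotiate_token() -> bytes:
    """Minimal NTLMSSP NEGOTIATE_MESSAGE: signature, MessageType=1, NegotiateFlags (constructed)."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", NTLM_NEGOTIATE, 0xE2088297)

PRELOGIN_BODY = b"\x00\x00\x0b\x00\x06\xff\x0c\x00\x00\x00\x00\x00"   # constructed option bytes
SAMPLE_FLOWS = [
    # legitimate: workstation to the in-house SQL Server on 1433
    Flow("10.1.2.3", "10.0.0.5", 1433, tds_packet(TDS_PRELOGIN, PRELOGIN_BODY)),
    # linked-table client talking TDS to an outside host on port 80
    Flow("10.1.2.3", "203.0.113.10", 80, tds_packet(TDS_PRELOGIN, PRELOGIN_BODY)),
    # the same client's LOGIN7 carrying an NTLMSSP NEGOTIATE token
    Flow("10.1.2.3", "203.0.113.10", 80, tds_packet(TDS_LOGIN7, b"\x00" * 94 + ntlm_negotiate_token())),
    # ordinary web traffic on port 80: must not be flagged
    Flow("10.1.2.3", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(f"{finding.flow.src} -> {finding.flow.dst}:{finding.flow.dport}: {finding.reason}")
```

The point of the four sample flows is the contrast: the plain HTTP request to the same external host on port 80 is left alone, while the two TDS flows to it are flagged even though a port-based rule blocking 139/445 would have passed them. A real deployment would feed `inspect_flow` from a stream reassembler and would locate the SSPI blob through the LOGIN7 offset fields rather than by scanning for the signature, but the decision logic is the same.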

Check Point Research has worked with MSRC on this issue since early January 2023. Since January, we have been busy developing and delivering various protections for our customers against this attack technique. The rest of the blog post draft was prepared far earlier than this release date.

On July 17th, we tested our PoC again on the latest Office 2021 (Current Channel, version 2306, build 16529.20182), and found that Microsoft already mitigated the attack in this Office version – when the PoC runs, a warning dialog is now displayed to the end user.

  • We only confirmed that the issue is mitigated in the specific Office/Access version mentioned above (Current Channel, version 2306, build 16529.20182); we can’t rule out that other Office/Access versions are still unmitigated, because there are so many update channels and versions for Office / Microsoft 365 apps. Usually only the vendor can get accurate information about patching and mitigation.
  • In July we sent an email to MSRC looking for more information: whether this is indeed mitigated/patched, and whether they would like to release an official security update. This was followed by further inquiries in October and early November. However, we were unable to obtain a conclusive answer, because the issue is considered “low/none severity”, according to the MSRC reply.
  • Please note that, even with the new warning dialog, there’s no elegant way for users to stop the NTLM leak, because the only option for the user to choose is “OK”, as shown in the picture (or the “X” in the top right corner; clicking the “X” is the same as clicking “OK”, as per our tests). Our tests showed that clicking the “OK” button continues the exploitation; if the user doesn’t click “OK”, the exploit doesn’t continue. Therefore, if you’re an Office user and you see such a dialog pop up, it’s likely that an exploitation attempt is taking place, so please don’t click the “OK” button or the “X”. You may forcefully shut down the “MSACCESS.EXE” process via Windows Task Manager, which will stop the exploitation entirely.

Clarification related to the Outlook zero-day attack (CVE-2023-23397)

During the time of preparing this publication, on March 14th, Microsoft announced a significant zero-day attack in the wild targeting Outlook users in Ukraine. Check Point Research has been closely researching and monitoring the Outlook zero-day attack as well. As many of our readers are probably aware by now, the technique disclosed in this blog post also involves NTLM credential stealing. As both try to achieve the same goal, we feel it’s worth clarifying the differences between these two cases.

The same: the goal of both techniques is stealing the victim’s NTLM credentials; and in both attack scenarios the attacker is attacking the victim from an external (Internet) perspective.

The difference:

  • The Outlook zero-day abused a feature (“reminder”) in Outlook. The most powerful/innovative part of the zero-day is the attack vector. It’s delivered via Outlook as a malicious Mail/Meeting/Task object; the victim doesn’t even need to read their emails. The attack can succeed as long as the victim opens their Outlook. However, this attack, like many other similar “NTLM stealing” attacks, has its limitations – it can’t work if the organization has blocked outbound traffic to ports 139/445. Had the admins done that on their gateway and firewalls, the attack would fail.
  • The most powerful part of this “NTLM stealing via MS Access” technique is that it is not stopped by the above mitigation for the Outlook zero-day; in other words, it bypasses the “139/445 port blocking” mitigation. However, it also has its limits – it can’t be run automatically via Outlook (such as by previewing an email or triggering a “reminder”); it has to be delivered via ‘traditional ways’, where the victim must open a malicious .accdb Outlook attachment.

As you have seen, the two techniques each have their advantages and limitations. Can they be combined to achieve “the most powerful NTLM stealing attack”? That’s a good question, and one we considered. Fortunately, having researched them in depth, we concluded that the answer is no: you can’t have both at the same time.

Check Point IPS has developed and deployed a signature named “Microsoft Windows NTLM Information Disclosure” to detect and protect our customers against the NTLM leak.

More information regarding IPS protection can be found here.




Copyright notice: posted by admin on 11 November 2023, 11:51 AM.