CVE-2020-12772 in Spark
Summary
by MITRE
An issue was discovered in Ignite Realtime Spark 2.8.3 (and the ROAR plugin for it) on Windows. A chat message can include an IMG element with a SRC attribute referencing an external host's IP address. Upon access to this external host, the (NT)LM hashes of the user are sent with the HTTP request. This allows an attacker to collect these hashes, crack them, and potentially compromise the computer. (ROAR can be configured for automatic access. Also, access can occur if the user clicks.)
Analysis
by VulDB Data Team • 05/13/2020
This vulnerability affects Ignite Realtime Spark 2.8.3 and its ROAR notification plugin on Windows and enables credential harvesting through image references embedded in chat messages. The root cause is that the client fetches external resources named in a message without restriction: a message may carry an IMG element whose SRC attribute points at an attacker-controlled host, typically by IP address. When the message is displayed, or when the user clicks it, Spark issues an HTTP request for the image. If the attacker's server answers that request with an NTLM authentication challenge, the client completes the NTLM handshake with the logged-on user's Windows credentials, so the attacker receives a Net-NTLM challenge-response (commonly called a Net-NTLMv2 hash) derived from the user's NT hash. The chat message is the only input the attacker needs, which is why the trust between the client and arbitrary external hosts is the attack surface here. With ROAR configured to display incoming messages automatically the request fires without any click; otherwise a single click on the message suffices.
Technically the flaw is the absence of any validation of external resource references in rendered chat content, combined with a Windows HTTP client that authenticates transparently with the logged-on user's credentials. The sequence is: Spark sends a GET for the image with no credentials; the attacker's server replies 401 with a WWW-Authenticate: NTLM header; the client, instead of prompting, answers with an NTLM NEGOTIATE message, receives a CHALLENGE message carrying an 8-byte server challenge, and finally sends an AUTHENTICATE message containing the domain, user name, workstation name and the NTLMv2 response, an HMAC-MD5 over the server challenge computed with a key derived from the user's NT hash. The NT hash itself is never on the wire; what the attacker captures is this challenge-response pair, which is sufficient for offline cracking and, against internal services that do not enforce signing, for real-time relay. The weakness is tracked as CWE-200 (exposure of sensitive information). It is not a cross-site request forgery in the classical sense, since no state-changing request is forged; the trigger is the same, an attacker-supplied URL that the victim's client fetches on its own, but the consequence is a credential leak. In ATT&CK terms the capture is Forced Authentication (T1187), usually followed by Password Cracking (T1110.002) or an Adversary-in-the-Middle relay (T1557); Valid Accounts (T1078) describes what the attacker does with the result, not the capture itself.
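The handshake described above, modelled end to end as an added example (this is not code from Spark, ROAR, VulDB or MITRE). Both sides are simulated in one process: the attacker's server builds the CHALLENGE, the client derives the NTLMv2 response and returns the AUTHENTICATE message, and the attacker parses it into the line a Responder-style tool would write out. The user name, domain, challenges, timestamp and the NT hash (the well-known MD4 of "password") are all constructed sample values; the last function shows why the capture is useful to the attacker, by doing one step of what an offline cracker does.

```python
"""Constructed model of the NTLM-over-HTTP exchange that CVE-2020-12772 triggers.

HTTP framing (what each NTLM message rides in):
  client  GET /img.png                                  (no credentials)
  server  401  WWW-Authenticate: NTLM
  client  GET /img.png  Authorization: NTLM <b64 NEGOTIATE (type 1)>
  server  401  WWW-Authenticate: NTLM <b64 CHALLENGE (type 2)>
  client  GET /img.png  Authorization: NTLM <b64 AUTHENTICATE (type 3)>
Only the type 2 and type 3 messages matter for the capture and are modelled here.
"""
import hashlib
import hmac
import struct

NTLMSSP = b"NTLMSSP\x00"
# Unicode | NTLM | TargetInfo | ExtendedSessionSecurity: enough for NTLMv2.
FLAGS = 0x00000001 | 0x00000200 | 0x00080000 | 0x00800000

# Constructed sample identity. The NT hash is MD4(UTF-16LE("password")), a well-known
# test vector; a real client derives it from the logged-on user's password.
SAMPLE_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
SAMPLE_USER, SAMPLE_DOMAIN = "jdoe", "CORP"


def _fields(items, header_len):
    """Pack (len, maxlen, offset) security-buffer descriptors plus the payload they describe."""
    descs, payload = b"", b""
    for item in items:
        descs += struct.pack("<HHI", len(item), len(item), header_len + len(payload))
        payload += item
    return descs, payload


def _field(msg, off):
    ln, _, o = struct.unpack_from("<HHI", msg, off)
    return msg[o:o + ln]


def build_type2(server_challenge, target="ATTACKER"):
    """CHALLENGE_MESSAGE as the attacker's web server would send it (48-byte header)."""
    target_u = target.encode("utf-16-le")
    # AV_PAIR list: MsvAvNbDomainName (id 2) followed by MsvAvEOL (id 0).
    target_info = struct.pack("<HH", 2, len(target_u)) + target_u + struct.pack("<HH", 0, 0)
    descs, payload = _fields([target_u, target_info], 48)
    return (NTLMSSP + struct.pack("<I", 2) + descs[:8] + struct.pack("<I", FLAGS)
            + server_challenge + bytes(8) + descs[8:] + payload)


def parse_type2(msg):
    """Client side: pull the 8-byte server challenge and the TargetInfo AV pairs."""
    assert msg[:8] == NTLMSSP and struct.unpack_from("<I", msg, 8)[0] == 2
    return msg[24:32], _field(msg, 40)


def ntlmv2_response(nt_hash, user, domain, server_challenge, target_info,
                    client_challenge, timestamp):
    """Client side. The response is HMAC-MD5 keyed by a value derived from the NT hash;
    the NT hash itself never leaves the machine."""
    response_key = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"),
                            hashlib.md5).digest()
    blob = (b"\x01\x01" + bytes(6) + timestamp + client_challenge + bytes(4)
            + target_info + bytes(4))
    nt_proof = hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def build_type3(user, domain, workstation, nt_response):
    """AUTHENTICATE_MESSAGE (64-byte header, no Version/MIC). The LM response is left as
    24 zero bytes, which NTLMv2 clients commonly send."""
    items = [bytes(24), nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    descs, payload = _fields(items, 64)
    return NTLMSSP + struct.pack("<I", 3) + descs + struct.pack("<I", FLAGS) + payload


def type3_to_hashcat(msg, server_challenge):
    """Attacker side: the capture in hashcat mode 5600 format."""
    assert msg[:8] == NTLMSSP and struct.unpack_from("<I", msg, 8)[0] == 3
    nt_response = _field(msg, 20)
    domain = _field(msg, 28).decode("utf-16-le")
    user = _field(msg, 36).decode("utf-16-le")
    nt_proof, blob = nt_response[:16], nt_response[16:]
    return f"{user}::{domain}:{server_challenge.hex()}:{nt_proof.hex()}:{blob.hex()}"


def check_candidate(hashcat_line, candidate_nt_hash):
    """One step of offline cracking: does this candidate NT hash reproduce the proof?"""
    user, _, domain, chal, proof, blob = hashcat_line.split(":")
    key = hmac.new(candidate_nt_hash, (user.upper() + domain).encode("utf-16-le"),
                   hashlib.md5).digest()
    expected = hmac.new(key, bytes.fromhex(chal) + bytes.fromhex(blob), hashlib.md5).digest()
    return hmac.compare_digest(expected, bytes.fromhex(proof))


def run_exchange(nt_hash=SAMPLE_NT_HASH, user=SAMPLE_USER, domain=SAMPLE_DOMAIN):
    """Drive both sides with fixed (constructed) challenges so the result is reproducible."""
    server_challenge = bytes.fromhex("1122334455667788")  # a real server uses os.urandom(8)
    client_challenge = bytes.fromhex("8899aabbccddeeff")
    timestamp = struct.pack("<Q", 132341184000000000)     # FILETIME, constructed value
    chal, target_info = parse_type2(build_type2(server_challenge))
    nt_response = ntlmv2_response(nt_hash, user, domain, chal, target_info,
                                  client_challenge, timestamp)
    return type3_to_hashcat(build_type3(user, domain, "WS01", nt_response), chal)


if __name__ == "__main__":
    line = run_exchange()
    print(line)
    print("NT hash visible on the wire:", SAMPLE_NT_HASH.hex() in line)
    print("candidate 'password' verifies:", check_candidate(line, SAMPLE_NT_HASH))
```

Two things are worth noticing when running it: the NT hash hex never appears in the captured line, and `check_candidate` still confirms the right password in a single HMAC-MD5 pair, which is exactly the per-guess cost a cracker pays. Because the server challenge is chosen by the attacker, every capture is salted differently, so precomputation does not help, but a weak password falls to a wordlist in seconds.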
The operational impact goes beyond the single captured response. Net-NTLMv2 responses are salted with the server and client challenges, so precomputed rainbow tables do not apply, but they crack quickly with dictionary and rule-based attacks (hashcat mode 5600) whenever the password is weak, and a successful crack yields the plaintext domain password. An attacker with a network path to internal services can instead relay the authentication while the handshake is in flight; that works against SMB, LDAP or HTTP endpoints that do not require signing or channel binding and needs no password at all. Either route turns "the user saw a chat message" into a valid domain identity with everything that identity can reach, which is why the flaw matters most where Spark users hold privileged accounts, or where the XMPP server federates with or accepts messages from domains the organisation does not control. Two properties make the vector cheap for the attacker: outbound HTTP is allowed almost everywhere, unlike outbound SMB, and ROAR's automatic display of incoming messages removes the need for any interaction.
Mitigation works at three layers. On the Windows side, the setting that removes the root cause for every client rather than only Spark is the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" set to "Deny all", with an explicit exception list for servers that genuinely need NTLM; it stops the operating system from completing an NTLM handshake with an arbitrary host. Blocking outbound TCP 445 at the perimeter closes the parallel SMB variant of the same trick, and enforcing SMB signing and LDAP channel binding removes the relay option even when a capture succeeds. On the application side, disable or restrict the display of remote images in Spark and turn off ROAR's automatic display of incoming messages. Spark is a Java application, and recent Windows JREs gate transparent NTLM over HTTP behind the jdk.http.ntlm.transparentAuth system property (default "disabled"), so check which runtime the installed client actually uses rather than assuming the protection is in place, and consult the vendor's release notes for a build that addresses this issue before relying on configuration alone. For detection, an HTTP Authorization header carrying an NTLM token towards an address outside the organisation's own ranges is a high-signal event: a workstation has no legitimate reason to authenticate transparently to such a host, so any such request is either a misconfiguration or a forced-authentication attempt, and logging it at the proxy or egress firewall costs little. User awareness (not clicking unsolicited messages with embedded images) helps only in the non-automatic case. More broadly, any client that fetches attacker-supplied URLs on a Windows host inherits the NTLM forced-authentication problem, and a "render remote content" feature deserves the same threat modelling as a browser.
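The detection idea above, as an added example written for this page (not VulDB's, Spark's or any vendor's code): decode the Authorization header in proxy log lines and alert when an NTLM token, NEGOTIATE or AUTHENTICATE, is sent to an address outside the organisation's own ranges. The tab-separated log format, the internal address plan and the four sample lines (a benign intranet SSO request followed by the three-request sequence of a forced authentication) are all constructed assumptions; real proxies log differently and may not record the Authorization header at all unless configured to.

```python
"""Detection over constructed proxy log lines: flag NTLM authentication leaving the intranet.

Assumed log format (tab separated): timestamp, client IP, destination IP:port, URL,
Authorization header value or '-'. The header decoding is the reusable part.
"""
import base64
import binascii
import ipaddress
import struct

NTLMSSP = b"NTLMSSP\x00"
# Assumed enterprise address plan; transparent NTLM is only expected towards these.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(host):
    """The assumed log records resolved IPs, so host is always an address literal."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def ntlm_token(auth_header):
    """Return (message_type, raw) when the header carries a raw NTLMSSP token under the
    NTLM or Negotiate scheme. SPNEGO-wrapped tokens (first byte 0x60) are not decoded."""
    scheme, _, b64 = auth_header.partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate"):
        return None
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP:
        return None
    return struct.unpack_from("<I", raw, 8)[0], raw


def _field(raw, off):
    """Read a (len, maxlen, offset) security buffer and decode it as UTF-16LE."""
    ln, _, o = struct.unpack_from("<HHI", raw, off)
    return raw[o:o + ln].decode("utf-16-le", errors="replace")


def analyze(lines):
    """Return alerts as (timestamp, client, destination, description, identity)."""
    alerts = []
    for line in lines:
        ts, client, dst, url, auth = line.rstrip("\n").split("\t")
        host = dst.rpartition(":")[0]
        if auth == "-" or is_internal(host):
            continue
        token = ntlm_token(auth)
        if token is None:
            continue
        mtype, raw = token
        if mtype == 1:
            alerts.append((ts, client, host, "NTLM negotiate sent to external host", None))
        elif mtype == 3 and len(raw) >= 64:
            # DomainName descriptor sits at offset 28, UserName at 36 in AUTHENTICATE.
            identity = f"{_field(raw, 28)}\\{_field(raw, 36)}"
            alerts.append((ts, client, host, "Net-NTLM response leaked to external host", identity))
    return alerts


def _b64(raw):
    return base64.b64encode(raw).decode()


# Constructed tokens. NEGOTIATE is 32 bytes: signature, type, flags, two empty buffers.
_TYPE1 = NTLMSSP + struct.pack("<II", 1, 0x00088207) + bytes(16)


def _type3(user, domain):
    """Minimal constructed AUTHENTICATE with only DomainName and UserName populated."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    empty = struct.pack("<HHI", 0, 0, 64)
    descs = (empty * 2 + struct.pack("<HHI", len(d), len(d), 64)
             + struct.pack("<HHI", len(u), len(u), 64 + len(d)) + empty * 2)
    return NTLMSSP + struct.pack("<I", 3) + descs + struct.pack("<I", 1) + d + u


SAMPLE_LOG = [  # constructed
    "2020-05-13T10:00:01Z\t10.20.30.40\t10.0.0.5:80\thttp://10.0.0.5/logo.png\tNTLM " + _b64(_TYPE1),
    "2020-05-13T10:00:07Z\t10.20.30.40\t203.0.113.7:80\thttp://203.0.113.7/x.png\t-",
    "2020-05-13T10:00:07Z\t10.20.30.40\t203.0.113.7:80\thttp://203.0.113.7/x.png\tNTLM " + _b64(_TYPE1),
    "2020-05-13T10:00:08Z\t10.20.30.40\t203.0.113.7:80\thttp://203.0.113.7/x.png\tNTLM "
    + _b64(_type3("jdoe", "CORP")),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The first sample line is the normal case (single sign-on to an intranet web server) and produces nothing; the sequence to 203.0.113.7 produces two alerts, the NEGOTIATE showing an attempt and the AUTHENTICATE naming the account whose response has left the network, which is the one to escalate and to treat as a password reset. Tokens under the Negotiate scheme are accepted only when they are raw NTLMSSP; adding an SPNEGO unwrap is the obvious next step for production use.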