CVE-2020-24772 in Dreamacro

Summary

by MITRE • 03/21/2022

In Dreamacro 1.1.0, an attacker could embed a malicious iframe in a website with a crafted URL that would launch the Clash Windows client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).


Analysis

by VulDB Data Team • 03/23/2022

In Dreamacro (Clash) 1.1.0, a web page can embed an iframe whose crafted URL is handed by the browser to the Windows Clash client through its registered URL scheme and makes the client open a remote SMB share, i.e. a UNC path the attacker controls. The flaw is insufficient validation of that URL-supplied argument (CWE-20 Improper Input Validation): nothing rejects a network path before the client asks Windows to open it. Windows then authenticates to the attacker's SMB server with NTLM on behalf of the logged-on user, which exposes the exchange to capture or relay. In ATT&CK terms this is T1187 Forced Authentication, with the relay stage corresponding to T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay.

Operationally this is a forced-authentication bug: the victim only has to visit a malicious page (and, in browsers that ask before passing a URL to an external application, accept that prompt). The Clash client runs as the logged-on user, so no elevated privileges are involved; Windows simply authenticates to the attacker's server as that user. What the attacker receives is a Net-NTLMv2 challenge/response, not the NT hash itself, so it cannot be used for pass-the-hash. It can be used in two ways: relayed in real time (impacket's ntlmrelayx) to another host that accepts NTLM and does not require SMB signing, which can yield code execution there, or recorded (Responder) and cracked offline with a dictionary or rule-based attack to recover the cleartext password. The exposure is worst in Windows domain environments, where the relayed session or the recovered password is valid on many other systems that expose SMB.
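The relay-or-crack choice above follows from how Net-NTLMv2 is computed. The Python below is an added example, not code from Clash, VulDB or MITRE: it recomputes the response the way MS-NLMP 3.3.2 specifies it (a pure-Python MD4 is included because hashlib builds on OpenSSL 3 often have MD4 disabled), writes a constructed exchange in the layout Responder emits and hashcat mode 5600 reads, and runs the offline dictionary attack against it. The user name, domain, password, challenges and blob are all made up for the demo.

```python
"""Net-NTLMv2 as a Windows client computes it (MS-NLMP 3.3.2), plus the offline
dictionary attack that a captured exchange enables. Added example; constructed data."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; needed only for the NT hash (MD4 of the UTF-16LE password)."""
    f = lambda x, y, z: (x & y) | (~x & MASK & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                          # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 2
            a = rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 3
            a = rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: the value a pass-the-hash attack needs, and the value the wire never carries."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    key = nt_hash(password)
    return hmac.new(key, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof_str(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp). This is what is captured."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def capture_line(user, domain, server_challenge, proof, blob) -> str:
    """Responder / hashcat 5600 layout: user::domain:serverchallenge:ntproofstr:blob."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line: str, wordlist):
    """Offline dictionary attack: recompute NTProofStr per candidate. No network, no lockout."""
    user, _, domain, chal, proof, blob = line.split(":")
    chal_b, proof_b, blob_b = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for cand in wordlist:
        if hmac.compare_digest(nt_proof_str(cand, user, domain, chal_b, blob_b), proof_b):
            return cand
    return None


def demo_capture():
    """Constructed exchange (not a real capture): victim 'alice' in CORP answers the
    attacker's challenge; the attacker then guesses the password offline."""
    server_challenge = bytes.fromhex("1122334455667788")      # chosen by the rogue server
    client_challenge = bytes.fromhex("a1a2a3a4a5a6a7a8")
    # Minimal MS-NLMP "temp": RespType, HiRespType, 6 reserved, 8-byte timestamp,
    # client challenge, 4 reserved, AV_PAIR list holding only MsvAvEOL, 4 reserved.
    blob = (b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + client_challenge
            + b"\x00" * 4 + b"\x00\x00\x00\x00" + b"\x00" * 4)
    proof = nt_proof_str("Summer2022!", "alice", "CORP", server_challenge, blob)
    line = capture_line("alice", "CORP", server_challenge, proof, blob)
    return {"line": line, "cracked": crack(line, ["Password1", "Winter2021", "Summer2022!"])}


if __name__ == "__main__":
    result = demo_capture()
    print(result["line"])
    print("recovered:", result["cracked"])
```

Because NTProofStr is an HMAC keyed over the server's own challenge, a recorded value is only good against that one challenge: it cannot be replayed or passed-the-hash, which is why an attacker either relays the live exchange to a third host or, as crack() does, tests password guesses offline at the cost of two HMAC-MD5 calls each.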

Mitigation should start where the authentication leaves the host: block outbound TCP 445 and 139 to the internet at the perimeter and in the host firewall, so a forced connection to an external share never completes. For the relay case, require SMB signing on servers (it is the target's signing requirement, not the client's, that defeats a relayed session) and restrict outgoing NTLM with the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, preferring Kerberos wherever the environment allows it. For the capture case, strong, non-dictionary passwords limit what offline cracking recovers. On the application side, update the Clash client to a version that addresses this issue, and treat any URL-scheme argument as untrusted input: reject UNC paths and other remote targets before handing them to the operating system. Network segmentation and monitoring for outbound SMB to unexpected destinations catch attempts that get past these controls; user awareness of unsolicited application-launch prompts is a defense-in-depth measure only.
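Detection logic for the outbound-SMB monitoring point above, added here as an example that is not from VulDB, MITRE or the Clash project: it parses Windows Firewall log records in the pfirewall.log column layout and flags outbound TCP 445/139 to any address outside RFC 1918, loopback and link-local space. The log lines, hosts, addresses and timestamps are constructed for the demo.

```python
"""Flag outbound SMB (TCP 445/139) to non-internal addresses in Windows Firewall logs.
An ALLOWed connection to a rogue share means the host has already sent NTLM."""
import ipaddress
from collections import defaultdict

# Constructed pfirewall.log-style sample (not a real log). Windows Firewall writes one
# space-separated record per packet using the column names in the #Fields header.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-03-21 10:15:01 ALLOW TCP 10.0.0.5 10.0.0.20 50123 445 0 - 0 0 0 - - - SEND
2022-03-21 10:15:03 ALLOW TCP 10.0.0.5 203.0.113.10 50124 445 0 - 0 0 0 - - - SEND
2022-03-21 10:15:03 ALLOW TCP 10.0.0.5 203.0.113.10 50125 139 0 - 0 0 0 - - - SEND
2022-03-21 10:15:04 ALLOW TCP 10.0.0.5 198.51.100.20 50126 443 0 - 0 0 0 - - - SEND
2022-03-21 10:15:05 ALLOW TCP 198.51.100.7 10.0.0.5 40000 445 0 - 0 0 0 - - - RECEIVE
2022-03-21 10:15:06 DROP TCP 10.0.0.5 203.0.113.10 50127 445 0 - 0 0 0 - - - SEND
"""

# Explicit list instead of ipaddress.is_private/is_global: those classify the
# RFC 5737 documentation ranges used in the sample as non-public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_pfirewall(text: str):
    """Yield one dict per record, keyed by the #Fields header; malformed rows are skipped."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#"):
            parts = raw.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_outbound_smb(text: str):
    """Outbound TCP to 445/139 at an external address. ALLOW means the NTLM exchange
    most likely completed; DROP means the host firewall stopped it but something tried."""
    alerts = []
    for rec in parse_pfirewall(text):
        if rec["path"] != "SEND" or rec["protocol"] != "TCP":
            continue
        port = int(rec["dst-port"])
        if port in SMB_PORTS and is_external(rec["dst-ip"]):
            alerts.append({"time": f'{rec["date"]} {rec["time"]}', "src": rec["src-ip"],
                           "dst": rec["dst-ip"], "dst-port": port, "action": rec["action"]})
    return alerts


def by_destination(alerts):
    """Group by external target so a single rogue share stands out in the summary."""
    summary = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for a in alerts:
        summary[a["dst"]]["allowed" if a["action"] == "ALLOW" else "dropped"] += 1
    return dict(summary)


if __name__ == "__main__":
    hits = find_outbound_smb(SAMPLE_LOG)
    for a in hits:
        print(a)
    print(by_destination(hits))
```

Internal file-server traffic (10.0.0.20) and inbound SMB are left alone; only the three records aimed at 203.0.113.10 are reported, and the ALLOW/DROP split tells the responder whether the outbound-445 block was in place when the forced connection fired.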

Reservation

08/28/2020

Disclosure

03/21/2022

Moderation

accepted

CPE

ready

EPSS

0.00634

KEV

no

Activities

very low
