Researchers at Horizon3.ai have uncovered a significant security flaw in Python applications running on Windows that could enable attackers to pilfer NTLM credentials. NTLM, short for NT LAN Manager, is a legacy authentication protocol still prevalent in many Windows environments.
If exploited, the vulnerability effectively hands attackers the keys to a user's network and sensitive information, potentially compromising entire systems.
The attack relies on what is known as NTLMv2 hash theft, a technique commonly used in internal penetration testing. It typically leverages outdated name-resolution protocols such as LLMNR/NBT-NS and forced-authentication weaknesses such as PetitPotam, frequently by manipulating client applications like Microsoft Outlook. Tools like Responder and ntlmrelayx are the go-to for attackers looking to exploit these weaknesses. The issue came to light when Horizon3.ai's Naveen Sunkavally described how the same thefts can occur during web application audits, via vulnerabilities such as Server-Side Request Forgery (SSRF) or XML External Entities (XXE) on Windows hosts.
The vulnerabilities stem from how Python handles file operations on Windows, particularly when input is not properly validated, leading to the exposure of NTLMv2 hashes. The problem was found in several popular Python frameworks, including Gradio from Hugging Face, Jupyter Server, and Streamlit from Snowflake, which are integral to tools such as Jupyter Notebook, JupyterLab, and Streamlit. For instance, Gradio's mishandling of file paths on Windows allows an attacker to send a malicious path to the server, which then reveals the NTLMv2 hash. Similar issues were identified in how the other frameworks manage file paths, with specific flaws traced to functions like Python's os.path.isabs and to applications that check whether a file exists before validating its path. Beyond exposing hashes, this enables attackers to perform relay attacks and gain access to other network resources, as demonstrated in real-world tests by NodeZero.

To mitigate these risks, users are advised to update their systems, block unnecessary outbound SMB traffic, and ensure they are running the latest versions of the affected applications.
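As an added illustration (not code from Horizon3.ai or from any of the affected frameworks), the Python below contrasts the ordering the article describes, an existence check that runs before the path is validated, with a validator that rejects UNC, drive-prefixed, rooted and traversing paths using purely lexical checks before anything touches the filesystem. It uses the standard library's ntpath module so that Windows path semantics apply wherever it runs; the base directory, the function names and the sample paths are constructed for the example.

```python
import ntpath
import os
from typing import Optional

# Constructed example value: a Windows-style directory the service is allowed
# to read from. None of the validation below touches a real filesystem.
BASE_DIR = r"C:\app\uploads"


def serve_file_unsafe_order(user_path: str) -> Optional[bytes]:
    """The ordering the article describes, kept here for contrast only.

    On Windows, os.path.exists() on a UNC path such as \\\\host\\share\\x makes
    the OS open an SMB session to 'host' and authenticate with the service
    account's credentials, handing an NTLMv2 response to whoever controls
    'host'. That round trip happens on the first line, before the path is
    ever validated, so the check that follows comes too late.
    """
    if not os.path.exists(user_path):          # network round trip on UNC input
        return None
    if ntpath.isabs(user_path):                # validation arrives after the leak
        return None
    with open(ntpath.join(BASE_DIR, user_path), "rb") as fh:
        return fh.read()


def safe_join_windows(base_dir: str, user_path: str) -> str:
    """Join user_path under base_dir or raise ValueError, touching nothing on disk.

    Rejected before any os call, using Windows path semantics via ntpath:
      * any drive or UNC/device prefix (C:..., \\\\server\\share, //server/share,
        \\\\?\\UNC\\server\\share, \\\\.\\pipe\\name), because even stat()ing such
        a path can make Windows authenticate to a remote host over SMB;
      * rooted paths (\\foo, /foo), which discard base_dir when joined;
      * traversal that normalises to a location outside base_dir.
    """
    if not user_path or "\x00" in user_path:
        raise ValueError("empty path or NUL byte")
    drive, tail = ntpath.splitdrive(user_path)
    if drive:
        raise ValueError(f"drive or UNC prefix not allowed: {drive!r}")
    if tail.startswith(("\\", "/")):
        raise ValueError("rooted path not allowed")
    base_norm = ntpath.normpath(base_dir)
    # normpath collapses "a\..\b" and converts forward slashes, so the
    # containment test below compares canonical forms.
    joined = ntpath.normpath(ntpath.join(base_norm, tail))
    if ntpath.commonpath([base_norm, joined]) != base_norm:
        raise ValueError("path escapes base directory")
    return joined


def is_rejected(base_dir: str, user_path: str) -> bool:
    """True when safe_join_windows refuses user_path."""
    try:
        safe_join_windows(base_dir, user_path)
    except ValueError:
        return True
    return False


def serve_file_safe_order(user_path: str) -> Optional[bytes]:
    """Validate first, then touch the filesystem: the only path that ever
    reaches exists()/open() is a normalised child of BASE_DIR on the local drive."""
    full_path = safe_join_windows(BASE_DIR, user_path)   # raises on bad input
    if not os.path.exists(full_path):
        return None
    with open(full_path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed sample inputs: one benign relative path and several that
    # a validator must refuse without ever asking the OS about them.
    for candidate in [r"report.txt", r"..\..\Windows\win.ini", r"\Windows\win.ini",
                      r"\\attacker\share\x", r"//attacker/share/x", r"C:\Windows\win.ini"]:
        verdict = "rejected" if is_rejected(BASE_DIR, candidate) else "allowed"
        print(f"{candidate!r:32} -> {verdict}")
```

The validator deliberately does not lean on os.path.isabs alone: its Windows behaviour for rooted-but-driveless paths such as `\foo` changed in Python 3.13, whereas checking the drive component and the leading separator separately gives the same verdict on every supported version. Doing all of this before the first `exists()` or `open()` is the point; once the OS has been asked about a UNC path, the SMB authentication has already happened.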