PoC Exploit Unveiled for Microsoft Office 0-Day Vulnerability – CVE-2024-38200


Security researchers have released a proof-of-concept (PoC) exploit for the recently disclosed Microsoft Office vulnerability CVE-2024-38200, which can let an attacker capture users' Net-NTLMv2 authentication responses (commonly called NTLMv2 hashes).

Cybersecurity is a mix of policies, best practices, and technical controls that protect essential systems and data from unauthorized access. Microsoft Security draws real-time threat intelligence from the telemetry of its very large user base; the Microsoft Intelligent Security Graph uses that data for proactive detection of and response to emerging threats.

A proof-of-concept (PoC) exploit is a benign, controlled attack against a computer or network: a demonstration that a flaw is real and reachable in a realistic scenario. PoC exploits are not meant to cause harm but to prove that a security weakness exists in the software. Because it only has to show that the technique works, a PoC is usually far smaller than a fully weaponized exploit and may take from a few days to a few months to produce. PoCs matter in decision-making because they make a potential problem concrete before an attacker exploits it.

Microsoft itself was founded in 1975, which makes it a young company by the standards of many of its enterprise customers and may be one factor in its success.

A zero-day vulnerability is putting Microsoft Office users at risk. Security researcher Metin Yunus Kandemir recently published the technical details and a proof-of-concept (PoC) exploit for CVE-2024-38200, an information disclosure flaw in Microsoft Office. Microsoft lists the issue as a spoofing vulnerability, but in practice it lets an unauthenticated attacker obtain the victim's NTLM credentials. The flaw affects multiple versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise, and has raised concern among security professionals because it hands protected information to unauthorized actors.

The underlying problem is an information disclosure weakness that exposes sensitive, protected data. In a web-based attack scenario, the attacker hosts (or compromises) a website that serves a specially crafted file that triggers the flaw. The attacker cannot force anyone to visit that site; the victim must be lured there by social engineering, typically a link sent by email or instant messaging, and persuaded to open the file.

CVE-2024-38200 is an information disclosure weakness in Microsoft Office that lets an attacker capture authentication material, specifically Net-NTLMv2 challenge/response hashes, over HTTP or SMB. The attack begins by tricking the user into clicking a crafted link to a malicious document hosted on a compromised or attacker-controlled server. When a vulnerable Office build opens the file, it connects back to that server and performs NTLM authentication automatically, without any prompt, so the attacker's listener records the user's Net-NTLMv2 response. That response can be cracked offline to recover the password or, if relayed while the authentication is in flight, used in NTLM relay attacks against other servers in the domain, including domain controllers where signing and channel binding are not enforced.
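To make concrete what a rogue HTTP or SMB listener actually ends up with when Office authenticates to it, here is an added example (not code from the original article, from Microsoft, or from the published PoC) that decodes an NTLM Type 3 AUTHENTICATE_MESSAGE, as carried in the victim's `Authorization: NTLM <base64>` header, together with the 8-byte ServerChallenge from the listener's own Type 2 CHALLENGE_MESSAGE, and prints the Net-NTLMv2 line in the `user::domain:challenge:NTProofStr:blob` format that hashcat mode 5600 expects. Field offsets follow MS-NLMP sections 2.2.1.2 and 2.2.1.3. The two sample messages are constructed in the script (the challenge bytes, user `jdoe`, domain `CORP` and response bytes are made up for the demonstration, not a real capture).

```powershell
# Added example: decode a captured NTLM Type 3 message into a crackable Net-NTLMv2 line.
# Nothing here is from the CVE-2024-38200 PoC; message layouts are from MS-NLMP.

function Read-NtlmField {
    # Resolve an 8-byte (Len, MaxLen, BufferOffset) descriptor to its payload bytes.
    param([byte[]]$Message, [int]$DescriptorOffset)
    $len    = [BitConverter]::ToUInt16($Message, $DescriptorOffset)
    $offset = [int][BitConverter]::ToUInt32($Message, $DescriptorOffset + 4)
    if ($len -eq 0) { return [byte[]]@() }
    return [byte[]]$Message[$offset..($offset + $len - 1)]
}

function ConvertTo-Hex {
    param([byte[]]$Bytes)
    return (($Bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Assert-NtlmType {
    param([byte[]]$Message, [uint32]$Expected)
    if ([Text.Encoding]::ASCII.GetString($Message, 0, 8) -ne "NTLMSSP`0" -or
        [BitConverter]::ToUInt32($Message, 8) -ne $Expected) { throw "Not an NTLM Type $Expected message" }
}

function Get-NtlmServerChallenge {
    # Type 2 (CHALLENGE_MESSAGE): ServerChallenge is the 8 bytes at offset 24.
    param([string]$Type2Base64)
    $m = [Convert]::FromBase64String($Type2Base64)
    Assert-NtlmType $m 2
    return [byte[]]$m[24..31]
}

function ConvertTo-NetNtlmv2Line {
    param([string]$Type3Base64, [byte[]]$ServerChallenge)
    $m = [Convert]::FromBase64String($Type3Base64)
    Assert-NtlmType $m 3
    $nt     = Read-NtlmField $m 20      # NtChallengeResponseFields
    $domain = Read-NtlmField $m 28      # DomainNameFields
    $user   = Read-NtlmField $m 36      # UserNameFields
    $flags  = [BitConverter]::ToUInt32($m, 60)
    # NTLMSSP_NEGOTIATE_UNICODE (bit 0) selects UTF-16LE strings, otherwise OEM (treated as Latin-1 here).
    $enc = if ($flags -band 1) { [Text.Encoding]::Unicode } else { [Text.Encoding]::GetEncoding(28591) }
    if ($nt.Length -le 24) { throw 'Response is 24 bytes: NTLMv1, use hashcat -m 5500 instead' }
    # NTLMv2_RESPONSE = 16-byte NTProofStr (HMAC-MD5) followed by the client blob that was HMAC'd.
    $proof   = [byte[]]$nt[0..15]
    $blob    = [byte[]]$nt[16..($nt.Length - 1)]
    $userStr   = if ($user)   { $enc.GetString($user) }   else { '' }
    $domainStr = if ($domain) { $enc.GetString($domain) } else { '' }
    return '{0}::{1}:{2}:{3}:{4}' -f $userStr, $domainStr,
        (ConvertTo-Hex $ServerChallenge), (ConvertTo-Hex $proof), (ConvertTo-Hex $blob)
}

# ---- Constructed test vectors (not a real capture) ---------------------------------
function New-NtlmFieldDescriptor {
    param([int]$Length, [int]$Offset)
    return [BitConverter]::GetBytes([uint16]$Length) + [BitConverter]::GetBytes([uint16]$Length) + [BitConverter]::GetBytes([uint32]$Offset)
}

function New-SampleType2 {
    param([byte[]]$Challenge)
    $m  = [Text.Encoding]::ASCII.GetBytes("NTLMSSP`0") + [BitConverter]::GetBytes([uint32]2)
    $m += New-NtlmFieldDescriptor 0 56                    # TargetName (empty) @12
    $m += [BitConverter]::GetBytes([uint32]0x00008201)    # NegotiateFlags @20 (UNICODE set)
    $m += $Challenge                                      # ServerChallenge @24
    $m += New-Object byte[] 8                             # Reserved @32
    $m += New-NtlmFieldDescriptor 0 56                    # TargetInfo (empty) @40
    $m += New-Object byte[] 8                             # Version @48
    return [Convert]::ToBase64String([byte[]]$m)
}

function New-SampleType3 {
    param([string]$User, [string]$Domain, [byte[]]$NtResponse)
    $u = [Text.Encoding]::Unicode.GetBytes($User); $d = [Text.Encoding]::Unicode.GetBytes($Domain)
    $lm = New-Object byte[] 24; $hdr = 88                 # 88-byte header incl. Version + MIC
    $oLm = $hdr; $oNt = $oLm + 24; $oD = $oNt + $NtResponse.Length; $oU = $oD + $d.Length; $oEnd = $oU + $u.Length
    $m  = [Text.Encoding]::ASCII.GetBytes("NTLMSSP`0") + [BitConverter]::GetBytes([uint32]3)
    $m += New-NtlmFieldDescriptor 24 $oLm                 # LmChallengeResponse @12
    $m += New-NtlmFieldDescriptor $NtResponse.Length $oNt # NtChallengeResponse @20
    $m += New-NtlmFieldDescriptor $d.Length $oD           # DomainName @28
    $m += New-NtlmFieldDescriptor $u.Length $oU           # UserName @36
    $m += New-NtlmFieldDescriptor 0 $oEnd                 # Workstation (empty) @44
    $m += New-NtlmFieldDescriptor 0 $oEnd                 # EncryptedRandomSessionKey (empty) @52
    $m += [BitConverter]::GetBytes([uint32]0x00088201)    # NegotiateFlags @60 (UNICODE set)
    $m += New-Object byte[] 24                            # Version (8) + MIC (16)
    $m += $lm + $NtResponse + $d + $u
    return [Convert]::ToBase64String([byte[]]$m)
}

$challenge = [byte[]](1..8)                                   # made-up server challenge
$ntResp    = [byte[]](0xA0..0xAF) + [byte[]](0x01..0x1C)      # made-up NTProofStr (16) + blob (28)
$type2 = New-SampleType2 -Challenge $challenge
$type3 = New-SampleType3 -User 'jdoe' -Domain 'CORP' -NtResponse $ntResp
ConvertTo-NetNtlmv2Line -Type3Base64 $type3 -ServerChallenge (Get-NtlmServerChallenge $type2)
```

With a real capture you would pass the base64 after `NTLM ` from the victim's `Authorization` header as `-Type3Base64` and the challenge your listener sent as `-ServerChallenge`; the resulting line goes straight into `hashcat -m 5600`. The point for defenders is that the "hash" leaked by CVE-2024-38200 is a challenge/response over the user's NT hash, so a captured line is only as safe as the password behind it, and a live relay of the same exchange does not even need cracking.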

Certain client settings make exploitation easier. If the attacker's address range has been added to Trusted Sites, or User Authentication in the security zone settings is set to automatic logon with the current user name and password, Office will perform NTLM authentication to the attacker's server automatically, without prompting the user.

Vulnerable versions include: 

Microsoft Office 2016 (32/64 bit) 

Microsoft Office 2019 (32/64 bit) 

Microsoft Office LTSC 2021 (32/64 bit) 

Microsoft 365 Apps for Enterprise (32/64 bit) 

Separately, on an earlier April Patch Tuesday, Microsoft used Windows Update to deliver stronger Spectre mitigations for AMD CPUs. That round of system-level patching targeted Spectre Variant 2 (CVE-2017-5715), which affects at least some AMD processors running Windows 10, and enabled the Indirect Branch Prediction Barrier (IBPB) mitigation. On the Office side, Microsoft's security offerings add capabilities such as Advanced Threat Protection, Data Loss Prevention, and email filtering to protect against phishing and related dangers.

Microsoft Office is a suite of programs that help people be more productive with everyday tasks on their computers: creating and editing text and image-based documents, working with data in spreadsheet and database applications, and designing presentations and posters. Microsoft Services offers an integrated approach to security, identity, and cybersecurity.

When will the final update be available?   

The Security Updates table will be revised when the update is publicly available. Microsoft states that an alternative fix was enabled through Feature Flighting on July 30, 2024, so in-support versions of Office and Microsoft 365 are already protected, and that customers should still install the August 13, 2024 updates for the final version of the fix. If you wish to be notified when this update is released, register for the security notifications mailer to be alerted of content changes to this CVE. See Microsoft Technical Security Notifications.

Ways to raise awareness of Microsoft vulnerabilities and promote proactive cybersecurity measures:

Security Awareness Training: Organize workshops on the value of applying patches for Microsoft products promptly, and educate participants on why regular software updates reduce exposure to vulnerabilities.

Security Notification Network: Create a place where cybersecurity professionals can report and discuss newly discovered Microsoft vulnerabilities and share insights and best practices for fixing them.

Case Study Series: Produce a series of case studies analyzing widespread Microsoft vulnerabilities such as EternalBlue or PrintNightmare, describing their impact, exploitation techniques, and how enterprises can defend themselves.

Automated Patch Management Program: Build a program that lets businesses automate patching of Microsoft products so they stay current with the latest security updates.

Cybersecurity Education Courses: Develop online training modules that teach users how to recognize and respond to potential vulnerabilities in Microsoft products such as Windows and Office.

Threat Intelligence Sharing Network: Build a network through which businesses share information on Microsoft vulnerabilities and threat intelligence, encouraging collaboration that improves security overall.

Vulnerability Assessment Tools: Create tools or scripts that help companies evaluate their Microsoft environments for known vulnerabilities and produce actionable recommendations. Microsoft also offers resources, webinars, and training programs on cybersecurity best practices, including Microsoft Learn and the Microsoft Cybersecurity Reference Architecture.

Microsoft's exploitability assessment rates CVE-2024-38200 as "Exploitation Less Likely", but users and organizations should stay watchful. To further limit the risk, Microsoft offered three mitigation strategies:

  • Network Security Configuration: the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, which audits or blocks NTLM authentication from the client to remote servers 
  • Protected Users Security Group: members cannot authenticate with NTLM at all 
  • Outbound TCP 445/SMB Blocking: at the perimeter firewall, the local firewall, and in VPN settings, so SMB connections cannot reach attacker-controlled hosts on the Internet 
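The following script is an added example, not code from the article or from Microsoft, that audits a Windows host for the two conditions described earlier that make the leak effortless (automatic logon in the Trusted Sites or Internet security zone, and IP ranges mapped into Trusted Sites) and for the state of the three mitigations listed above, then applies the host-side mitigations when run with `-Remediate`. Registry locations and value meanings are the documented Internet Settings and LSA MSV1_0 layouts; the firewall rule name is an arbitrary label chosen here, and `Internet` in `-RemoteAddress` is a Windows Firewall address keyword. Run it from an elevated PowerShell session; the Protected Users step is a domain change and is shown only as a comment.

```powershell
# Added example: audit (and optionally remediate) a Windows host for CVE-2024-38200-style NTLM leaks.
param([switch]$Remediate)

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
# Zone value 1A00 ("User Authentication: Logon"):
$LogonModes = @{ 0x00000 = 'Automatic logon with current user name and password'
                 0x10000 = 'Prompt for user name and password'
                 0x20000 = 'Automatic logon only in Intranet zone'
                 0x30000 = 'Anonymous logon' }

function Get-ZoneLogonSettings {
    # Per-user setting and the machine policy (GPO) override for every zone.
    foreach ($root in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
                      'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones') {
        foreach ($z in 0..4) {
            $v = (Get-ItemProperty -Path "$root\$z" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
            if ($null -ne $v) {
                [pscustomobject]@{ Source = $root.Split(':')[0]; Zone = $ZoneNames[$z]; Logon = $LogonModes[[int]$v]
                                   Risky  = ($v -eq 0 -and $z -ge 2) }   # silent NTLM outside the intranet
            }
        }
    }
}

function Get-TrustedSiteRanges {
    # IP ranges mapped into a zone: ZoneMap\Ranges\RangeN holds ':Range' and a scheme ('*' or 'http') = zone id.
    Get-ChildItem 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p  = Get-ItemProperty $_.PSPath
            $id = if ($null -ne $p.'*') { $p.'*' } elseif ($null -ne $p.http) { $p.http } else { -1 }
            [pscustomobject]@{ Range = $p.':Range'; Zone = $ZoneNames[[int]$id] }
        }
}

function Get-OutgoingNtlmRestriction {
    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    # RestrictSendingNTLMTraffic: absent/0 = allow all, 1 = audit all, 2 = deny all
    # (exceptions live in ClientAllowedNTLMServers).
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Mode       = @('Allow all', 'Audit all', 'Deny all')[[int]($p.RestrictSendingNTLMTraffic)]
                       Exceptions = $p.ClientAllowedNTLMServers }
}

function Test-OutboundSmbBlocked {
    # True when an enabled outbound block rule covers TCP/445.
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and ($pf.RemotePort -contains '445' -or $pf.RemotePort -eq 'Any')) { return $true }
    }
    return $false
}

function Invoke-Hardening {
    # Mitigation 1: restrict outgoing NTLM. Start in audit mode (1) and review events 8001 in the
    # Microsoft-Windows-NTLM/Operational log before moving to deny (2), or NTLM-only servers break.
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    # Mitigation 3: stop SMB leaving the host for the Internet.
    if (-not (Test-OutboundSmbBlocked)) {
        New-NetFirewallRule -DisplayName 'Block outbound SMB (TCP 445) to Internet' -Direction Outbound `
            -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
    # Mitigation 2 is a domain change, not a host setting. Protected Users members cannot use NTLM
    # (and also lose cached logons, RC4 and delegation), so add people, not service accounts:
    #   Add-ADGroupMember -Identity 'Protected Users' -Members 'jdoe'     # needs the ActiveDirectory module
    # Finally, turn off silent automatic logon for Trusted Sites (2) and Internet (3) for this user.
    foreach ($z in 2, 3) {
        Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z" -Name '1A00' -Value 0x20000 -Type DWord
    }
}

Get-ZoneLogonSettings | Format-Table -AutoSize
Get-TrustedSiteRanges | Format-Table -AutoSize
Get-OutgoingNtlmRestriction
"Outbound TCP/445 blocked by local firewall: $(Test-OutboundSmbBlocked)"
if ($Remediate) { Invoke-Hardening }
```

Audit first, remediate second: the `Restrict NTLM` policy in deny mode breaks legitimate authentication to any server that cannot do Kerberos, which is why the script sets audit mode and points at event 8001 rather than jumping to deny. The zone check matters because a `Risky` row for Trusted Sites or Internet means Office will hand over the Net-NTLMv2 response to any host in that zone without a prompt, which is exactly the condition the article describes as making exploitation easier.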


Hoplon Infosec