CVE-2026-39908
Received - Intake
NTLMv2 Hash Disclosure in OpenBullet2

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulnCheck

Description
OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application attempts to load proxies from the UNC path, triggering an SMB authentication attempt that discloses the NTLMv2 hash, which can then be relayed or cracked offline.
Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-09
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: openbullet2
Product: openbullet2
Version / Range: up to 0.3.2 (inclusive)
CWE
CWE ID: CWE-522
Description: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Executive Summary

OpenBullet2 version 0.3.2 and earlier on Windows contains a vulnerability where remote attackers can capture the NTLMv2 hash of the process user.

This happens when a job proxy source is configured with a UNC path pointing to an attacker-controlled SMB server. When the job runs, OpenBullet2 tries to load proxies from that UNC path, triggering an SMB authentication attempt.

This authentication attempt leaks the NTLMv2 hash, which attackers can then relay to other systems or crack offline using brute-force methods.

Compliance Impact

The vulnerability in OpenBullet2 allows remote attackers to capture NTLMv2 hashes of the process user, which can be relayed or cracked offline. This credential disclosure can lead to unauthorized access to sensitive systems or data.

Such unauthorized disclosure of credentials and potential access to protected information can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access.

Specifically, the exposure of authentication hashes could lead to breaches of confidentiality, violating data protection principles mandated by these regulations.

Impact Analysis

This vulnerability can lead to credential disclosure, specifically leaking the NTLMv2 hash of the user running the OpenBullet2 process.

An attacker who obtains this hash can perform relay attacks to gain unauthorized access to other systems or crack the hash offline to recover the user's password.

Such unauthorized access can compromise system security and potentially lead to further exploitation within the affected environment.

Detection Guidance

This vulnerability can be detected by monitoring SMB authentication attempts originating from OpenBullet2 jobs configured with UNC path proxy sources. Specifically, look for SMB connections to unusual or attacker-controlled servers that coincide with OpenBullet2 job executions.

Network administrators can use network monitoring tools or packet capture utilities to detect SMB authentication attempts that may leak NTLMv2 hashes.

  • Use Wireshark or tcpdump to capture SMB traffic and analyze for authentication attempts to suspicious UNC paths.
  • Run `Get-SmbSession` in PowerShell on a Windows system to monitor SMB sessions and identify active SMB connections.
  • Use Windows Event Viewer to check for security logs related to SMB authentication attempts (Event ID 4624 for successful logons).
Mitigation Strategies

To mitigate this vulnerability immediately, avoid configuring OpenBullet2 jobs with proxy sources that use UNC paths pointing to untrusted or external SMB servers.

Restrict or monitor SMB traffic from OpenBullet2 hosts to prevent connections to attacker-controlled servers.

Apply the latest updates or patches from OpenBullet2 if available, or upgrade to a version later than 0.3.2 where this vulnerability is fixed.

Limit the privileges of the user running OpenBullet2 to reduce the impact of any credential disclosure.
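
One way to enforce the first mitigation above is to audit proxy-source strings before a job is allowed to run. The following is an added example, not OpenBullet2 code: the function names, the sample sources and the allowlist are assumptions, and it goes slightly beyond the plain `\\server\share` form by also recognising forward-slash, `\\?\UNC\` and `file://host/` spellings of the same remote path.

```python
"""Audit proxy-source strings for UNC paths that would trigger outbound SMB auth."""

# Constructed sample values; how the strings are pulled out of job settings is not shown.
SAMPLE_SOURCES = [
    r"C:\tools\proxies.txt",
    r"\\198.51.100.7\share\proxies.txt",
    "//files.example.net/pub/proxies.txt",
    r"\\?\UNC\fileserver01\ops\proxies.txt",
    r"\\?\C:\data\proxies.txt",
    "https://proxy-list.example.org/list.txt",
]


def unc_host(source):
    """Return the remote host Windows would contact for this path, or None if local."""
    s = source.strip().strip('"')
    if s.lower().startswith("file:"):
        s = s[5:]                      # file://host/share -> //host/share
    s = s.replace("/", "\\")           # Windows accepts either separator
    if not s.startswith("\\\\"):
        return None                    # drive-letter path, relative path or URL
    parts = s[2:].split("\\")
    if parts[0] in ("?", "."):         # device-path prefixes such as \\?\ and \\.\
        if len(parts) > 2 and parts[1].upper() == "UNC":
            parts = parts[2:]          # \\?\UNC\host\share is still remote
        else:
            return None                # \\?\C:\... stays on the local machine
    return parts[0].lower() or None


def audit_proxy_sources(sources, trusted_hosts=()):
    """Return (source, host) for each source that points at a non-allowlisted host."""
    allowed = {h.lower() for h in trusted_hosts}
    findings = []
    for src in sources:
        host = unc_host(src)
        if host is not None and host not in allowed:
            findings.append((src, host))
    return findings


if __name__ == "__main__":
    for src, host in audit_proxy_sources(SAMPLE_SOURCES, trusted_hosts={"fileserver01"}):
        print(f"REVIEW: {src!r} would authenticate to {host}")
```

With the constructed samples and `fileserver01` allowlisted, the two sources pointing at `198.51.100.7` and `files.example.net` are reported; the local, extended-length local and HTTPS sources are not.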
