Mintty
cpe:2.3:a:mintty_project:mintty:*:*:*:*:*:*:*
- >= 2.3.6, <= 3.7.4
A vulnerability in Mintty, a terminal emulator for Cygwin, MSYS, and WSL, has been identified in versions 2.3.6 up to and including 3.7.4. Several escape sequences can be used to make Mintty access a file at an attacker-specified path. When such a sequence is printed in the terminal (for example, as part of untrusted program output or a file the victim views), the Mintty process opens a connection to an arbitrary network path and performs NTLM authentication against an attacker-controlled remote host, which captures the victim's NTLMv2 challenge-response. A captured NTLMv2 response is not an NT hash, so it cannot be used directly for Pass-the-Hash; it can, however, be relayed to other services while the connection is live (NTLM relay) or cracked offline with password-cracking tools. The root cause is an API provided by MSYS2 that converts POSIX paths to Windows paths: while doing so it checks whether the target is a symbolic link, and for a UNC path that check opens an SMB connection to the named host. This code is forked from Cygwin, so the same pattern could theoretically introduce similar vulnerabilities there.
Exploitation of this vulnerability lets an attacker capture NTLMv2 challenge-responses from the victim's machine without any user interaction beyond displaying attacker-controlled text. The captured responses can be relayed to other services that accept NTLM, or cracked offline with tools like Hashcat or John the Ripper to recover the user's password.
To reproduce this vulnerability, set up a Windows VM with Mintty version 3.7.1 installed as part of Git for Windows. On a Linux-based attacker VM, start an SMB server using Impacket's smbserver.py or Responder, making sure no other SMB service is bound to port 445 first. Print the crafted escape sequence payload in the Mintty terminal (for example, by cat-ing a file that contains it). The SMB server should then log the captured NTLMv2 response from the Windows VM.
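The attack above only works because untrusted bytes reach the terminal unfiltered. The following added example (written for this page, not Mintty's own code or the advisory's payload) shows the check a practitioner can apply before displaying untrusted output: it locates string-type control sequences (OSC, DCS, APC, PM, SOS), flags any whose payload carries a UNC path in either Windows form (`\\host\share`) or the POSIX form MSYS/Cygwin treats as UNC (`//host/share`), and strips those sequences while leaving benign ones such as window-title updates intact. The sample input is constructed for the example; the OSC number 7 in it is only a placeholder, not the specific sequence from the advisory, and 192.0.2.10 is a documentation address standing in for an attacker host.

```python
import re

# String-type control sequences: introducer bytes -> name. The payload runs
# until BEL (0x07) or ST (ESC \ or 0x9C). Both the 7-bit ESC forms and the
# 8-bit C1 forms are recognised. Note that C1 bytes can also occur inside
# valid UTF-8, so the 8-bit forms are a conservative over-approximation.
STRING_INTRODUCERS = {
    b"\x1b]": "OSC", b"\x9d": "OSC",
    b"\x1bP": "DCS", b"\x90": "DCS",
    b"\x1b_": "APC", b"\x9f": "APC",
    b"\x1b^": "PM",  b"\x9e": "PM",
    b"\x1bX": "SOS", b"\x98": "SOS",
}
_INTRO_RE = re.compile(b"|".join(re.escape(k) for k in STRING_INTRODUCERS))
_TERMINATOR_RE = re.compile(rb"\x07|\x1b\\|\x9c")
# \\host\share (Windows) or //host/share (MSYS/Cygwin POSIX spelling of UNC).
_UNC_RE = re.compile(rb"(?:\\\\|//)[A-Za-z0-9._-]+[\\/][A-Za-z0-9._$-]*")


def find_string_sequences(data: bytes):
    """Return (kind, start, end, payload) for every string-type sequence.

    An unterminated sequence runs to the end of the data; it is reported
    rather than ignored, because a terminal would keep consuming input as
    part of the sequence and the payload may still be acted upon.
    """
    out, pos = [], 0
    while True:
        m = _INTRO_RE.search(data, pos)
        if not m:
            return out
        kind = STRING_INTRODUCERS[m.group(0)]
        t = _TERMINATOR_RE.search(data, m.end())
        if t:
            payload, end = data[m.end():t.start()], t.end()
        else:
            payload, end = data[m.end():], len(data)
        out.append((kind, m.start(), end, payload))
        pos = end


def find_unc_sequences(data: bytes):
    """Return the sequences whose payload names a UNC host, with the paths found."""
    hits = []
    for kind, start, end, payload in find_string_sequences(data):
        paths = [p.decode("latin-1") for p in _UNC_RE.findall(payload)]
        if paths:
            hits.append({"kind": kind, "start": start, "end": end, "paths": paths})
    return hits


def sanitize(data: bytes) -> bytes:
    """Drop every string sequence carrying a UNC path; keep all other bytes.

    Only UNC-carrying sequences are removed, so a false positive from a C1
    byte inside UTF-8 text cannot delete anything unless it also looks like
    a network path.
    """
    out, pos = bytearray(), 0
    for hit in find_unc_sequences(data):
        out += data[pos:hit["start"]]
        pos = hit["end"]
    out += data[pos:]
    return bytes(out)


# Constructed sample: benign output and a title update, then an OSC carrying a
# Windows-form UNC path (OSC 7 is a placeholder number, not the advisory's
# sequence), then an unterminated APC carrying the POSIX-form UNC path.
SAMPLE = (
    b"build ok\n"
    b"\x1b]0;my title\x07"
    b"\x1b]7;\\\\192.0.2.10\\share\\x\x1b\\"
    b"done\n"
    b"\x1b_//192.0.2.10/share/y"
)

if __name__ == "__main__":
    for hit in find_unc_sequences(SAMPLE):
        print(f"{hit['kind']} at {hit['start']}-{hit['end']}: {hit['paths']}")
    print(sanitize(SAMPLE))
```

Running the block reports two flagged sequences (the OSC and the unterminated APC) and prints the sanitized stream, which keeps the title update and the plain text. Applying `sanitize` to output from a remote or untrusted source before writing it to the terminal removes the trigger regardless of which numbered sequence the terminal acts on; plain text that merely contains `//something/` outside a control sequence is left alone.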
Users should update to Mintty version 3.7.5 or later, which addresses this vulnerability.