OpenBullet2 <= 0.3.2
A credential disclosure vulnerability exists in OpenBullet2 versions through 0.3.2 on Windows. This vulnerability allows remote attackers to capture the NTLMv2 hash of the process user. Exploitation involves configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job is executed, the application attempts to load proxies from the UNC path, inadvertently triggering an SMB authentication attempt that discloses the NTLMv2 hash. This hash can then be relayed or cracked offline.
Successful exploitation discloses the NTLMv2 hash of the account running the OpenBullet2 process; that hash can then be relayed or cracked offline, potentially allowing unauthorized access or impersonation of that account.
To reproduce this vulnerability, upload a job configuration that includes a UNC path pointing to an attacker-controlled server. When the job is executed, OpenBullet2 will attempt to load proxies from the specified UNC path, triggering an SMB authentication request that discloses the NTLMv2 hash of the user running the OpenBullet2 process. This hash can be captured using a tool like Responder.
As a temporary measure, set a random API key in the OpenBullet2 settings so that only authorized users can submit job configurations. A permanent fix requires input validation that rejects UNC paths as proxy sources, so the application never initiates an SMB authentication attempt that could disclose the NTLMv2 hash.