ZDI-CAN-24744: Mintty Path Conversion Improper Input Validation Information Disclosure Vulnerability

Severity
CVSS v3 Base Score: 5.3/10
Severity: Moderate

Affected and Patched Versions
Affected versions: >= 2.3.6 <= 3.7.4
Patched versions: 3.7.5

Description
Mintty Path Conversion Improper Input Validation Information Disclosure Vulnerability

Vulnerability Details
CVSS: 5.3/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Abstract
Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: Mintty - Mintty

Impact
Several escape sequences can cause the mintty process to access a file at a specific path. An attacker can specify an arbitrary network path and thereby make the victim's machine negotiate an NTLM hash with an attacker-controlled remote host. NetNTLMv2 hashes can be used to Pass the Hash, or for password cracking with tools such as hashcat or John the Ripper.

Reproduction Steps
1. Set up an attacker VM (Linux based) and a victim VM (Windows).
2. Modify the payload for the appropriate IP address (the attacker VM's IP).
3. Run Impacket's smbserver.py or Responder with its SMB server enabled.
4. Make sure that no other SMB services are running.
5. Print the adjusted payload from the beginning in mintty.
6. The victim's hash should be printed by Impacket or Responder.

CVSS v3 Base Metrics
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

CVE ID
CVE-2024-45301

Weaknesses
CWE-20

Credits
zdi-disclosures (Reporter)
dscho (Coordinator)
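The CWE-20 root cause is that a path taken from terminal input was used without checking whether it names a remote host. The following check is an added illustration written for this page, not mintty's own code or its fix; it assumes a terminal emulator that receives a path string from an escape sequence and should refuse anything that would make Windows open an SMB or WebDAV connection (UNC and `//host/share` forms, the `\\?\UNC\` long-path form, percent-encoded variants, and `file://`/`smb://` URLs with a non-local host).

```python
import re
from urllib.parse import unquote, urlparse

# Device / long-path prefix: \\?\UNC\host\share is remote, \\?\C:\dir is local.
_DEVICE_PREFIX_RE = re.compile(r'^\\\\[?.]\\(.*)$')
# Plain UNC in Windows (\\host\share) or Cygwin/POSIX (//host/share) spelling.
_UNC_RE = re.compile(r'^(?:\\\\|//)[^\\/]')
# Hosts that resolve to the local machine and do not cause an outbound session.
_LOCAL_HOSTS = (None, '', 'localhost', '127.0.0.1')


def is_remote_path(path: str) -> bool:
    """Return True when `path` would be resolved on another host.

    A terminal emulator converting paths received from escape sequences
    (assumed scenario, not mintty's API) should drop such paths instead of
    opening them: opening a remote path on Windows triggers SMB/WebDAV
    authentication and leaks a NetNTLMv2 response to that host.
    """
    # Decode percent-encoding first so %5C%5Chost cannot slip past the checks.
    p = unquote(path.strip())

    m = _DEVICE_PREFIX_RE.match(p)
    if m:
        return m.group(1).upper().startswith('UNC\\')
    if _UNC_RE.match(p):
        return True

    # URL spellings: file://host/share or smb://host/share name a remote host,
    # file:///C:/dir and file://localhost/dir do not.
    u = urlparse(p)
    if u.scheme in ('file', 'smb') and u.hostname not in _LOCAL_HOSTS:
        return True
    return False


def filter_local_paths(paths):
    """Keep only paths that stay on the local machine (what a hardened
    path-conversion step would pass on to the file open)."""
    return [p for p in paths if not is_remote_path(p)]


if __name__ == '__main__':
    # Constructed sample inputs, not taken from the advisory.
    samples = [r'C:\Users\me\notes.txt', '/cygdrive/c/tmp/x',
               r'\\10.0.0.5\share\x', '//10.0.0.5/share/x',
               r'\\?\UNC\10.0.0.5\share\x', '%5C%5C10.0.0.5%5Cshare']
    for s in samples:
        print(f'{"REMOTE" if is_remote_path(s) else "local ":6} {s}')
```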