NTLM Credential Theft in Python Windows Applications Discovered in Popular Frameworks

On August 23, 2024, Horizon3.ai released a report exposing critical vulnerabilities in three widely used Python frameworks: Gradio, Jupyter Server, and Streamlit.

NTLM Credential Theft in Python Windows Applications Discovered in Popular Frameworks
The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (August 2024)

Introduction

On August 23, 2024, Horizon3.ai released a report exposing critical vulnerabilities in three widely used Python frameworks: Gradio, Jupyter Server, and Streamlit. These vulnerabilities, which affect NTLMv2 hash disclosure, are particularly concerning for Windows users, as unauthenticated attackers can exploit them to harvest credentials. 

NTLMv2 hash theft is a credential harvesting technique that exploits Windows' automatic authentication behaviour. Traditionally, this technique has been employed in internal penetration tests using tools like Responder or ntlmrelayx. The exploitation typically involves legacy protocols such as LLMNR/NBT-NS or forced authentication vulnerabilities like PetitPotam. While NTLMv2 hash theft is often associated with internal threats, recent cases have shown its applicability over the internet, particularly by exploiting Microsoft Outlook.

The vulnerabilities disclosed by Horizon3.ai are rooted in how certain Python frameworks handle file system operations on Windows. Specifically, the flaws allow unauthenticated attackers to capture or relay NTLMv2 hashes, leading to potential remote code execution. The affected frameworks—Gradio by Hugging Face, Jupyter Server, and Streamlit by Snowflake—are widely used in the AI and data science communities, heightening the risk of exploitation.

Report Overview

The vulnerabilities involve how these Python frameworks process file paths on Windows. In Gradio, for instance, the issue lies in how the framework’s file API endpoint handles user-provided paths. By exploiting the Path.is_dir()method on an unvalidated path, an attacker can force Gradio to connect to a malicious SMB server, leaking the NTLMv2 hash of the user running Gradio.

In the case of Jupyter Server, the vulnerability stems from the FileFindHandler function, which fails to verify that a user-provided path is within a restricted directory before making a file system call to os.path.isfile. This oversight allows attackers to provide a UNC path, resulting in NTLMv2 hash disclosure.

Streamlit, another popular framework, is vulnerable through its AppStaticFileHandler.validate_absolute_pathfunction. Here, the call to os.path.isdir occurs before validating the user-provided path, enabling attackers to exploit the application similarly.

Insights and Analysis

The disclosed vulnerabilities pose a significant risk to organizations and individuals using the affected frameworks on Windows. Given the widespread adoption of Gradio, Jupyter Server, and Streamlit in AI and data science projects, the potential for exploitation is high. Once an attacker obtains an NTLMv2 hash, they can either crack it to reveal the plaintext password or relay it to gain unauthorized access to other network resources. This threat is perilous when the compromised user has high-level privileges.

Fixes and Preventative Measures

To mitigate the risks, Horizon3.ai recommends the following actions:

  1. Update to the Latest Versions: Ensure you run Gradio 4.20+, Jupyter Server 2.14.1+, and Streamlit 1.37.0+ to patch the vulnerabilities.
  2. Network Security Configurations: Configure firewalls to block SMB traffic to the internet, reducing the likelihood of forced authentication vulnerabilities.
  3. Upgrade Python Versions: For those using Python on Windows, updating to version 3.11.2+ will address the underlying issues with os.path.isabs.

The associated security risks are evolving as Python continues to dominate the AI and data science landscape, particularly on Windows systems. The vulnerabilities highlighted in Horizon3.ai's report underscore the importance of vigilant security practices, especially in environments where Python applications are deployed on Windows. Developers, security professionals, and users must remain alert to these threats and ensure their systems are adequately protected.

Indicators of Compromise (IOCs)

IndicatorTypeDescription
No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Techniques

TacticTechniqueIDDescription
Credential AccessNTLM Relay/Pass-the-HashT1550.003Exploiting NTLMv2 hashes to authenticate to other systems or services.
Lateral MovementPass the HashT1550.002Using captured NTLMv2 hashes to move laterally across a network.

References:

NTLM Credential Theft in Python Windows Applications – Horizon3.ai
NTLM credential theft vulnerabilities in Python Windows applications: Jupyter Notebook CVE-2024-35178, Streamlit from Snowflake CVE-2024-42474 and Hugging Face Gradio CVE-2024-34510