CVE-2024-33881
📋 TL;DR
This vulnerability in Virto Bulk File Download for SharePoint allows attackers to force the server to authenticate to a malicious UNC share, potentially leaking NTLMv2 password hashes. It affects SharePoint 2019 installations using Virto Bulk File Download 5.5.44. Attackers could capture these hashes for offline cracking or relay attacks.
💻 Affected Systems
- Virto Bulk File Download for SharePoint
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers capture domain administrator NTLMv2 hashes, crack them offline, gain domain admin privileges, and compromise the entire Active Directory domain.
Likely Case
Attackers capture service account or user NTLMv2 hashes, crack weaker passwords, and gain unauthorized access to SharePoint resources or lateral movement within the network.
If Mitigated
With proper network segmentation and monitoring, attackers can at most capture hashes; strong password policies keep them from cracking those hashes or using them for lateral movement.
🎯 Exploit Status
Exploitation requires the attacker to control a malicious SMB server to capture the NTLMv2 hash. The vulnerability is in the isCompleted method that processes UNC paths.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.45 or later
Vendor Advisory: https://docs.virtosoftware.com/v/virto-security-frequently-asked-questions-faq
Restart Required: Yes
Instructions:
1. Download the latest version from VirtoSoftware.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart SharePoint services.
5. Verify the patch is applied.
🔧 Temporary Workarounds
Block UNC Path Processing
Windows: Modify the Download.ashx handler to reject UNC paths (starting with \\) in the path parameter.
Edit Virto.SharePoint.FileDownloader/Api/Download.ashx to add validation before the path is used; the forward-slash form //host/share is also a UNC path on Windows, so reject both prefixes: if (path.StartsWith("\\\\") || path.StartsWith("//")) { throw new Exception("UNC paths not allowed"); }
Network Segmentation
Windows: Block outbound SMB (ports 139, 445) from SharePoint servers to untrusted networks.
Windows Firewall: New-NetFirewallRule -DisplayName "Block SMB Outbound" -Direction Outbound -Protocol TCP -RemotePort 139,445 -Action Block
As written, this rule blocks SMB to every destination; add -RemoteAddress with the untrusted ranges if the SharePoint servers must still reach internal file servers.
🧯 If You Can't Patch
- Implement strict network segmentation to prevent SharePoint servers from communicating with untrusted SMB servers
- Enable SMB signing and encryption to make hash capture more difficult, though this doesn't prevent the initial leak
🔍 How to Verify
Check if Vulnerable:
Check whether Virto Bulk File Download 5.5.44 is installed on SharePoint 2019. Verify the existence of the /Virto.SharePoint.FileDownloader/Api/Download.ashx endpoint.
Check Version:
Check Virto Bulk File Download version in SharePoint Central Administration or the application's web.config file
Verify Fix Applied:
After patching, test that UNC paths (e.g., \\attacker\share) in the path parameter are rejected by the Download.ashx endpoint.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /Virto.SharePoint.FileDownloader/Api/Download.ashx with UNC paths in parameters
- Windows Event Logs showing SMB authentication attempts from SharePoint server to unusual IPs
Network Indicators:
- Outbound SMB connections from SharePoint server to external/untrusted IPs
- NTLM authentication traffic to non-corporate SMB servers
SIEM Query:
source="web_server_logs" AND uri_path="/Virto.SharePoint.FileDownloader/Api/Download.ashx" AND query_string="*\\\\*"
🔗 References
- https://docs.virtosoftware.com/v/virto-security-frequently-asked-questions-faq
- https://download.virtosoftware.com/Manuals/nu_ncsc_virto_one_bulk_file_download_v5.4.4_pt_disclosure.pdf