WordPad is a word processor software included with Windows 95 and later, until Windows 11. Similarly to its predecessor Microsoft Write, it is a basic word processor, positioned as more advanced than the Notepad text editor by supporting rich text editing, but with a subset of the functionality of Microsoft Word.
Earlier versions primarily supported a subset of the Rich Text Format (RTF, .rtf) and Microsoft Word 6.0 formats, although support for these formats were removed beginning with Windows XP Service Pack 2 and Windows Vista respectively for security reasons. Current versions are capable of saving Office Open XML (OOXML, .docx) and OpenDocument Text (.odt) files.
The WordPad application in Microsoft Windows can be exploited in order to improperly access sensitive NTLM Hashes. The NTLM hash is the cryptographic format in which user passwords are stored on Windows systems. NTLM hashes are stored in the SAM (security account manager) or NTDS file of a domain controller. They are a fundamental part of the mechanism used to authenticate a user through different communications protocols.
Exploit is possible in one of two ways:
If an attacker is able to gain NTLM hashes, they may be able to perform privilege escalation attacks and gain access to unauthorised user contexts, from which they could execute arbitrary code or commands on the system.
NOTE: This vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild as of 2023-10-11. Prioritisation should be given to remediation in any impacted environment.
Customers are advised to upgrade to the latest version of the impacted Microsoft Windows Instance(s). Update guidance is provided at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36563.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
No official mitigation guidance is offered by the vendor. It may be possible to consider blocking outbound NTLM over SMB on Windows 11, to hamper NTLM-relay exploits until the vulnerability is formally patched.
NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.
Category: Sensitive Data Disclosure
AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
No software to download or install.
Contact us or call us 0113 887 8380
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA)
