CVE-2019-1040

Published: 12/06/2019 Updated: 13/06/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

A vulnerability in the NT (New Technology) LAN Manager (NTLM) component of Microsoft Windows could allow an unauthenticated, remote malicious user to bypass security restrictions on a targeted system. The vulnerability exists because the NTLM MIC (Message Integrity Check) is susceptible to tampering during the NTLM exchange. An attacker could exploit the vulnerability by modifying flags on the NTLM packet during the exchange. A successful exploit could allow the malicious user to modify the flags without invalidating the signature and bypass NTLM MIC restrictions. Microsoft confirmed the vulnerability and released software updates.

Github Repositories

CVE-2019-1040: Great writeup! Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin. So, I wrote CVE-2019-1040.py for easy use. You can also check out my exchange2domain repo: github.com/ridter/exchange2domain, another way to use Exchange to get DC. Requirements: These tools require impacket. You can install it from pip with pip install i

UltraRelay: Updated by Lazaar Sami for the exploit CVE-2019-1040. UltraRelay is a tool for LLMNR poisoning and relaying NTLM credentials. It is based on Responder and impacket. I have updated the original version (github.com/5alt/ultrarelay) for the exploit CVE-2019-1040. Dirk-jan Mollema has updated ntlmrelayx (part of github.com/CoreSecurity/impacket) to have a --

CVE-2019-1040 scanner: Checks for the CVE-2019-1040 vulnerability over SMB. The script will establish a connection to the target host(s) and send an invalid NTLM authentication. If this is accepted, the host is vulnerable to CVE-2019-1040 and you can execute the MIC Remove attack with ntlmrelayx. Note that this does not generate failed login attempts as the login information itself

Author: Evi1cg. Blog: evi1cg.github.io. Table of Contents: Information gathering; open-source intelligence (OSINT) collection; github; whois lookup / registrant reverse lookup / email reverse lookup / related assets; google hacking; building an enterprise password dictionary; dictionary lists; obtaining email lists; leaked password lookup; collecting information about the enterprise's external footprint; obtaining subdomains; getting into the internal network; based on weak enterprise account vulnerabilities; 基

Change-Lockscreen: Change-Lockscreen is a tool to trigger network authentications as SYSTEM by changing the Windows lock screen image from the command line, to perform privilege escalation attacks such as the one described in the post linked below: www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/august/kerberos-resource-based-constrained-delegation-when-an-

DomainUserToDomainAdminTechniques: Techniques that can be used to get from domain user to domain admin. Powerup, PowerupSQL, Find-InterestingFile, Invoke-Kerberoast, Get-GPPPassword, Bloodhound, Find-localadminaccess, Domain Password Spray, Inveigh - LLMNR NBNS Poisoning, Get-ExploitableSystem, PowerWebShot, Invoke-ShareFinder / Invoke-FileFinder, SCCM, Matt Nelson

Active Directory Kill Chain Attack & Defense: Summary. This document was designed to be a useful, informational asset for those looking to understand the specific tactics, techniques, and procedures (TTPs) attackers are leveraging to compromise Active Directory, with guidance on mitigation, detection, and prevention. And understand Active Directory Kill Chain Attack and Mo

Awesome Stars: A curated list of my GitHub stars! Generated by starred. Contents: ASP, Arduino, Assembly, AutoHotkey, AutoIt, Batchfile, C, C#, C++, CSS, CoffeeScript, Dockerfile, Emacs Lisp, Erlang, Game Maker Language, Go, HTML, Haskell, Java, JavaScript, Jupyter Notebook, KiCad, Kotlin, Logos, Lua, M, Makefile, Markdown, Mask, Max, Nginx, Objective-C, Objective-C++, Others, PHP, PLpgSQL, Pascal, Perl, PostScri

Project overview: Information gathering, attack attempts to gain access, persistent control, privilege escalation, network information gathering, lateral movement, data analysis (with persistent control built on top of that), and trace wiping. Security-related resource list: arxiv.org, Cornell University's open document repository; github.com/sindresorhus/awesome

Project overview: Information gathering, attack attempts to gain access, persistent control, privilege escalation, network information gathering, lateral movement, data analysis (with persistent control built on top of that), and trace wiping. Security-related resource list: arxiv.org, Cornell University's open document repository; github.com/sindresorhus/awesome, the awesome series; www.owasp.org.cn/owasp-pr

Recent Articles

Microsoft Patch Tuesday – June 2019
Symantec Threat Intelligence Blog • Himanshu Mehta • 12 Jun 2019

This month the vendor has patched 88 vulnerabilities, 20 of which are rated Critical.

As always, customers are advised to follow these security best practices:

Install vendor patches as soon as they are available.
Run all software with the least privileges required while still mainta...

Microsoft Patches Four Publicly-Known Vulnerabilities
Threatpost • Tom Spring • 11 Jun 2019

Microsoft patched four Windows operating system bugs – all of which are already publicly known or have proof-of-concept exploits – as part of its June Patch Tuesday security bulletin. Each of the vulnerabilities is rated important and there are no reports of public exploitation for the flaws.
The four bugs are part of a total of 88 vulnerabilities that were patched by Microsoft this month, 21 of which are rated critical, 66 rated important and one moderate.
Raising the most conc...

Near-Ubiquitous Microsoft RCE Bugs Affect All Versions of Windows
Threatpost • Tara Seals • 11 Jun 2019

UPDATE
Two Microsoft vulnerabilities, CVE-2019-1040 and CVE-2019-1019, would allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS.
According to researchers at Preempt, who discovered the flaws, the two CVEs consist of three logical flaws in NTLM, the company’s proprietary authentication protocol. A successful exploit would allow an attacker to read a...

Microsoft NTLM Flaws Expose All Windows Machines to RCE Attacks
BleepingComputer • Sergiu Gatlan • 11 Jun 2019

Two critical vulnerabilities in Microsoft's NTLM authentication protocol consisting of three logical flaws make it possible for attackers to run remote code and authenticate on machines running any Windows version.
As Preempt's research team discovered, threat actors can "remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS."
The Windows NTLM (short for NT LAN Manager)...