Hash, crack, and the data scientist: Trio of Python frameworks exposed

Gradio by Hugging Face, Jupyter Server, and Streamlit from Snowflake vulnerable to NTLMv2 hash disclosure of the kind recently exploited by... CISA

A trio of popular Python frameworks – Gradio by Hugging Face, Jupyter Server, and Streamlit from Snowflake – are/were vulnerable to NTLMv2 hash disclosure. Among the risks for those not patching the bugs: That an unauthenticated attacker could crack the password exposed in an attack to gain access to Windows machines hosting such services, or “other network-accessible machines or third-party services” using the credential.

That’s according to security researchers at attack surface specialist Horizon3.ai, who recently detailed their work investigating the risk of NTLM credential theft in Python Windows applications and published details on the trio of bugs, allocated CVE-2024-34510, CVE-2024-35178, and CVE-2024-42474 respectively. (The Gradio bug was patched in May; the Jupyter Server bug was patched in June; and the Snowflake bug was fixed upstream in June, but only got a GitHub security advisory on August 12.)

The vulnerabilities were arguably more severe than their moderate CVSS ratings of 7.5, 7.5, and 5.9 might suggest: the CVSS vector for the lowest-scoring vulnerability, in Streamlit (CVE-2024-42474), for example, indicates that low privileges are required to exploit it. Horizon3.ai said: “This assessment is not accurate – this vulnerability can be exploited by unauthenticated attackers [and the vulnerabilities disclosed] have come up in real-world pentests.”

(Among those recently spotted using NTLMv2 hash capture in Red Teaming exercises: CISA, which captured and exploited 55 hashes including for a service domain in a recent audit of a healthcare provider.)

NTLMv2 hash disclosure: Exploitable

NTLMv2 is a protocol used to authenticate users to remote servers. Exploiting it is a well-rehearsed vector for attackers, who use an ever-evolving range of techniques, and harvesting the encrypted credentials the protocol uses is “made possible by the insistence of Windows to automatically authenticate to anything it possibly can”, said Horizon3.ai’s Naveen Sunkavally drily in an August 23 blog on the bugs.

As Sunkavally added, attackers can exploit NTLMv2 hash disclosure by:

“Cracking the hash to reveal the plaintext password of the user running the vulnerable service.” [or] “Relaying the hash to another network accessible target. Depending on the privileges of the victim user and configuration of the target, it’s possible to get remote code execution on the target host.”

They added: “In a lot of cases of NTLMv2 hash disclosure, the vulnerable web app runs as LocalSystem and the captured hash is that of a computer account. These accounts have long random passwords…The vulnerabilities disclosed here are more dangerous because the vulnerable applications are typically run by end users who tend to have crackable passwords. Once cracked, an attacker can then attempt to use these credentials to login to any services the victim user may have access to.”

As CISA earlier noted, NTLMv2 can be used to join a domain, authenticate between Active Directory forests, authenticate between earlier versions of Windows operating systems and authenticate computers that are not normally a part of the domain: “Cracking these passwords may enable malicious actors to establish a foothold in the domain and move laterally or elevate their privileges if the hash belongs to a privileged account.”

> Horizon3.ai’s more technically detailed post is here

> CISA’s unrelated but also NTLMv2 hash-catching exercise is here

When it comes to mitigation, users should update to the latest versions: That’s 4.20+ of Gradio, 2.14.1+ of Jupyter Server, and 1.37.0+ of Streamlit.

Sunkavally also urged defenders to “configure your host/network firewalls to block SMB traffic going out to the Internet. This is just good policy to prevent exploitation of forced Windows authentication vulnerabilities in general, such as the Outlook Elevation of Privilege vulnerability CVE-2023-23397 that is on CISA’s list of Known Exploited Vulnerabilities.”

(It’s basic good practice, but that often goes overlooked and if SMB traffic is not blocked, all three bugs can be exploited from the Internet…)

“For the security conscious, if you have users running Python on Windows, update to the latest version of Python so you don’t have to think about the bug in os.path.isabs affecting Python versions < 3.11.2.” – Horizon3.ai

Sunkavally was referring to an issue in a version of Python that came up as the company explored the Python application vulnerabilities: In brief, Python has a function called os.path.isabs that determines whether a file path is absolute (e.g., starting with a drive letter on Windows or a forward slash on Unix-like systems). In versions before 3.11.2, this function incorrectly classified certain partial UNC paths (network paths) as not absolute.

These partial UNC paths have a specific format: they start with two forward slashes (//), followed by an IP address or hostname, and then a share name (e.g., //10.0.225.200/share). They must have no trailing slash or additional path elements. Another Python function, os.path.join, treated these partial UNC paths as absolute paths.

If an attacker could trick a Python application into using a partial UNC path, the application might mistakenly assume it’s a valid absolute path and try to access it, thereby exposing sensitive information, such as NTLMv2 hashes, which are used for authentication. Python’s security team is aware of this minor but still potentially usable bug but “they did not see a reason for further follow up”, said Horizon3.ai in its blog.
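The isabs/join disagreement described above, together with a defensive check an application can apply to user-supplied path components regardless of Python version, as an added example (not Horizon3.ai’s code or any of the three projects’ own). It calls Python’s ntpath module explicitly so the Windows path semantics can be examined on any OS; the base directory and sample paths are constructed for illustration.

```python
import ntpath

# Constructed sample input: a partial UNC path in the form the text describes
# (two leading slashes, host, share, no trailing slash or further elements).
PARTIAL_UNC = "//10.0.225.200/share"
BASE_DIR = r"C:\app\data"  # constructed application data directory


def isabs_disagreement(candidate: str) -> dict:
    """Show how ntpath.isabs and ntpath.join treat the same candidate.

    On Python < 3.11.2, isabs() returns False for a partial UNC path, yet
    join() still discards the base directory and returns the UNC path
    unchanged, so an "is it absolute?" guard based on isabs() is bypassed.
    """
    joined = ntpath.join(BASE_DIR, candidate)
    return {
        "isabs": ntpath.isabs(candidate),            # version dependent
        "joined": joined,
        "join_discards_base": not joined.lower().startswith("c:"),
    }


def is_safe_relative_path(base_dir: str, candidate: str) -> bool:
    """Reject any candidate that could name a network/UNC location, a drive,
    a rooted path, or a location outside base_dir. Does not rely on isabs().
    """
    if not candidate:
        return False
    norm = candidate.replace("/", "\\")
    # One leading separator is a rooted path, two is UNC or a device path.
    if norm.startswith("\\"):
        return False
    # Any drive component (C:, D:file, or a UNC drive) is rejected outright.
    drive, _ = ntpath.splitdrive(norm)
    if drive:
        return False
    # Finally, the normalised result must still sit inside base_dir,
    # which catches "..\\..\\" traversal.
    base = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(base, norm))
    try:
        return ntpath.commonpath([base, full]) == base
    except ValueError:  # different drives or absolute/relative mix
        return False


if __name__ == "__main__":
    print(isabs_disagreement(PARTIAL_UNC))
    for p in ("reports\\q1.txt", PARTIAL_UNC, r"..\..\secret", "D:file"):
        print(repr(p), "->", is_safe_relative_path(BASE_DIR, p))
```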

The trio of bugs are potentially troubling because even if the vulnerable application is not directly exposed to the Internet, “it’s possible to exploit it indirectly through SSRF or XXE vulnerabilities affecting other perimeter assets” emphasised Horizon3.ai; possible “because the vulnerabilities disclosed in this post are all exploitable with simple GET requests.”
