Theft of Windows password hashes and incomplete patching in Microsoft Outlook

Apparently, Microsoft believes it has done everything necessary to secure the most popular e-mail client in the world, Microsoft Outlook. The flaw, reported 18 months ago by Will Dormann of the CERT Coordination Center (CERT/CC) in the United States, has only been partially patched. As the expert explains, in the latest Patch Tuesday update (Microsoft's monthly release on the second Tuesday of each month) Microsoft did not completely eliminate the problem tracked as CVE-2018-0950.

Initially, this was a very serious bug in Microsoft Outlook. Exploiting the vulnerability disclosed the victim's Windows login credentials when they received an RTF e-mail message containing an OLE object. It was enough to read the message in the Microsoft Outlook client: an SMB connection to a server controlled by the attacker was initiated automatically. No user interaction was required.

The following screenshot shows that a remote image is not loaded and that user interaction is required. These are standard security features of MS Outlook that prevent disclosure of the victim's real IP address and other metadata (this applies to ordinary plain-text or HTML messages).

[Screenshot: Microsoft Outlook blocking a remote image]

Will Dormann repeated the experiment with an RTF message and an OLE object loaded from a remote SMB/CIFS server:

[Screenshot: Microsoft Outlook loading the remote OLE object from an RTF message]

If the message is in RTF format, the Outlook mail client loads the OLE object without any interaction.

Traffic captured in Wireshark reveals what the attacker actually obtains:

[Screenshot: Wireshark capture of the outbound SMB traffic]

Merely reading the message leaked the victim's IP address, domain name, username, hostname and an automatic SMB session setup, including the NTLMv2 authentication hash, which was cracked on an Nvidia 960 GPU in 1 second (although it must be admitted that the password "test_user" is very easy to crack).

This is not the only problem associated with CVE-2018-0950. The user also gets a BSOD for free and ends up in a loop: Outlook remembers the last opened message, so every time the system is restarted and the e-mail client is opened, the system hangs again.

[Screenshot: Windows BSOD triggered by the Outlook bug]

Microsoft's update for CVE-2018-0950 no longer allows OLE content to be loaded automatically from a remote server, but the fix can still be bypassed with social engineering: the attacker now needs the victim to click a URL that starts the connection to the foreign SMB server.

In the published guidance it is recommended to block outbound connections on 445/tcp, 137/tcp, 139/tcp, 137/udp and 139/udp, install the released updates, disable NTLM Single Sign-On (SSO) and use complex passwords.
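As an added example (not part of the original article or of Dormann's report), the following Python script turns the port list above into a detection check: it reads Windows Firewall log records and flags any SMB or NetBIOS connection from an internal host to an address outside the organisation's own ranges, which is precisely the traffic this bug generates. The log lines, the internal ranges and the RFC 5737 documentation addresses standing in for the attacker's server are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Protocol/port pairs from the CERT/CC guidance; here they drive detection rather than blocking.
SMB_PORTS = {("TCP", 445), ("TCP", 137), ("TCP", 139), ("UDP", 137), ("UDP", 139)}
# Assumption: the organisation's own ranges; any other destination counts as a foreign SMB server.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# action ALLOW = credentials may have leaked; DROP = the egress block rule fired as intended.
Egress = namedtuple("Egress", "time action proto src dst dport")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_firewall_line(line):
    # pfirewall.log record: date time action protocol src-ip dst-ip src-port dst-port ...
    if line.startswith("#"):
        return None  # header or comment line
    f = line.split()
    if len(f) < 8:
        return None  # truncated record
    try:
        ipaddress.ip_address(f[4])
        ipaddress.ip_address(f[5])  # reject records whose address columns are not IPs
        return {"time": f"{f[0]} {f[1]}", "action": f[2], "proto": f[3],
                "src": f[4], "dst": f[5], "dport": int(f[7])}
    except ValueError:
        return None  # e.g. ICMP records carry "-" in the port columns

def find_smb_egress(lines):
    # Every SMB/NetBIOS connection from an internal host to a foreign address, in log order.
    hits = []
    for line in lines:
        r = parse_firewall_line(line)
        if r is None or (r["proto"], r["dport"]) not in SMB_PORTS:
            continue
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            hits.append(Egress(r["time"], r["action"], r["proto"], r["src"], r["dst"], r["dport"]))
    return hits

# Constructed sample log; 198.51.100.23 plays the attacker's SMB server, 203.0.113.50 a web site.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-04-11 09:15:02 ALLOW TCP 192.168.1.20 192.168.1.5 49710 445 0 - 0 0 0 - - - SEND
2018-04-11 09:15:09 ALLOW TCP 192.168.1.20 198.51.100.23 49712 445 0 - 0 0 0 - - - SEND
2018-04-11 09:15:09 ALLOW UDP 192.168.1.20 198.51.100.23 137 137 0 - - - - - - - SEND
2018-04-11 09:15:31 ALLOW TCP 192.168.1.20 203.0.113.50 49715 443 0 - 0 0 0 - - - SEND
2018-04-11 09:16:40 DROP TCP 192.168.1.20 198.51.100.23 49720 445 0 - 0 0 0 - - - SEND
"""
```

Running `find_smb_egress(SAMPLE_LOG.splitlines())` reports the two allowed connections to 198.51.100.23 (the leak) and the later dropped one (the block rule working), while the file-server and HTTPS lines are ignored.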


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.