HFTTF Girişim Zirvesi

Son Haberler

İzmir Bilişim Zirvesi 2015’e Katıldık
ODTÜ Android Geliştirici Günlerine Katıldık
kiralık bahis sitesi fiyatları
bahis sitesi kiralama
THE 7 MOST ESSENTIAL SECURITY AWARENESS TRAINING TOPICS FOR 2021
Oltalama Saldırıları Şirketler İçin Ne Anlama Geliyor?
Websitenizin Güvende Olduğundan Nasıl Emin Olabilirsiniz?
WHAT SHOULD YOU DO IF YOU ARE A VICTIM OF A PHISHING ATTACK?
WHAT TO DO IF YOU RECEIVE A PHISHING EMAIL?
Etkili Oltalama Eğitimi İçin Gerekli Adımlar
Önemli Oltalama Türleri ve Tespit Yöntemleri
EMAIL SECURITY SOLUTIONS
Fidye Yazılımı ve Oltalama 2021’de de Artışta Olacak
E-posta Güvenlik Yazılımı Seçerken Nelere Bakılmalı?
Şu an buradasınız: Ana Sayfa / Genel / READING AN EMAIL IN MICROSOFT OUTLOOK IS CAUSING YOUR SENSITIVE INFORMATION TO LEAK
Genel

READING AN EMAIL IN MICROSOFT OUTLOOK IS CAUSING YOUR SENSITIVE INFORMATION TO LEAK

24 Ocak 2021 By 0 2

A vulnerability, discovered by Will Dormann, a vulnerability analyst at the CERT Coordination Center (CERT/CC). This vulnerability (CVE-2018-0950) could allow cybercriminals to steal sensitive information, including users’ Windows login credentials, by convincing victims to preview an email with Microsoft Outlook, without requiring any additional user interaction. [1]

How did it happen?

When a Rich Text (RTF) email is previewed in Microsoft Outlook, remotely-hosted OLE content is retrieved without requiring any additional user interaction. This situation can leak private information including the user’s password hash, which may be cracked by an attacker. [2]

The case of Microsoft Outlook

Microsoft Outlook will automatically retrieve remote OLE content when an RTF email is previewed. When remote OLE content is hosted on an SMB/CIFS server, the Windows client system will attempt to authenticate with the server using single sign-on (SSO); this may leak the user’s IP address, domain name, username, hostname, and password hash. If the user’s password isn’t secure, a cybercriminal can crack the password in a short amount of time.[2]

Basics of OLE

OLE is a technology of Microsoft allows content from one program to be embedded into a document handled by another program released in 1990. For instance, in Windows 3.x Microsoft Write provides the ability to embed a “Paintbrush Picture” object, as well as a “Sound” or a “Package” which are the three available OLE objects that can be inserted into a Write document[3]

Microsoft Outlook is an email client that comes with Microsoft Office. Outlook includes the ability to send rich text (RTF) email messages which can consist of OLE objects in them. [3]

Microsoft outlook vulnerability

A remote, unauthenticated cybercriminal can obtain the victim’s IP address, domain name, username, hostname, and password hash, by merely convincing a user to preview an RTF email message with Microsoft Outlook.  This password hash may be cracked offline. This vulnerability may be combined with other weaknesses to modify the impact. [2]

A remote attacker can exploit this vulnerability by sending an RTF email to a target victim, containing a remotely-hosted image file (OLE object), loading from the attacker-controlled SMB1 server. Because Microsoft Outlook automatically renders OLE content, it will initiate an automatic authentication with the cybercriminal’s controlled remote server over SMB protocol using single sign-on (SSO), handing over the victim’s username and NTLMv2 hashed version of the password, potentially allowing the attacker to gain access to the victim’s system.[1]

An SMB connection is being automatically negotiated. Because Outlook is previewing an email that is sent to it. In picture 4, IP address, Domain name, Username, Hostname, SMB session key are leaked. “A remote OLE object in a rich text email messages functions like a web bug on steroids!” [3]

Why would any Windows PC automatically hand over credentials to the cybercriminal’s SMB server?

This is how authentication via the Server Message Block (SMB) protocol works in combination with the NTLM challenge/response authentication mechanism.

Microsoft Outlook Behavior

HTML email messages on the Internet are much more common than rich text email, so first look at the behaviour of Microsoft Outlook when viewing an HTML message that has a remote image on a web server [3]

It can be seen that the remote image is not loaded automatically,  because if Outlook has allowed remote images to load automatically, it can leak the client system’s IP address and other metadata such as the time that an email is viewed. This restriction helps to protect against a web bug being used in email messages. However when we try the same sort of message, except in rich text format; and rather than a remote image file, it’s an OLE document that is loaded from a remote SMB server [3]

Outlook blocks remote web content due to the privacy risk of web bugs; however, with a rich text email, the OLE object is loaded with no user interaction.

Solutions [2]

Apply and update

This vulnerability is addressed in the Microsoft update for CVE-2018-0950. This update prevents Outlook from automatically initiating SMB connections when an RTF email is previewed. Note that other techniques requiring additional user interaction will still function after this patch is installed. For example, if an email contains a UNC link, like \\attacker\foo, Outlook will automatically make this link clickable. If a user clicks such a link, the impact will be the same as with this vulnerability. For this reason, please also consider the following workarounds.

Block inbound and outbound SMB connections at your network border

This can be accomplished by blocking ports 445/tcp, 137/tcp, 139/tcp, as well as 137/udp and 139/udp.

Block NTLM Single Sign-on (SSO) authentication

Block NTLM Single Sign-on (SSO) authentication, as specified in Microsoft Security Advisory ADV170014. Starting with Windows 10 and Server 2016, if the EnterpriseAccountSSO registry value is created and set to 0, SSO authentication will be disabled for external and unspecified network resources. With this registry change, accessing SMB resources is still allowed, but external and unspecified SMB resources will require the user to enter credentials as opposed to automatically attempting to use the hash of the currently logged-on user.

Use strong passwords

Assume that at some point your client system will attempt to make an SMB connection to an attacker’s server. For this reason, make sure that any Windows login has a sufficiently complex password so that it is resistant to cracking. The following two strategies can help achieve this goal:

  • Use a password manager to help generate complex random passwords. This strategy can help ensure the use of unique passwords across resources that you use, and it can ensure that the passwords are of sufficient complexity and randomness.
  • Use longer passphrases (with mixed-case letters, numbers and symbols) instead of passwords. This strategy can produce significant credentials that do not require additional software to store and retrieve.

References

[1] https://thehackernews.com/2018/04/outlook-smb-vulnerability.html

[2] https://www.kb.cert.org/vuls/id/974272

[3] https://insights.sei.cmu.edu/cert/2018/04/automatically-stealing-password-hashes-with-microsoft-outlook-and-ole.html

“This post is originally published at www.keepnetlabs.com”

RSS Teknoloji Haberleri