Skip to navigation Skip to main content Skip to footer

Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook

Vendor: Microsoft

Vendor URL: https://www.microsoft.com/

Systems Affected: Microsoft Outlook

Author: Soroush Dalili

CVE Identifiers: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8572, https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11927

Risk: Medium – Possible SMB Hash Hijacking or User Tracking

Summary

Microsoft Outlook could be abused to send SMB handshakes externally after a victim opening or simply viewing an email. A WebDAV request was sent even when the SMB port was blocked. This could be used to crack a victim’s password when the SMB hash was sent externally, or to receive a notification when an email had been viewed by a victim.

This issue was exploited using Outlook default settings that blocked loading external resources such as image files.

Location

Emails that are received in Outlook can contain malicious HTML contents.

Impact

Attackers could obtain victims’ SMB hash to crack their password when the SMB hash was allowed to be sent externally (default setting). Alternatively, active email addresses could be enumerated as notification could be sent to attackers without victims’ consent when an email was viewed.

Details

A number of URI schemes and URI patterns were identified that could be used in a number of HTML tags to bypass restrictions of Outlook default settings that blocked the “” pattern URLs and loading external resources such as image files.

The following blog post include the details of the identified payloads:

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/smb-hash-hijacking-and-user-tracking-in-ms-outlook/

Recommendation

Apply patches for CVE-2017-8572 (July 2017) and CVE-2017-11927 (May 2018).

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cyber security.

Written by:  Soroush Dalili