Disclosure of authentication data via SMB through manipulated e-mails

OLE

Embedding an OLE object in an RTF e-mail causes the recipient's mail client to open an SMB connection automatically. Over that connection the recipient's authentication data can be read out.


Researchers at the CERT Coordination Center (CERT/CC) of Carnegie Mellon University recently showed [1] how an attacker can obtain a recipient's authentication data by e-mail, without any authorisation. They created an e-mail in Rich Text Format (RTF) that links an OLE object (Object Linking and Embedding). OLE is used to compose a more complex document from content provided by OLE-enabled applications.

Such OLE links need not point to the local file system: they can refer to other network hosts, for example a remote SMB (Server Message Block) server. SMB is the protocol used, primarily on Microsoft Windows systems, to share files and folders on a network and to access them from other systems.

The researchers found that when the linked OLE object is loaded, the client automatically transmits further information to the SMB server. In the specific case this comprised not only the client's internal IP address, host name and domain name but also the logged-on user name and the SMB session key. The password itself is not sent in plain text; the client uses it to compute an NTLMv2 (NT LAN Manager) challenge-response hash, which the server receives. Various tools can attack such a hash offline, and recovering the password takes anywhere from a few minutes to years depending on its complexity.

Until the fix, Microsoft Outlook loaded linked OLE objects automatically. According to the researchers, this happened even when the user did not explicitly open the manipulated e-mail, because Outlook rendered it for the preview pane. The researchers were also able to exploit a further vulnerability in the SMB client to crash the Windows system.

Microsoft has since fixed the automatic loading of OLE objects in Outlook with an update (CVE-2018-0950 [2], 10 April 2018). Users of Microsoft Outlook are strongly advised to install this update immediately and to use strong passwords in general. SMB access across the network perimeter (both inbound and outbound) should always be critically questioned: the update only stops the automatic loading, so if the user clicks on a (possibly disguised) SMB link, a connection is still established.

Affected Systems:

  • Users of Microsoft Outlook, at least versions 2007 through 2016

Recommendation:

Users of Microsoft Outlook should pay particular attention to unusual e-mails in the coming weeks and install Microsoft's update for CVE-2018-0950 without delay to prevent the automatic disclosure of authentication data. In addition, links in e-mails should be checked carefully before they are clicked, and strong passwords should be used throughout.

Depending on the company, NTLM single sign-on (SSO) can also be blocked for external resources, as described in Microsoft Security Advisory ADV170014 [3].

Access from internal systems to SMB shares on the Internet should not occur without good reason and should be prohibited as a matter of principle. Even where such access exists, outbound SMB traffic to the Internet (TCP ports 139 and 445) should be blocked at the firewall, at least until the security updates are available and installed.

Detection with the finally safe Advanced Security Analytics Platform:

With the solution, users can check whether their systems are communicating via the SMB protocol or have done so in the past, and whether they are or have recently been the target of a spam or phishing wave. Which information is available depends on the modules in use:

  • Real-time monitoring will already have alerted you live to possible spam or phishing waves that increasingly carried questionable file attachments.
  • If you subscribe to the management report, possible accesses to your IT systems via the SMB protocol have already been analysed and listed there.
  • If you receive the weekly technical report, SMB accesses are shown in the connection overview.
  • If the Network Compliance Verifier is activated, you can locate SMB accesses in the web portal and directly identify the affected IP addresses of your clients.
  • In the Expert System, you can filter on the well-known SMB ports (TCP 139 and 445) to see whether such network traffic exists.
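As an added example (not part of this advisory and not code from the finally safe platform), the check the list describes written out against a constructed connection log: flag TCP connections from internal clients to non-internal hosts on the well-known SMB ports 139 and 445, and list the affected client addresses. The key=value log format and the address ranges counted as internal are assumptions; any flow or firewall log with source, destination, protocol and destination port would do.

```python
"""Flag outbound SMB connections from internal clients to Internet hosts.

Added example, not part of the original advisory and not code from the
finally safe platform. It applies the detection the advisory describes
(traffic on the well-known SMB ports leaving the internal network) to
constructed connection records in an assumed key=value flow-log format.
"""
import ipaddress
import re
from dataclasses import dataclass

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Address space treated as internal; everything else counts as Internet.
# Listed explicitly rather than via ip_address().is_private, which also
# classifies documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample records (assumed format, not real traffic).
SAMPLE_LOG = """\
ts=2018-04-11T09:12:03Z src=192.168.10.23 dst=192.168.10.5 proto=tcp dport=445 bytes=18324
ts=2018-04-11T09:12:05Z src=192.168.10.23 dst=203.0.113.17 proto=tcp dport=445 bytes=1412
ts=2018-04-11T09:12:06Z src=192.168.10.23 dst=203.0.113.17 proto=tcp dport=443 bytes=52310
ts=2018-04-11T09:12:09Z src=192.168.10.41 dst=198.51.100.8 proto=tcp dport=139 bytes=902
ts=2018-04-11T09:13:15Z src=10.20.0.7 dst=10.20.0.1 proto=udp dport=53 bytes=120
ts=2018-04-11T09:14:00Z src=192.168.10.23 dst=2001:db8::10 proto=tcp dport=445 bytes=1380
malformed line without fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    """True if addr falls in one of the internal ranges defined above.
    IPv6 addresses never match the IPv4 ranges and are therefore external."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_record(line: str) -> dict:
    """Turn one key=value record into a dict; tolerant of extra fields."""
    return dict(FIELD_RE.findall(line))


def find_outbound_smb(log_text: str) -> list:
    """One Alert per TCP connection from an internal source to an external
    destination on an SMB port. Incomplete or unparsable lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        try:
            dport = int(rec["dport"])
            if rec.get("proto", "").lower() != "tcp" or dport not in SMB_PORTS:
                continue
            if is_internal(rec["src"]) and not is_internal(rec["dst"]):
                alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], dport))
        except (KeyError, ValueError):
            continue
    return alerts


def affected_clients(alerts: list) -> set:
    """Distinct internal source addresses that spoke SMB to the Internet."""
    return {a.src for a in alerts}


if __name__ == "__main__":
    found = find_outbound_smb(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport}  outbound SMB")
    print("clients to check:", sorted(affected_clients(found)))
```

Each flagged client is a machine on which a user either had a manipulated e-mail rendered or clicked an SMB link; the leaked credentials for the account logged on there should be treated as compromised until the password is changed.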

Sources / further Information:
