SMB hash hijacking & user tracking in MS Outlook

Microsoft (MS) Outlook could be abused to send SMB handshakes externally after a victim opened or simply viewed an email. A WebDAV request was sent even when the SMB port was blocked. This could be used to crack a victim’s password when the SMB hash was sent externally, or to receive a notification when an email had been viewed by a victim.
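One way to look for this behaviour from the defender's side is to scan egress logs for SMB connections leaving the network and for the WebDAV fallback. The following is an added example, not code from the NCC Group project; the log format, sample lines, and function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed egress log (not real traffic). Assumed field order:
# time src_ip dst_ip dst_port http_method user_agent
SAMPLE_LOG = """\
2018-05-10T09:01:02 10.0.4.21 10.0.0.5 445 - -
2018-05-10T09:01:07 10.0.4.21 203.0.113.50 445 - -
2018-05-10T09:01:08 10.0.4.21 203.0.113.50 80 OPTIONS Microsoft-WebDAV-MiniRedir/10.0.16299
2018-05-10T09:01:09 10.0.4.21 203.0.113.50 80 PROPFIND Microsoft-WebDAV-MiniRedir/10.0.16299
2018-05-10T09:02:30 10.0.4.33 198.51.100.7 443 GET Mozilla/5.0
"""

# Explicit RFC 1918 ranges; ipaddress.is_private would also match the
# documentation ranges used as stand-in external hosts above.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {"445", "139"}                    # SMB direct and SMB over NetBIOS
WEBDAV_AGENT = "Microsoft-WebDAV-MiniRedir"   # Windows WebClient user agent

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_leaks(log_text):
    """Return (time, src, dst, kind) for SMB or WebDAV traffic leaving the network."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) != 6:
            continue                          # skip malformed lines
        ts, src, dst, port, _method, agent = parts
        try:
            if is_internal(dst):
                continue
        except ValueError:
            continue                          # destination is not an IP address
        if port in SMB_PORTS:
            findings.append((ts, src, dst, "smb-egress"))
        elif agent.startswith(WEBDAV_AGENT):
            findings.append((ts, src, dst, "webdav-egress"))
    return findings

def fallback_pairs(findings):
    """(src, dst) pairs seen with both an SMB attempt and a WebDAV request."""
    smb = {(s, d) for _, s, d, k in findings if k == "smb-egress"}
    dav = {(s, d) for _, s, d, k in findings if k == "webdav-egress"}
    return smb & dav

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG):
        print(finding)
```

A pair returned by `fallback_pairs` matches the pattern described above, where a WebDAV request follows an SMB attempt to the same external host.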

This issue was partially patched in July 2017 (CVE-2017-8572). According to the Microsoft Security Response Center (MSRC), CVE-2017-11927, released in December 2017, also patched a number of payloads. This patch was updated in May 2018 to address the remaining issues that were mentioned in this report.

The GitHub project is accessible at https://github.com/nccgroup/OutlookLeakTest.

A PDF version of the blog post published by NCC Group can be downloaded from:

https://soroush.secproject.com/downloadable/outlook_smb_hash_hijacking.pdf

The full article can be viewed on NCC Group’s website: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/smb-hash-hijacking-and-user-tracking-in-ms-outlook/