
How to use CVE-2018-0950 loophole to steal Windows password automatically

2025-01-22 Update From: SLTechnology News&Howtos, Network Security


Shulou(Shulou.com)05/31 Report--

This article explains in detail how the CVE-2018-0950 vulnerability in Microsoft Outlook can be used to leak Windows password hashes automatically, and what can be done about it. The editor shares it as a reference; I hope you will have a good understanding of the issue after reading it.

0x01 Object Linking and Embedding (OLE)

OLE is a technology released by Microsoft in 1990 that allows content from one program to be embedded in a document handled by another. For example, in Windows 3.x, Microsoft Write could embed "Paintbrush Picture" objects as well as "Sound" and "Package" objects. These are the three OLE object types that could be inserted into a Write document (screenshot omitted):

Once inserted, the document contains the embedded Paintbrush content.

0x02 Server Message Block (SMB)

SMB is a protocol that extends the DOS API (interrupt 21h) for local file access to include network functionality; that is, a user can access files on a remote server as if they were on a local drive. Microsoft included SMB in Windows for Workgroups 3.1, released in 1992.

2.1 Microsoft Outlook

Microsoft Outlook is an email client that ships with Microsoft Office. Outlook can send Rich Text Format (RTF) emails, and these messages can contain OLE objects.

When such a message is viewed in the Outlook client, rich text email renders the message content in a richer way than plain text.

0x03 Summary so far

You may already see where this is going. If not, let's summarize what we have learned so far:

1. Microsoft Outlook can create and render RTF email messages.

2. RTF documents, including email messages, can contain OLE objects.

3. Because of SMB, an OLE object can be located on a remote server.

3.1 Observing Microsoft Outlook behavior

HTML email is more common on the Internet than rich text email, so let's first look at how Microsoft Outlook handles an HTML message with a remote image hosted on a web server (screenshot omitted):

Here we see that the remote image is not loaded automatically. Why? If Outlook loaded remote images automatically, it could disclose the client system's IP address and other metadata, such as when the email was viewed. This restriction helps defeat web bugs embedded in email messages. Now let's look at the same kind of content in rich text format, except that this time it is not a remote image file but an OLE object loaded from a remote SMB server (screenshot omitted):

This result is unexpected. Outlook blocks remote web content because of the privacy risk of web bugs, yet in a rich text email the OLE object is loaded without any user interaction. Let's look at the traffic in Wireshark (a network packet analyzer) to see what is leaked by this automatic remote object loading:

Here we see an SMB connection being auto-negotiated. The only action that triggered this negotiation was Outlook previewing the email sent to it. In the capture, the following is leaked:

1. IP address

2. Domain name

3. User name

4. Hostname

5. SMB session key

A remote OLE object in a rich text email functions like a web bug on steroids. I reported this problem to Microsoft at the end of 2016.
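The behavior above (an OLE object in an RTF body that is fetched on preview, versus a UNC link that only fires on click) can be checked for at a mail gateway before the message ever reaches Outlook. The following scanner is an added example, not code from the article or from Microsoft. It assumes the OLE payload sits in an objdata group as hex bytes and that the link target inside it is stored as ASCII or UTF-16LE; the sample RTF bodies and the simplified OLE blob are constructed for the demonstration.

```python
"""Scan an RTF e-mail body for remote OLE objects and UNC hyperlinks.

Added defensive example; not code from the article or from Microsoft.
Assumptions: the OLE payload sits in an objdata group as hex bytes, and the
link target inside it is stored as ASCII or UTF-16LE.
"""
import binascii
import re

# A UNC path: two backslashes, a host, then one or more "\segment" parts.
# Control characters are excluded so a NUL terminator ends the match.
UNC_RE = re.compile(r'\\\\[A-Za-z0-9][A-Za-z0-9._-]*(?:\\[^\\\s"<>|\x00-\x1f]+)+')
# The hex body of an objdata group runs until the next non-hex character.
OBJDATA_RE = re.compile(r'\\objdata\s*([0-9A-Fa-f\s]+)')
# Target of an RTF hyperlink field, e.g. {\*\fldinst HYPERLINK "..."}.
HYPERLINK_RE = re.compile(r'HYPERLINK\s+"([^"]+)"')


def unc_targets_in_blob(blob: bytes) -> list:
    """Return UNC paths found in decoded OLE data (ASCII and UTF-16LE views)."""
    found = set()
    for view in (blob.decode('latin-1'), blob.decode('utf-16-le', errors='ignore')):
        found.update(UNC_RE.findall(view))
    return sorted(found)


def rtf_unescape(text: str) -> str:
    """RTF writes a literal backslash as a doubled backslash control symbol."""
    return text.replace('\\\\', '\\')


def scan_rtf(rtf: str) -> dict:
    """Classify an RTF body: remote OLE targets (auto-loaded on preview before
    the CVE-2018-0950 fix) versus UNC hyperlinks (leak only when clicked)."""
    report = {'ole_objects': 0, 'remote_ole_targets': [], 'unc_hyperlinks': []}
    for m in OBJDATA_RE.finditer(rtf):
        report['ole_objects'] += 1
        hexdata = re.sub(r'\s+', '', m.group(1))
        hexdata = hexdata[: len(hexdata) // 2 * 2]  # drop a dangling nibble
        try:
            blob = binascii.unhexlify(hexdata)
        except binascii.Error:
            continue
        report['remote_ole_targets'].extend(unc_targets_in_blob(blob))
    for m in HYPERLINK_RE.finditer(rtf):
        target = rtf_unescape(m.group(1))
        if target.startswith('\\\\'):
            report['unc_hyperlinks'].append(target)
    # Only a remote OLE object fires without user interaction.
    report['auto_connect_risk'] = bool(report['remote_ole_targets'])
    return report


# --- constructed samples (not real captures) -------------------------------
# Simplified OLE link blob: an 8-byte header followed by a NUL-terminated UNC
# path. Real OLE streams carry more structure, but the UNC text is present in
# them in the same way.
_BLOB = b'\x01\x05\x00\x00\x02\x00\x00\x00' + b'\\\\192.168.153.136\\share\\logo.bmp\x00'
SAMPLE_REMOTE_OLE = (
    r'{\rtf1\ansi Hello {\object\objautlink{\*\objdata '
    + binascii.hexlify(_BLOB).decode() + '}}}'
)
# In RTF source a UNC path \\host\share is written with every backslash doubled.
SAMPLE_UNC_LINK = (
    r'{\rtf1\ansi See {\field{\*\fldinst{HYPERLINK "\\\\192.168.153.136\\share"}}'
    r'{\fldrslt report}}}'
)
SAMPLE_BENIGN = (
    r'{\rtf1\ansi Just text and a '
    r'{\field{\*\fldinst{HYPERLINK "https://example.com/"}}{\fldrslt link}}}'
)

if __name__ == '__main__':
    for name, body in (('remote OLE', SAMPLE_REMOTE_OLE),
                       ('UNC link', SAMPLE_UNC_LINK),
                       ('benign', SAMPLE_BENIGN)):
        print(name, scan_rtf(body))
```

The scanner deliberately separates the two findings: a remote OLE target is the no-click leak described above and is the case to quarantine, while a UNC hyperlink is the one-click case that survives the patch and is worth flagging to the user.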

0x04 Impact of the OLE web bug

This bug leads to two major problems, described below:

4.1 Client crash

At this point we know that Outlook can be made to initiate an SMB connection to any host. On February 1st, 2017, the Windows SMB client vulnerability VU#867968 was disclosed: Windows crashes when it connects to a malicious SMB server. What happens if we create a rich text email in Outlook whose OLE object points to an SMB server that exploits this vulnerability?

Sure enough, once Outlook previews such an email, Windows crashes with a blue screen (BSOD). Worse, every time Outlook is started afterwards, Windows crashes again, because Outlook remembers the last open email. This amounts to a denial of service. At that point I shared the details of the attack with Microsoft. Microsoft has since fixed this SMB vulnerability, and fortunately we have not heard of any widespread email-based attacks exploiting it.

4.2 Collecting password hashes

Beyond the SMB client vulnerability, I wanted to look more closely at the risk of the client attempting an SMB connection to an attacker's server. From what I saw in Wireshark, I already knew that more than the victim's IP address leaks. This time I used Responder together with John the Ripper (a fast password cracker).

First, I sent a rich text email with a remote OLE object pointing to the system running Responder. On that system I saw the following immediately after previewing the email in Outlook:

[SMB] NTLMv2-SSP Client: 192.168.153.136
[SMB] NTLMv2-SSP Username: DESKTOP-V26GAHF\test_user
[SMB] NTLMv2-SSP Hash: test_user [remainder of hash elided]

Here we have a NetNTLMv2 hash that we can feed to John the Ripper. As shown below, I copy and paste the hash into a file named test_user.john and run John against it:

john test_user.john
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
test             (test_user)
Session completed

In less than a second I have determined that the password of "test_user", the user who opened my rich text email, is "test". Hashes of stronger passwords (longer, with more character classes) take longer to crack. I did some basic tests of how long it takes to exhaust the entire keyspace of an 8-character password on a single mid-range GPU (NVIDIA GTX 960):

1. Lowercase letters: 16 minutes

2. Mixed uppercase and lowercase letters: 3 days

3. Mixed uppercase and lowercase letters and numbers: 12 days

4. Mixed uppercase and lowercase letters, numbers and symbols: 1 year

These figures are the worst case for brute-forcing randomly generated passwords. Passwords that are dictionary words (such as "test") or keyboard patterns (such as "asdf") are cracked far faster than random passwords, because most cracking tools have rules that try such candidates first.

In addition, attackers can use systems with multiple high-end GPUs, which cuts the times above to a fraction. However, each character added to the password length has an exponential effect on the time needed to brute-force it. For example, although it takes my mid-range GPU a year to exhaust the keyspace of an 8-character password (mixed uppercase and lowercase letters, numbers and symbols), increasing the length to 9 characters raises that to 84 years!
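To make the keyspace arithmetic above reusable for a password policy, the following added example (not the article's own code) calibrates a candidate rate from the article's single measurement, namely that one GTX 960 exhausts all 8-character lowercase passwords in 16 minutes, and then projects worst-case times for the other character sets and lengths. It assumes the candidate rate is the same for every character set, and the tiny rule list at the end is a stand-in for a real cracker's mangling rules, included to show why a dictionary word with a digit appended falls in an instant regardless of what the keyspace formula says.

```python
"""Worst-case brute-force time for NetNTLMv2 hashes, calibrated from the
article's own measurement, plus a minimal rule demo.

Added example, not the article's code. Assumptions: one GTX 960 exhausts all
8-character lowercase passwords (26**8) in 16 minutes, and the candidate
rate is the same for every character set.
"""

CALIBRATION_KEYSPACE = 26 ** 8
CALIBRATION_SECONDS = 16 * 60
RATE = CALIBRATION_KEYSPACE / CALIBRATION_SECONDS  # candidates/second (about 2.2e8)

LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33  # printable ASCII: 95 characters


def charset_size(password: str) -> int:
    """Size of the standard class mix that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGIT
    if any(not c.isalnum() for c in password):
        size += SYMBOL
    return size


def seconds_to_exhaust(charset: int, length: int, rate: float = RATE) -> float:
    """Time to try every candidate of the given length over the charset."""
    return charset ** length / rate


def worst_case_days(password: str, rate: float = RATE) -> float:
    return seconds_to_exhaust(charset_size(password), len(password), rate) / 86400


def describe(seconds: float) -> str:
    for unit, size in (('years', 365 * 86400), ('days', 86400),
                       ('hours', 3600), ('minutes', 60)):
        if seconds >= size:
            return f'{seconds / size:.1f} {unit}'
    return f'{seconds:.1f} seconds'


def rule_candidates(words):
    """Stand-in for a cracker's mangling rules: the base word, capitalised or
    upper-cased, with a trailing digit or a common suffix. Real rule sets are
    far larger than this."""
    suffixes = [str(d) for d in range(10)] + ['!', '1!', '123']
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in suffixes:
                yield base + suffix


def cracked_by_rules(password: str, wordlist) -> bool:
    return any(candidate == password for candidate in rule_candidates(wordlist))


if __name__ == '__main__':
    # Reproduce the article's table, then compare with rule-based attacks.
    for label, size in (('lower', 26), ('mixed case', 52),
                        ('mixed case + digits', 62), ('all printable', 95)):
        print(f'{label:20s} 8 chars: {describe(seconds_to_exhaust(size, 8))}')
    print(f'{"all printable":20s} 9 chars: {describe(seconds_to_exhaust(95, 9))}')
    small_wordlist = ['test', 'password', 'admin']  # constructed
    for pw in ('test', 'Test1', 'password!', 'xK9#mQ2v'):
        print(f'{pw:10s} worst case {describe(worst_case_days(pw) * 86400):>14s}'
              f'  cracked by rules: {cracked_by_rules(pw, small_wordlist)}')
```

Running it reproduces the 16 minutes, roughly 3 days, roughly 12 days and roughly 1 year figures from a single calibration point, and shows the factor of 95 that one extra character adds at the largest character set; note that "Test1" has a 62-character keyspace on paper yet is found by the three-word list in a few hundred candidates.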

0x05 Microsoft's fix

Microsoft has released a fix for Outlook's automatic loading of remote OLE content (CVE-2018-0950). Once this fix is installed, a previewed email no longer connects to a remote SMB server automatically. This fix helps prevent the attacks described above. But it is important to realize that even with this patch, a user can still fall victim to these kinds of attacks with a single click. For example, if an email message contains a UNC-style link beginning with "\\", clicking the link initiates an SMB connection to the specified server.

Additional details can be found in the CERT vulnerability note VU#974272.

0x06 Conclusions and recommendations

On the Windows platform there are several ways for a client to initiate an SMB connection. Whenever an SMB connection is initiated, the client's IP address, domain name, user name, hostname and password hash may be leaked. To prevent attacks that cause a victim's machine to initiate an SMB connection, consider the following mitigations:

Install Microsoft update CVE-2018-0950. This update prevents automatic retrieval of remote OLE objects in Microsoft Outlook when previewing rich text e-mail messages. However, if the user clicks the SMB link, this behavior will still cause the password hash to leak.

Block inbound and outbound SMB connections at your network boundary. This can be done by blocking ports 445/tcp, 137/tcp and 139/tcp, as well as 137/udp and 139/udp.

Block NTLM single sign-on (SSO) authentication as described in Microsoft Security Advisory ADV170014. Starting with Windows 10 and Server 2016, creating the EnterpriseAccountSSO registry value and setting it to 0 disables SSO authentication to external and unspecified network resources. With this registry change, access to SMB resources is still allowed, but external and unspecified SMB resources prompt the user for credentials instead of automatically sending the hash of the currently logged-in user.

Assume that at some point a client system will attempt an SMB connection to an attacker's server, and make sure that every Windows login has a password complex enough to resist cracking. Two strategies help achieve this:

1. Use a password manager to generate complex random passwords. This helps ensure that unique passwords are used across resources and that those passwords are sufficiently complex and random.

2. Use longer passphrases (with a mix of uppercase and lowercase letters, numbers and symbols) rather than passwords. This strategy produces memorable credentials and needs no additional software to store and retrieve them.
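The boundary-blocking recommendation above is also a detection opportunity: a client inside the network trying to reach an outside host on an SMB port is exactly the symptom of a message like the one in this article, whether the firewall allowed or denied the attempt. The following is an added example, not from the article; the log line format, the internal address ranges and the addresses themselves (drawn from the TEST-NET documentation ranges) are constructed, so parse_line() would need to be adapted to a real firewall export.

```python
"""Flag SMB flows from internal clients to external hosts in firewall logs,
the traffic the article says a boundary firewall should block
(445/tcp, 137/tcp, 139/tcp, 137/udp, 139/udp).

Added example, not from the article. Log format, internal ranges and
addresses are constructed; adapt parse_line() to your firewall's export.
"""
import ipaddress

SMB_PORTS = {('tcp', 445), ('tcp', 139), ('tcp', 137), ('udp', 137), ('udp', 139)}

# Ranges the defender owns (assumption: RFC 1918 plus loopback). External is
# defined relative to these rather than via ipaddress.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8')]

# Constructed log: "<time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
SAMPLE_LOG = """\
10:00:01 tcp 192.168.153.136:49812 -> 192.168.153.10:445 allow
10:00:02 tcp 192.168.153.136:49813 -> 203.0.113.5:445 allow
10:00:03 tcp 192.168.153.136:49814 -> 203.0.113.5:443 allow
10:00:04 udp 192.168.153.137:137 -> 198.51.100.7:137 allow
10:00:05 tcp 192.168.153.137:49820 -> 198.51.100.7:139 deny
this line is garbage
"""


def parse_line(line: str):
    """Return a record for a well-formed line, or None for anything else."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != '->':
        return None
    try:
        src_ip, src_port = parts[2].rsplit(':', 1)
        dst_ip, dst_port = parts[4].rsplit(':', 1)
        return {
            'time': parts[0], 'proto': parts[1].lower(),
            'src': ipaddress.ip_address(src_ip), 'sport': int(src_port),
            'dst': ipaddress.ip_address(dst_ip), 'dport': int(dst_port),
            'action': parts[5],
        }
    except ValueError:
        return None


def is_external(ip) -> bool:
    """True when the address is outside every network the defender owns."""
    addr = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    return not any(addr in net for net in INTERNAL_NETS)


def smb_egress_events(log: str) -> list:
    """Every SMB flow to an external host. A denied attempt still matters: it
    shows a client that tried to reach an outside SMB server."""
    events = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec['proto'], rec['dport']) in SMB_PORTS and is_external(rec['dst']):
            events.append(rec)
    return events


def summarize(events) -> dict:
    """Count external SMB attempts per internal source, split by action."""
    summary = {}
    for e in events:
        per_src = summary.setdefault(str(e['src']), {'allow': 0, 'deny': 0})
        per_src[e['action']] = per_src.get(e['action'], 0) + 1
    return summary


if __name__ == '__main__':
    events = smb_egress_events(SAMPLE_LOG)
    for e in events:
        print(f"{e['time']} {e['src']} -> {e['dst']}:{e['dport']}/{e['proto']} {e['action']}")
    print(summarize(events))
```

On the constructed log this flags three flows (the two allowed ones are the ones a boundary block should have stopped) and leaves the internal file-server connection and the HTTPS flow alone; a source that appears repeatedly in the summary is a host worth checking for a rich text email in its Outlook preview pane.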

That concludes this look at how the CVE-2018-0950 vulnerability can be used to steal Windows password hashes automatically. I hope the above is of some help to you. If you think the article is good, please share it so more people can see it.
