Researchers Uncover How Outlook Vulnerability Could Leak Your NTLM Passwords

30.01.2024


A recently patched security vulnerability in Microsoft Outlook posed a potential threat as it could be exploited by malicious actors to gain access to NT LAN Manager (NTLM) v2 hashed passwords when users opened a specially crafted file.

Tracked as CVE-2023-35636 and rated CVSS 6.5, the issue was addressed by Microsoft in its December 2023 Patch Tuesday updates. According to the advisory the tech giant released last month, in an email attack scenario an attacker could exploit the vulnerability by sending a specially crafted file to the user and convincing them to open it; in a web-based attack scenario, the attacker could host a website containing the malicious file, or leverage a compromised website, for the same purpose.

In simpler terms, the attacker would need to persuade users to click a link embedded in a phishing email or sent via an instant message, and then deceive them into opening the specified file.

The root of CVE-2023-35636 lies in the calendar-sharing function of the Outlook email application. A malicious email is created by inserting two headers, “Content-Class” and “x-sharing-config-url,” with crafted values so that the victim’s NTLM hash is exposed during authentication.
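As an added illustration of the mechanism above (not code from the article, from Varonis or from Microsoft), here is a small Python check that a mail gateway or an analyst could run over a raw message: it flags any message carrying the x-sharing-config-url header whose target host is not on an allowlist of internal sharing servers. The allowlist, the UNC-path regex and the two sample messages are constructed assumptions; the actual crafted header values used in the exploit are not given on this page.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed allowlist: hosts that may legitimately serve Outlook sharing configs.
INTERNAL_HOSTS = {"mail.corp.example", "exchange.corp.example"}
# Matches a UNC path such as \\host\share\... and captures the host part.
UNC_RE = re.compile(r"^\\\\([^\\/]+)")


def sharing_target_host(value):
    """Return the host a sharing-config value points at, or None if unparseable."""
    m = UNC_RE.match(value.strip())
    if m:
        return m.group(1).lower()
    parsed = urlparse(value.strip())
    if parsed.scheme in ("http", "https", "file") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def check_message(raw):
    """Flag a raw RFC 822 message whose sharing-config header points off-allowlist."""
    msg = message_from_string(raw)  # header lookups are case-insensitive
    result = {"content_class": (msg.get("Content-Class") or "").strip(),
              "target_host": None, "suspicious": False, "reason": ""}
    cfg_url = msg.get("x-sharing-config-url")
    if cfg_url is None:
        return result  # no sharing-config header, nothing to evaluate
    host = sharing_target_host(cfg_url)
    result["target_host"] = host
    if host is None:
        result.update(suspicious=True, reason="unparseable x-sharing-config-url")
    elif host not in INTERNAL_HOSTS:
        result.update(suspicious=True, reason=f"target host off allowlist: {host}")
    return result


# Constructed sample messages (not real exploit payloads); "\\\\" encodes one UNC prefix.
SUSPICIOUS_MAIL = ("From: sender@example.net\r\nContent-Class: Sharing\r\n"
                   "x-sharing-config-url: \\\\203.0.113.10\\share\\config\r\n"
                   "Subject: Shared calendar\r\n\r\nPlease open the shared calendar.\r\n")
BENIGN_MAIL = ("From: colleague@corp.example\r\nContent-Class: Sharing\r\n"
               "x-sharing-config-url: https://mail.corp.example/sharing/cfg\r\n"
               "Subject: Team calendar\r\n\r\nSharing my calendar.\r\n")

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MAIL), ("benign", BENIGN_MAIL)):
        print(name, check_message(raw))
```

The check is deliberately conservative: an unparseable target is flagged as well, since a gateway would rather surface a false positive than let an unknown sharing target through.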

Dolev Taler, the Varonis security researcher credited with discovering and reporting the bug, highlighted that NTLM hashes could be leaked by exploiting Windows Performance Analyzer (WPA) and Windows File Explorer. However, these two attack methods remain unpatched.

Taler emphasized the uniqueness of the situation, pointing out that WPA attempts to authenticate using NTLM v2 over the open web. Typically, NTLM v2 should be used for authenticating against internal IP-address-based services. However, when the NTLM v2 hash passes through the open internet, it becomes vulnerable to relay and offline brute-force attacks.

This disclosure follows Check Point’s revelation of a “forced authentication” case that could be weaponized to leak a Windows user’s NTLM tokens by tricking them into opening a rogue Microsoft Access file.

Microsoft had previously announced plans in October 2023 to discontinue NTLM in Windows 11 in favor of Kerberos for enhanced security. The decision was influenced by NTLM’s lack of support for cryptographic methods and its susceptibility to relay attacks.
