Researchers Uncover How Outlook Vulnerability Could Leak Your NTLM Passwords

By neub9
2 Min Read

Jan 29, 2024


Vulnerability / NTLM Security

A security flaw in Microsoft Outlook that allowed threat actors to access NT LAN Manager (NTLM) v2 hashed passwords when opening a specially crafted file has been patched.

The flaw, identified as CVE-2023-35636 with a CVSS score of 6.5, was fixed by Microsoft in its December 2023 Patch Tuesday updates.

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file,” Microsoft said in an advisory released last month.

“In a web-based attack scenario, an attacker could host a website containing a specially crafted file designed to exploit the vulnerability.”

To exploit the vulnerability, the adversary would have to convince users to click a link and then deceive them into opening the file in question.

CVE-2023-35636 is rooted in the calendar-sharing function of the Outlook email application: inserting two headers, “Content-Class” and “x-sharing-config-url”, with crafted values causes the victim’s NTLM hash to be exposed during authentication.
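The following is an added example (not from the article, Microsoft or the researcher) showing how a mail gateway or triage script could flag messages carrying the two headers above when the sharing URL would make Outlook reach out to an untrusted host. The allow-list, the "suspicious destination" heuristic and the sample messages are constructed assumptions for this example; the advisory itself does not define them.

```python
"""Flag mail headers matching the CVE-2023-35636 calendar-sharing pattern."""
import email
from email import policy
from urllib.parse import urlparse

# Header names are the two named in the write-up; the destination heuristic
# and allow-list below are assumptions for this example, not Microsoft's logic.
SHARING_HEADER = "x-sharing-config-url"
CLASS_HEADER = "content-class"
TRUSTED_HOSTS = {"sharing.example.internal"}  # constructed allow-list


def sharing_url_is_suspicious(value: str) -> bool:
    """True when the sharing-config URL would send Outlook to an untrusted
    place: a UNC path, a file: URL, a non-HTTP scheme, or a host that is
    not on the allow-list (any of which could trigger NTLM authentication)."""
    v = value.strip()
    if v.startswith("\\\\") or v.lower().startswith("file:"):
        return True
    parsed = urlparse(v)
    if parsed.scheme not in ("http", "https"):
        return True
    return (parsed.hostname or "").lower() not in TRUSTED_HOSTS


def scan_message(raw: str) -> dict:
    """Parse an RFC 822 message and report whether both headers are present
    and whether the sharing URL looks like a forced-authentication lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    has_class = msg.get(CLASS_HEADER) is not None
    url = msg.get(SHARING_HEADER)
    suspicious = bool(url) and sharing_url_is_suspicious(str(url))
    return {"has_content_class": has_class, "sharing_url": url,
            "flag": has_class and suspicious}


# Constructed sample messages (not real attack captures); 203.0.113.0/24 is
# a documentation range.
BENIGN = ("From: alice@example.com\r\nContent-Class: Sharing\r\n"
          "x-sharing-config-url: https://sharing.example.internal/cfg\r\n"
          "Subject: calendar\r\n\r\nbody\r\n")
LURE = ("From: bob@example.net\r\nContent-Class: Sharing\r\n"
        "x-sharing-config-url: \\\\203.0.113.7\\share\\cfg\r\n"
        "Subject: calendar\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("lure", LURE)):
        print(name, scan_message(raw))
```

A message is only flagged when both headers are present and the URL fails the destination check, so ordinary internal calendar-sharing mail passes through.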

Security researcher Dolev Taler, who is credited with discovering and reporting the bug, noted that NTLM hashes could also be leaked by leveraging Windows Performance Analyzer (WPA) and Windows File Explorer. These two attack methods, however, remain unpatched.

“What makes this interesting is that WPA attempts to authenticate using NTLM v2 over the open web,” Taler said.

Check Point revealed a case of “forced authentication” that could be weaponized to leak a Windows user’s NTLM tokens by tricking a victim into opening a rogue Microsoft Access file.

In October 2023, Microsoft announced plans to discontinue NTLM in Windows 11 in favor of Kerberos for improved security, citing NTLM’s susceptibility to relay attacks.
