Mimikatz 2017
Tales of a Threat Hunter 1: Detecting Mimikatz and other Suspicious LSASS Access, Part 1. Posted on September 9, 2017. A year ago, mubix published a cool post about dumping a domain's worth of passwords with Mimikatz. In the article.

Fake Crypto: Microsoft Outlook S/MIME Cleartext Disclosure (CVE 2.)

We discovered a vulnerability in Outlook's S/MIME functionality. The short version: if you used Outlook's S/MIME encryption in the past 6 months, at least some of your mails might not have been encrypted as expected. In the context of encryption this can be considered a worst-case bug.

This has been a rather unusual vulnerability discovery. Unlike other cases, we stumbled upon the first indications of this vulnerability by pure coincidence; we did not search for Outlook vulnerabilities. We knew something was seriously wrong when we noticed that the contents of S/MIME encrypted mails were shown in Outlook Web Access (OWA).

The Basics: S/MIME

S/MIME is an IETF standard for end-to-end encryption and signing of mails. Most popular mail clients, including Microsoft Outlook, Mozilla Thunderbird, Apple Mail, and the mail clients on Apple iOS and Samsung Knox devices, support S/MIME. Along with similar technologies like PGP/GPG, it is used by security- and privacy-conscious individuals and organizations to protect their mail communication. To use S/MIME the mail client has to be configured; this includes installing a personal certificate and exchanging certificates with communication partners.
In an environment where mail servers or network hops between sender and recipient are compromised, S/MIME will still protect the mail body against unauthorized access (confidentiality) and manipulation (integrity, authenticity).

The Vulnerability

There is a bug in Outlook that causes S/MIME encrypted mails to be sent in encrypted and unencrypted form within one single mail: to your mail server, to the recipient's mail server and client, and to any intermediate mail servers. The impact is that a supposedly S/MIME encrypted mail can be read without the private key of the recipient. This results in a total loss of the security properties provided by S/MIME encryption. In the sender's Sent Items folder there is no indication of the problem whatsoever; the message is displayed in Outlook as if it was properly encrypted. To trigger the vulnerability, no active involvement by an attacker is required; an attacker might remain completely passive.

Note: This vulnerability affects mails where Outlook is used as the sender and has no impact on incoming S/MIME encrypted mails where Outlook acts as the recipient. This is about mail body S/MIME encryption, not transport level security (TLS).

Affected Mails and Scope

We observed that this vulnerability only triggers with mails that are formatted in Plain Text; Microsoft confirmed this observation. Speaking about Plain Text formatting in the context of encryption might be confusing; the screenshots below will clarify it. Outlook formats mails in Plain Text by default when replying to Plain Text formatted mails. When composing a new mail, HTML is the default format unless the default has been changed. We did not observe any negative impact on attachments; Microsoft shares this observation.
The scope of this vulnerability differs depending on the transport protocol used:

a) Outlook with Exchange: impact limited to the first hop. The plaintext leaks one hop only, to the sender's MTA, and to the recipient's mailbox if the recipient and sender are in the same domain. When sending mails to external recipients, Exchange seems to remove the plaintext part from the message.

b) Outlook using SMTP: impact on the entire mail path. The plaintext leaks to all mail servers along the path and to the recipient.

We do not have information regarding how the vulnerability manifests in Office 3., Outlook.com, etc.

Example walk-through: Alice and Bob

Alice replies to Bob's mail. Note that the Encrypt and Sign S/MIME options are selected. If Alice switched to the Format Text tab she would see that the Plain Text format is pre-selected, because Bob's mail was Plain Text formatted. When Alice checks her Sent Items folder to confirm that she actually encrypted the mail she just sent, the mail shows the encrypted and signed icons; there is no indication of any problem with S/MIME.

This is where the attacker comes in. An attacker who can access Bob's mailbox through Outlook Web Access (OWA) can see the contents of the message in OWA's message preview, although he/she does not have Bob's private S/MIME key. Please note, this is not an OWA vulnerability: OWA should not be able to see and display the data in the first place. OWA just happens to interpret and show the unencrypted part of the mail in the message preview. In our environment Outlook Web Access shows the first 2. The MTA gets to see the entire message.

For reference, below is how an S/MIME encrypted mail is supposed to look in OWA; note the "No preview is available". This is an example of an HTML formatted and S/MIME encrypted mail.

Bob does not use OWA; he uses IMAP to fetch mails from the server. He only gets the encrypted part of the message and cannot detect the problem either. When fetching the mail via IMAP, only the encrypted part of the message is returned.
When sending mails to external recipients Exchange seems to remove the plaintext part from the message. If Alice sends another mail via SMTP, the IMAP server returns a mail that contains both the encrypted and the unencrypted part of the message. Below is how an affected mail looks when fetched via IMAP; SECRET is the first and only line in the mail's body.

Possible Exploitation Vectors (examples)

In the case of Outlook via Exchange (a):
- Attacker has access to the network traffic between Outlook and the Exchange server, and no TLS is used or arbitrary certificates are accepted by the MUA.
- Attacker has access to the Exchange server of the sender e.
- Attacker has access to the sender's or recipient's mailbox (if the recipient is on the same domain).

In the case of Outlook via SMTP (b):
- Attacker has access to the network traffic at any point along the mail's path through the network, and no transport level encryption is used.
- Attacker has access to an MTA along the path.
- Attacker has access to the sender's or recipient's mailbox.

Affected Outlook Versions

We observed the first affected mail on May 2nd 2. Microsoft does not release detailed affected version information, to avoid giving clear directions that could make it easier for those interested in conducting nefarious activity. It is also important to note that even if you or your organization is not using Outlook at all, you might be affected if someone is sending you S/MIME encrypted mails using Outlook.

Fixed Version

The following Outlook versions fix this vulnerability (CVE 2.):
Deferred Channel: Version 1. Build 8. 20. 1. 2.
Monthly Channel: Version 1. Build 8. 43. 1. 2.

Remediation of Affected Mails

The much harder problem is to determine the actual impact and remediate the legacy of affected mails containing confidential data. Unfortunately there is no easy solution to remediate the impact of this vulnerability; we are still waiting for Microsoft to release detailed information and update the blog.
In cases where mails have been sent to third parties (the recipient is outside of the sender's organization), remediation is not possible by the sending party, since the sender has no authority over the recipient's mail infrastructure. It is the responsibility of the vendor (Microsoft) to provide guidance to remediate the risk of unintentionally unencrypted past mails.

Note: During publishing of this advisory we noticed a user called RSec R.
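The first step of the impact assessment described under "Affected Mails and Scope" and "Remediation of Affected Mails" is finding the mails that actually show the symptom: an S/MIME enveloped-data entity and a cleartext text part travelling in the same message. The following Python script is an added example for that check; it is not code from the advisory, from SEC Consult or from Microsoft. It assumes the leaking mail is a multipart message with a text/plain part next to the application/pkcs7-mime part (the exact MIME layout Outlook produced is an assumption), the three sample messages are constructed for this example, and their base64 bodies are placeholders rather than real CMS data.

```python
"""Flag S/MIME mails that also carry a cleartext body part (added example)."""
import email
import mailbox
from email import policy
from email.message import EmailMessage

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}  # RFC 8551 CMS entity
CLEARTEXT_TYPES = {"text/plain", "text/html"}


def is_smime_envelope(part: EmailMessage) -> bool:
    """True for an encrypted (smime-type=enveloped-data) S/MIME entity only.
    Opaque-signed mails (smime-type=signed-data) are not encrypted, so a
    cleartext part next to them is not a leak and they are left alone."""
    if part.get_content_type() not in SMIME_TYPES:
        return False
    return (part.get_param("smime-type") or "").lower() == "enveloped-data"


def find_cleartext_leak(raw: bytes) -> dict:
    """Parse one raw message; report the envelope and any cleartext beside it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    encrypted, leaked_parts, texts = False, [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        if is_smime_envelope(part):
            encrypted = True
        elif part.get_content_type() in CLEARTEXT_TYPES:
            leaked_parts.append(part.get_content_type())
            texts.append(part.get_content().strip())  # the leaked body text
    return {"subject": str(msg["Subject"] or ""), "encrypted": encrypted,
            "leaked_parts": leaked_parts, "leaked_text": "\n".join(texts)}


def is_affected(report: dict) -> bool:
    """The symptom from the advisory: envelope plus cleartext in one mail."""
    return report["encrypted"] and bool(report["leaked_parts"])


def scan_messages(raw_messages) -> list:
    """Subjects of all affected messages in an iterable of raw mails."""
    return [r["subject"] for r in map(find_cleartext_leak, raw_messages) if is_affected(r)]


def scan_mbox(path: str) -> list:
    """Same check over an mbox file, e.g. an IMAP export of Sent Items."""
    return scan_messages(m.as_bytes() for m in mailbox.mbox(path))


# Constructed samples. The base64 bodies are placeholders, not real CMS data,
# and the multipart/mixed layout of the leaking mail is an assumption.
LEAKING = b"""From: alice@example.com
Subject: Re: status
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

SECRET
--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
--b1--
"""

CLEAN = b"""From: alice@example.com
Subject: Re: status (envelope only, as it should be)
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""

SIGNED_ONLY = b"""From: alice@example.com
Subject: signed, not encrypted
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

public text
--b2
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCAMIIB
--b2--
"""

if __name__ == "__main__":
    for raw in (LEAKING, CLEAN, SIGNED_ONLY):
        r = find_cleartext_leak(raw)
        print(f"{r['subject']!r}: affected={is_affected(r)} leaked={r['leaked_parts']}")
```

Run it against an mbox export of the mailbox in question with scan_mbox(path). A signed-only mail is deliberately not flagged, since its cleartext is by design, and only mails where the plaintext part actually survived in the stored copy can be found this way: per the advisory, Exchange appears to strip the plaintext part for external recipients, so a clean Sent Items folder on Exchange says nothing about what an external recipient or an intermediate MTA received.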