Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
The Risks of the #MonikerLink Bug in Microsoft Outlook and the Big Picture
Haifei Li - Checkpoint ResearchPosted 2 Years Ago- Outlook is the most popular email client in the world with all of the other Microsoft Office Suite of products being equally important. Finding vulnerabilities in this can have devastating consequences.
- Everyone knows what URLs are - http, https, etc.. However, there are many other URLs for other apps, such as Skype. The
file://URL can be used to reference local files on the system. By default, this is blocked from execution on Word when clicked on. - Some researchers found a weird bypass for this check. If the path has an exclamation point then some text afterwards then the check is bypassed. For example -
file:///\\10.10.111.111\test\test.rtf!something. The exclamation point has some special meaning in Outlook that changes the meaning of the parsing from a file to a Moniker to try to find COM objects. - What's the impact of this? First, a request to a file at a remote location would leak the NTLM hash. Second, since this tries to parse the item as a COM object, it may be possible to escalate this to RCE. However, there is no real example of this and it feels like scare tactic.
- A fairly simple mishap on the parsing of the URL. When deep knowledge of a system comes obvious bugs.
