-
Adversary Simulation
Our best in class red team can deliver a holistic cyber attack simulation to provide a true evaluation of your organisation’s cyber resilience.
-
Application
SecurityLeverage the team behind the industry-leading Web Application and Mobile Hacker’s Handbook series.
-
Penetration
TestingMDSec’s penetration testing team is trusted by companies from the world’s leading technology firms to global financial institutions.
-
Response
Our certified team work with customers at all stages of the Incident Response lifecycle through our range of proactive and reactive services.
Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability
Date: 14th March 2023
Today saw Microsoft patch an interesting vulnerability in Microsoft Outlook. The vulnerability is described as follows:
Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the user.
However, no specific details were provided on how to exploit the vulnerability.
At MDSec, we’re continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations. Having recently given a talk on leveraging NTLM relaying during red team engagements at FiestaCon, this vulnerability particularly stood out to me and warranted further analysis.
While no particular details were provided, Microsoft did provide a script to audit your Exchange server for mail items that might be being used to exploit the issue.
Review of the audit script reveals it is specifically looking for the PidLidReminderFileParameter property inside the mail items and offers the option to “clean” it if found:
Diving in to what this property is, we find the following definition:
This property controls what filename should be played by the Outlook client when the reminder for the mail item is triggered. This is of course particularly interesting as it implies that the property accepts a filename, which of could potentially be a UNC path in order to trigger the NTLM authentication.
Following further analysis of the available properties, we also note the PidLidReminderOverride property which is described as follows:
With this in mind, we should likely set the PidLidReminderOverride property in order to trigger Outlook to parse our malicious UNC inside PidLidReminderFileParameter.
Let’s begin to build an exploit….
The first step to exploit this issue is to create an Outlook MSG file; these files are compound files in CFB format. To speed up the generation of these files, I leveraged the .NET MsgKit library.
Reviewing the MsgKit library, we find that the Appointment class defines a number of properties to add to the mail item before the MSG file is saved:
To create our malicious calendar appointment, I extended the Appointment class to add our required PidLidReminderOverride and PidLidReminderFileParameter properties, as shown above.
From that point, we simply need to create a new appointment and save it, before sending to our victim:
This vulnerability is particularly interesting as it will trigger NTLM authentication to an IP address (i.e. a system outside of the Trusted Intranet Zone or Trusted Sites) and this occurs immediately on opening the e-mail, irrespective of whether the user has selected the option to load remote images or not.
This one is worth patching as a priority as its incredibly easy to exploit and will no doubt be adopted by adversaries fast.
Here’s a demonstration of our exploit which will relay the incoming request to LDAP to obtain a shadow credential:
This blog post was written by Dominic Chell.
