Outlook NTLM-Leak Vulnerability: CVE-2023-23397

Disclaimer:

The Attack demonstrated here has been performed in a controlled sandboxed environment:

• The Victim here is using a Windows 10 machine [10.10.165.158]

• The Attacker here will be using a Kali Linux Machine [10.10.231.28]

• Both are connected over a common virtualized network.

Summary:

Microsoft released a patch for Outlook vulnerability CVE-2023-23397 on March 14th, 2023. This vulnerability has caught the attention of a hacking group linked to Russian military intelligence that is using it to target European organizations. CVE-2023-23397 allows threat actors to steal NTLM credentials of Microsoft Outlook users with minimal complexity or effort. This vulnerability can be exploited by sending an email to a target user but does not require that user to open the email.

Start of POC:

Vulnerability Explanation: The vulnerability involves abusing the meeting reminder notification sound feature, whereby the maliciously crafted meeting invite overwrites the default notification sound by replacing it with a custom WAV file located on the Attackers machine. This message contains a PidLidReminderFileParameter extended Messaging Application Programming Interface (MAPI) property, which needs to be configured to point to a Universal Naming Convention (UNC) path share on a server under the control of a threat actor (via Server message block (SMB)/transmission control protocol (TCP) port 445). This Universal Naming Convention (UNC) path forces an NTLM authentication from the victim to the attacker. The attacker sitting in between listening for the connection steals/captures the leaked NTLM hashes and then attempts to recover/break or replay/relay them to compromise the user credentials/user machine.

Impact: The exploit triggers automatically once the meeting invite lands in the victim’s inbox and the meeting reminder timer is triggered. The loss of personal data, corporate data, sensitive customer information and more are some of the harmful effects of such an attack.

Vulnerability Fix: To install the latest patch released by Microsoft on March 14th , 2023, which can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

If immediate patching is not an option for an organization, few mitigation steps can be applied to prevent such attacks to take place:

1. Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. However, this may cause impact to applications that require NTLM, however the settings will revert once the user is removed from the Protected Users Group.

2. Block outbound TCP 445 and 135 SMB ports traffic from your network. This prevents the sending of NTLM authentication messages to remote file shares.

3. The outbound connection to the Attacker’s machine to capture the hash can either be via SMB connection or via a webDAV connection. Disabling WebClient service can help avoid any sort of outbound WebDAV Connection.

4. Make sure SMB Server signing is enabled to prevent post-exploitation attacks like the NetNTLMv2 Relay/Pass-the-hash Attacks.

Severity: Critical

CVSS Score: 9.8

Below is a step-by-step demonstration on how the attack is constructed and executed to successfully compromise the victim machine, its diagrammatic illustrations along with some important detection techniques as well.

I. Starting a Listener on the Attacker Machine

To Start a listener on the Attacker Machine, we will utilize a tool named “Responder” - This tool is responsible for capturing and replying fake data back to user [here, victim] made NTLM Requests, SMB Requests, WPAD Requests etc . Essentially acting as an MITM tool and waiting for connections to come in.

//Command used

sudo responder –I ens5

Output Screenshot:

As we can see above the listener has started and is actively listening for connections.

II. Crafting a Malicious Appointment

Steps to Reproduce: Manually create an appointment and edit the path to the reminder's sound file to point to the attacker’s shared folder. Here, the changes are done in the Victim machine itself, but in a real scenario these would be done in an Attacker controlled Windows machine, and then emailed to the victim.

1. To create an appointment, you will first need to click on the calendar and then on the New Appointment button on the taskbar, as shown in the image below:

2. Next, we will set a reminder set in 0 minutes so that it triggers right after the victim receives it. We will also click on the Sound option to configure the reminder's sound file:

3. To set a custom file path for the WAV file as a reminder notification sound, the normal UNC path if overwritten is silently ignored by the outlook application and hence does not work.

So, for our exploit to work, we add a custom plugin to outlook called “OutlookSpy” - and use that to modify our WAV file path to a custom path specifying a bogus file on the Attackers smb share.

After setting the reminder timer to 0 seconds, from the toolbar, we can select “OutlookSpy” and click on “CurrentItem”

// Make sure to open “OutlookSpy” from within the Appointment tab itself.

As we can see above, the parameters associated with the appointment's reminder under the “Properties” tab. We want to set the ReminderSoundFile parameter to the UNC path that points to our Attacker’s machine and set both the ReminderOverrideDefault and ReminderPlaySound to TRUE.

// ReminderPlaySound: boolean value that indicates if a sound will be played with the reminder.

// ReminderOverrideDefault: boolean value that indicates the receiving Outlook client to play the sound pointed by ReminderSoundFile, instead of the default one.

// ReminderSoundFile: string with the path to the sound file to be used. For our exploit, this will point to a bogus shared folder in our Attacker Machine.

4. We can make the required changes by adding them via the “script” module, as shown below:

Make sure to click on “Run” for the new changes to take effect. You can go back to the “Properties” tab to confirm if the changes were done successfully.

5. Finally, save your appointment to add it to your calendar, making sure the reminder is set to 0 minutes and that the appointment matches the current time and date, as we want it to trigger immediately.

This same appointment is then saved and emailed to the victim, the time and date is set accordingly. Once the reminder timer triggers, the Attacker box on the other end receives the user’s NTLM hash.

If all went well, you should immediately see a reminder notification pop-up, as shown below:

III. Gaining the user NTLM Hash:

As soon as the reminder timer is triggered, we see in the listener that we receive the NTLM Hash of the user “Administrator”.

Diagrammatic illustration of the steps above:

IV. Possible Exploitation Scenarios:

1. Once we have a hash value, we can try to brute force and break the hash. If the password is not complex enough, the attacker can be successful in breaking the password and hence obtaining the user credentials.

2. Having a hash value does not mandate breaking it. Attackers can perform attacks like “Pass-the-hash", dumping out SAM and NTDS files with just the above hash obtained, creating golden/silver tickets if they get hold of a krbtgt account, kerberoasting, DCSync attack etc. These attacks can help the attackers leak more sensitive information which can aid them in finding their way in the network/machine.

3. Performing a Net-NTLMv2 Relay attack against the exchange server: The default authentication service for Exchange online is not affected by the Net-NTLMv2 Relay attack; however, if federated identity provider is used, the user/machine could be compromised.

The illustration above shows that the attacker attempted an NTLM-Relay Attack, and one other machine was successfully compromised while the attack on the other machine failed. Now, taking the second compromised machine, the attacker can further move forward and attempt the attack again using credentials/hashes dumped from this second machine.

Getting hold of a hash, that too of an administrator can be disastrous, even if the password is complex enough – the attacker can use the hash to its advantage and perform various other attacks which can help him get a foothold in the machine, escalate their way up and completely compromise the whole machine or even the whole network.

End Of POC.

The user username and hash compromised initially is thrown around to the machine that the compromised user owns and to other machines as well in the same network to see if the same user might have an account with the same credentials in other machines too. If yes, the same credentials are then used to enter/log in to the other machines.

Once a machine is compromised, the Attacker can then dump out hashes of other users too and perform the same attack to other set of machines in the same network and successfully compromise the machines on which these users also might have an account with the same credentials. Eventually taking over the whole network.

Detection Techniques:

1. To use the Microsoft provided PowerShell script to scan and audit the exchange servers for any sort of messaging items [mail, calendar or tasks] that has the PidLidReminderFileParameter property inserted with any sort of UNC Path. The script can be found here: https://github.com/microsoft/CSSExchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023- 23397.md

2. Snort 2 SIDs 61478-61479 and Snort3 SID 300464 can be used for detecting and blocking this vulnerability exploitation attempts.

3. YARA Rules for detecting such attack attempts can be found here: https://github.com/elceef/yara-rulz/blob/main/rules/Outlook_CVE_2023_23397.yara

4. Monitoring the DavSetCookie function from the process command line can be essential as it can help the security analysts keep an eye on the public IPs the machines are accessing. A generic and a few example formats for the process line can be seen below:

Generic format:

rundll32.exe C:Windowssystem32davclnt.dll,DavSetCookie [ip address or a domain name] http://[ip address or a domain name]/[path to the a file or a directory]

Example formats:

rundll32.exe C:Windowssystem32davclnt.dll,DavSetCookie 35.180.139.74 http://35.180.139.74/file/sound.wav

Rundll32.exe C:Windowssystem32davclnt.dll,DavSetCookie http://35.180.139.74/file/sound.wav

5. Leveraging the “Outbound NTLM traffic to remote servers” detection feature in the security options. We can enable the audit/block action of outbound NTLM authentication traffic which can help the security analysts monitor where the desktop and servers are sending their NTLM Hashes. An example screenshot of this is shown below: