Security researchers have shared technical details for exploiting a critical vulnerability in Microsoft Outlook for Windows (CVE-2023-23397) that allows hackers to remotely steal hashed passwords by simply receiving an email.

Microsoft released a patch for the security flaw yesterday, but it has been exploited as a zero-day vulnerability in NTLM relay attacks since at least mid-April 2022.

The issue is a privilege escalation vulnerability with a severity rating of 9.8 that affects all versions of Microsoft Outlook on Windows.

An attacker can use it to steal NTLM credentials by simply sending the target a malicious email. No user interaction is required as the exploit occurs when Outlook is opened and the callback is triggered on the system.

Easy operation

Windows New Technology LAN Manager (NTLM) is an authentication method used to connect to Windows domains using hashed login credentials.

Although NTLM authentication has known risks, it is still used on new systems for compatibility with older systems.

It works with password hashes that the server receives from a client when it attempts to access a shared resource, such as SMB shares. If stolen, these hashes can be used to authenticate to the network.

Microsoft explained that an attacker can use CVE-2023-23397 to obtain NTLM hashes by sending “a message with an Extended MAPI property with a UNC path to an SMB share (TCP 445) on a server controlled by a malicious actor.

“Connecting to the remote SMB server sends the user’s NTLM handshake message, which the attacker can then relay to authenticate to other systems that support NTLM authentication” – Microsoft

However, exploiting the issue requires more technical details, which came shortly after Microsoft released the patch from researchers at security consulting firm MDSec.

After examining a script from Microsoft checking Exchange mail items for signs of exploitation using MDSec Red Team member CVE-2023-23397 Dominique Chell discovered how easily a malicious actor could exploit the bug.

He discovered that the script could search for the “PidLidReminderFileParameterPidLidReminderFileParameter” inside received mail items and delete it when present.

Chell explains that this property allows the sender to set the filename that the Outlook client should read when the message recall is triggered.

Why this was possible remains an enigma that the researcher could not explain since the sender of an email should not be able to configure the new message alert sound on the recipient’s system.

Outlook allows email senders to set the sound to play on the email recipient's system

Chell noted that if the property accepted a filename, it should also be possible to add a UNC path to trigger NTLM authentication.

The researcher also found that the PidLidReminderOverride The property could be used to make Microsoft Outlook parse a malicious remote UNC path in the PidLidReminderFileParameter property.

This information allowed the researcher to craft a malicious Outlook email (.MSG) with a calendar appointment that would trigger the vulnerability and send the target’s NTLM hashes to an arbitrary server.

These stolen NTLM hashes can then be used to perform NTLM relay attacks for deeper access to corporate networks.

Malicious Calendar Appointment in Microsoft Outlook
Steal NTLM hashes via malicious calendar appointment in Microsoft Outlook
source: MDSec

Besides calendar appointments, an attacker could also use Microsoft Outlook tasks, notes, or emails to steal hashes.

Chell notes that CVE-2023-23397 can be used to trigger authentication to an IP address that is outside the trusted intranet zone or trusted sites.

MDSec has shared a video that demonstrates how the recently patched critical vulnerability in Microsoft Outlook can be exploited:

Zero-day for Russian hackers

The vulnerability was discovered and reported to Microsoft by the Ukrainian Computer Emergency Response Team (CERT-UA), likely after seeing it used in attacks targeting its services.

According to Microsoft, “a Russian-based threat actor” exploited the vulnerability in targeted attacks against several European organizations in the government, transportation, energy and military sectors.

The hacking group behind the attacks is believed to be APT28 (aka Strontium, Fancy Bear, Sednit, Sofacy), a threat actor that has been linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

Up to 15 organizations are believed to have been targeted or breached using CVE-2023-23397, the latest attack occurring last December.

After gaining access, hackers often use the open source frameworks Impacket and PowerShell Empire to expand their hold and move to more valuable systems on the network to gather information.

Administrators are strongly advised to prioritize CVE-2023-23397 and use Microsoft’s script to check for signs of exploitation by checking if mail items in Exchange come with a UNC path.

Source link