CVE-2023-23397 Outlook Privilege Escalation Walkthrough
- Published 16 Mar 2023
- In this video, I'll be walking through the CVE-2023-23397 Outlook Escalation of Privilege exploit via a PoC. This exploit allows an attacker to obtain a victim's NTLM hash by exploiting a vulnerability in Microsoft Outlook's Appointment feature.
MDSec’s Dominic Chell looked into the recent Microsoft Office Outlook updates and found that they address a privilege escalation vulnerability in Outlook.
Via this vulnerability, a remote attacker can create a malicious Outlook Appointment Reminder which, when triggered, authenticates the victim to a remote SMB share via a UNC path, allowing the attacker to obtain the victim’s NTLM password hash.
MDSec's Original Article: www.mdsec.co.uk/2023/03/explo...
Ka7ana's PoC: github.com/ka7ana/CVE-2023-23...
Thanks for checking this video out. If you enjoyed, please consider liking and subscribing to the channel for more content like this!
- Science & Technology
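The description above explains the mechanism: the reminder's sound-file path is a UNC path, and Outlook follows it to the attacker's SMB server, which captures the authentication attempt. A defender can look for exactly that artefact in calendar data. The following Python is an added example and is not the video's or ka7ana's PoC; it operates on a constructed list of appointment records whose `reminder_sound_file` field stands in for the value Outlook stores in the PidLidReminderFileParameter property, and the trusted-host suffix list and all sample paths are assumptions made up for the demonstration.

```python
import re

# Constructed sample appointment records. The field names are hypothetical; a real
# inspector would read the PidLidReminderFileParameter property from each item.
SAMPLE_APPOINTMENTS = [
    {"subject": "Team sync", "reminder_sound_file": None},
    {"subject": "Quarterly review", "reminder_sound_file": r"C:\Windows\Media\chimes.wav"},
    {"subject": "Budget meeting", "reminder_sound_file": r"\\fileserver.corp.example\sounds\ding.wav"},
    {"subject": "Urgent: call me", "reminder_sound_file": r"\\203.0.113.5\share\reminder.wav"},
    {"subject": "Lunch", "reminder_sound_file": r"\\?\UNC\evil.example.net\x\y.wav"},
    # Same shape as the unfilled placeholder in the PoC script: no host, so ignored.
    {"subject": "PoC placeholder", "reminder_sound_file": "\\\\"},
]

# Hostname suffixes that count as internal file servers (assumed, not from the page).
TRUSTED_HOST_SUFFIXES = ("corp.example",)

# Matches "\\host\..." and the long form "\\?\UNC\host\..." and captures the host.
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\/]+)")


def unc_host(path):
    """Return the lower-cased host portion of a UNC path, or None if the path is not UNC."""
    if not path:
        return None
    m = UNC_RE.match(path)
    return m.group(1).lower() if m else None


def is_trusted_host(host, trusted_suffixes):
    """True when the host is, or is under, one of the trusted suffixes."""
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def find_suspicious_reminders(appointments, trusted_suffixes):
    """Flag appointments whose reminder sound file points at a UNC host outside the allowlist."""
    findings = []
    for appt in appointments:
        path = appt.get("reminder_sound_file")
        host = unc_host(path)
        if host is None or is_trusted_host(host, trusted_suffixes):
            continue
        findings.append({"subject": appt["subject"], "host": host, "path": path})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_reminders(SAMPLE_APPOINTMENTS, TRUSTED_HOST_SUFFIXES):
        print(f"SUSPICIOUS: {f['subject']!r} -> {f['host']} ({f['path']})")
```

What Responder captures in this scenario is a Net-NTLMv2 challenge-response that can be cracked offline or relayed, which is why a hit for an external host is worth treating as a compromise indicator rather than a curiosity. The scan complements, rather than replaces, the fixes Microsoft published with the update: patching Outlook, blocking outbound TCP 445 at the perimeter, and placing high-value accounts in the Protected Users group so they cannot authenticate with NTLM at all.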
Thanks for this - I appreciate the no frills explanation!
Of course! Thanks for the feedback Ronnie!
Hey, is it necessary to be on the same network? I mean what if I’ve private NAT ip using a cafeteria internet. Would that work?
What are the hashes that are retrieved with this CVE for? Are they password hashes for the users to access the SMB? I'm sorry if I'm asking a dumb question here, I just couldn't really gather what the hashes represent.
Edit: I guess you get NTLM hashes representing the users' AD password?
Hey, nice walk through! Glad you found the script useful (I'm ka7ana). Would be interested to know if you got round to trying it out on your colleagues and managed to grab their hashes too! :D
Oh cool! Great job with the script. I have not gotten a chance to do much else with it after making this but I'll let you know if I do!
I successfully received the local ntlm hash during local testing, but only once. When I tried to modify it and send it to the remote user, I did not receive the hash but only an IPC connection.
@user-ud7ey4ld2s Same as you! I can't replicate this more than once.
Thanks for the walk-through! Can you please let me know whether the Responder tool and the attacker's SMB should be on the same machine in order for it to work? I'm getting the invite but I don't see the hashes.
Responder can be anywhere that is either accessible by the victim on the LAN or on the public Internet. If you have SMB outbound blocked then responder on the local network will still work as long as the victim can reach it. An easy way to test is open file explorer on the victim and in the address bar navigate to \\
@machevalia Thanks, can you please share which Outlook version did you use during your test? I'm running Outlook for Office 365 (16.0.12527.22286) 32-bit and it doesn't seem to work. I checked that SMB outbound isn't blocked on the victim's machine and it can access the share I configured in the PS script.
Interesting, I am not sure without going fully into troubleshooting it. I know the patched version is 16.0.16130.20306+ so it looks like you should be good. May just have to play around with it some more. I haven't done much with it since the video but I had varying degrees of success with different versions of Outlook, network configurations, and each of the various PoCs. It's a finicky one.
@machevalia Thanks! It was an environmental issue on my end. I managed to resolve this! Do you by chance know where the UNC path is stored in the .EML file? I couldn't find it, which is truly interesting: this info doesn't show but can be triggered regardless.
@subtlER0X Can I ask what environmental issue you were having and what you did to resolve it? I seem to be having the same issue as you.
Hey thanks... good video. I'm just dipping my toes into security. When you say "dumping hashes" what exactly is going on there? What is happening? I understand it's bad... but exactly how? Also, what does that Responder application/server you were talking about do?
Hey Ryan, good question. Within a lot of Windows processes there is authentication occurring under the hood that a normal user is unaware of. Being extremely user-friendly, Windows takes care of that for us. However, issues can arise when an attacker finds a way to take advantage of this automatic authentication, which is what is occurring here. Essentially, Responder.py is a fake SMB share that, when a victim machine requests a resource like our fake appointment sound file via that UNC path we provide, obtains a victim's NTLM password hash. With that, an attacker could attempt to crack the victim's password hash to recover their actual password, or they could even relay that NTLM hash in some cases to authenticate to another service as the victim user. I would recommend reading up on pass-the-hash attacks for more.
@machevalia You rule. Thanks man.
The noise in the background is horrible man
$meeting.ReminderSoundFile = "\\" # Change to your SMB server
How should I fill this in? I filled in my local IP and started Responder on my machine. Outlook shows a calendar reminder popup, but I did not receive the NTLM hash.
Sounds like you need to make sure your "victim" running Outlook can access the IP address of the machine running responder. If you're using a virtual machine for Responder, check the NIC settings.