
Patch Tuesday brought news of an Outlook Elevation of Privilege Vulnerability (CVE-2023-23397). The issue is also described in the EHLO blog under an “Awareness” heading. However, the problem is serious enough for Microsoft to issue a bunch of security updates covering everything from Microsoft 365 apps for enterprise (subscription-based Outlook) to Outlook 2013 SP1.

The bottom line is that “an attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.” Microsoft also issued a PowerShell script (CVE-2023-23397.PS1) to run against on-premises and cloud servers to check if items contain a property that’s populated with a UNC path. The audit mode of the script reports what it finds in a CSV file that administrators can check to decide which of the reported items to remove from mailboxes. Running the script in clean-up mode permanently removes the offending items.

A good analysis of the Outlook vulnerability by MDSEC reveals details of what the script looks for and describes how the vulnerability works. An attacker can exploit the vulnerability by sending a specially-formatted appointment to a user. Essentially, an Outlook item can populate the PidLidReminderFileParameter property, described in Microsoft documentation as specifying “the filename of the sound that a client should play when the reminder for that object becomes overdue.” The appointment is already expired and its PidLidReminderFileParameter property points to a UNC path, which provokes Windows to send the user’s login name and their NTLM password hash (a technique used in other attacks like this example). When Outlook processes the message, the attacker gets the user credentials and can use them to compromise the account.
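The audit and clean-up behaviour described above, modelled as an added Python example that is not Microsoft's CVE-2023-23397.PS1 script; the item fields, mailbox names and sample property values are constructed for illustration:

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A UNC path looks like "\\host\share\..." (or the forward-slash form "//host/share/...");
# a local path such as "C:\Windows\Media\chimes.wav" does not match this pattern.
UNC_RE = re.compile(r"^\s*(?:\\\\|//)[^\\/\s]+[\\/]")

@dataclass
class ReminderItem:
    """Minimal view of a mailbox item; the field names are constructed for this example."""
    mailbox: str
    subject: str
    reminder_file_parameter: Optional[str]  # value of PidLidReminderFileParameter, if set

def is_unc_path(value: Optional[str]) -> bool:
    """True when the reminder sound path points at a remote host rather than a local file."""
    return bool(value) and UNC_RE.match(value) is not None

def audit(items: List[ReminderItem]) -> List[ReminderItem]:
    """Audit mode: return the items whose reminder sound is a UNC path, changing nothing."""
    return [item for item in items if is_unc_path(item.reminder_file_parameter)]

def audit_csv(items: List[ReminderItem]) -> str:
    """Render the audit result as CSV text for an administrator to review."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Mailbox", "Subject", "PidLidReminderFileParameter"])
    for item in audit(items):
        writer.writerow([item.mailbox, item.subject, item.reminder_file_parameter])
    return buf.getvalue()

def cleanup(items: List[ReminderItem]) -> Tuple[List[ReminderItem], List[ReminderItem]]:
    """Clean-up mode: split items into (kept, removed); a real run would delete 'removed'."""
    flagged = audit(items)
    kept = [item for item in items if item not in flagged]
    return kept, flagged

# Constructed sample data: a benign local sound, an item with no sound, and two UNC pointers.
SAMPLE_ITEMS = [
    ReminderItem("alice@example.com", "Team sync", r"C:\Windows\Media\chimes.wav"),
    ReminderItem("alice@example.com", "Dentist", None),
    ReminderItem("bob@example.com", "Project review", r"\\203.0.113.5\share\reminder.wav"),
    ReminderItem("bob@example.com", "Invoice", "//203.0.113.5/share/reminder.wav"),
]

if __name__ == "__main__":
    print(audit_csv(SAMPLE_ITEMS))
```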
