Meeting Mayhem: Understanding the Outlook Appointment Vulnerability

Are you growing weary of those familiar Outlook appointment chimes? You might want to pay closer attention, as a newly discovered vulnerability could mean that your next reminder leaves you compromised (fortunately, I use Windows Mail). That's right – researchers at MDsec recently uncovered a Microsoft Outlook flaw (CVE-2023-23397) that allows attackers to access recipients' credentials through a seemingly innocuous appointment.

What’s the problem?

The vulnerability exists in Outlook's handling of appointment reminders. When sending an appointment, the sender can set the filename of the reminder tone to be played on the recipient's side through the ‘PidLidReminderFileParameter’ property. This filename can be a UNC path, which means the resource can be fetched over network services such as SMB. So, when an attacker sends an appointment whose path points to an SMB share and the victim's reminder fires, the vulnerable Outlook client tries to fetch the tone; in the process it attempts NTLM authentication to the attacker's share and leaks the victim's NTLM hashes. The ‘PidLidReminderOverride’ property is also set to force Outlook to use the custom file. The following image gives a pictorial representation of the attack.

Fig 1: CVE-2023-23397 Attack Flow

Preparing the vulnerable environment

To showcase the exploitation in a complete local environment, we deployed a local AD with local email servers. In real life the appointment could come from outside the network as well.

Exploit in Action

We will use this GitHub PoC for showing the exploit - https://github.com/api0cradle/CVE-2023-23397-POC-Powershell/tree/main.

Fig 2: POC script

Fig 3: Malicious appointment sent to the victim

Fig 4: Malicious appointment received by the victim

Fig 5: Appointment reminder received by the victim

Fig 6: NTLM credentials of victim leaked to attacker

If you would like to test out the vulnerability without setting up the environment as we did, TryHackMe has a free room that lets you play around with this vulnerability.

What can you do with the NTLM hashes?

The leaked hashes can be cracked if the passwords are weak enough. For example, using the hashcat utility, the password was recovered, as shown below:

Fig 7: Hashcat password bruteforce on NTLM creds

If the password is complex enough to resist brute-forcing, the captured hashes could instead be relayed to other services running on the network to gain other kinds of access.

Mitigations

Microsoft has released scripts to discover messages that exploit this vulnerability, and patches for it are already available. Updating to the patched version as described in the advisory mitigates the attack.
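The check below is an added example, not Microsoft's detection script or the PoC linked above: it scans appointment items for the precondition described under "What's the problem?", a PidLidReminderFileParameter pointing at a remote UNC host, and reports the PidLidReminderOverride flag alongside. It assumes the items have already been parsed into dictionaries keyed by property name; SAMPLE_ITEMS and the reminder_host/scan functions are constructed for this illustration.

```python
import re

# Constructed sample items (not real messages): each dict holds the named MAPI
# properties a scanner would read from an appointment. In MS-OXOCAL these are
# PidLidReminderOverride (0x851C) and PidLidReminderFileParameter (0x851F).
SAMPLE_ITEMS = [
    {"subject": "Team sync", "PidLidReminderSet": True},
    {"subject": "Budget review", "PidLidReminderSet": True,
     "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\192.0.2.10\sounds\chime.wav"},
    {"subject": "Lunch", "PidLidReminderSet": True,
     "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"},
    {"subject": "All hands", "PidLidReminderSet": True,
     "PidLidReminderOverride": False,
     "PidLidReminderFileParameter": r"\\fileserver.corp.example\media\bell.wav"},
]

# Host component of a UNC path; also accepts the \\?\UNC\host\share and //host/share forms.
UNC_RE = re.compile(r"^(?:\\\\\?\\UNC\\|\\\\|//)([^\\/]+)[\\/]", re.IGNORECASE)


def reminder_host(path):
    """Return the host named in a UNC reminder path, or None for local/empty paths."""
    match = UNC_RE.match(path or "")
    return match.group(1) if match else None


def scan(items, trusted_hosts=frozenset()):
    """Return one finding per appointment whose reminder sound points at a remote host.

    A UNC path in PidLidReminderFileParameter is the precondition the exploit needs:
    when the reminder fires, Outlook opens it over the network and authenticates.
    Hosts on the allow-list are skipped; the override flag is reported so triage
    can see whether the item also forces Outlook to use the custom sound.
    """
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for item in items:
        host = reminder_host(item.get("PidLidReminderFileParameter"))
        if host is None or host.lower() in trusted:
            continue
        findings.append({"subject": item.get("subject", "(no subject)"),
                         "host": host,
                         "override": bool(item.get("PidLidReminderOverride", False))})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_ITEMS):
        print(f"REVIEW: {f['subject']!r} fetches reminder sound from {f['host']} "
              f"(override={f['override']})")
```

On a real mailbox the same check would be fed from an MSG/MAPI parser that exposes these named properties; items flagged with override=True match the exact combination the PoC sends.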

You can also use the Keysight test platforms with an ATI subscription to safeguard your network against such attacks. Keysight Threat Simulator or BreakingPoint products can help you assess your network security controls and determine whether you are protected before the patch is applied. This kind of assessment is valuable because it tells you whether you have protection during the window before a change management slot opens. More on this below.

Leverage subscription service to stay ahead of attacks

Keysight's Application and Threat Intelligence (ATI) Subscription provides daily malware updates and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously tracks threats as they appear in the wild to help keep your network secure, and it has added coverage for this vulnerability in release ATI-2023-06. More information is available here.

Fig 8: CVE-2023-23397 in BreakingPoint
