Friday, March 31, 2023

An exploit has been created for a critical vulnerability in Microsoft Outlook



Sending an email that carries a calendar appointment is enough to harvest the credentials an attacker needs to move into the corporate network.

A security researcher has published a proof-of-concept (PoC) exploit for a critical vulnerability in Microsoft Outlook for Windows (CVE-2023-23397). The bug lets a remote attacker steal the victim's NTLM credential hash (a Net-NTLMv2 response) merely by sending an email that the Outlook client receives and processes; no click or preview by the user is required.

Microsoft released a PowerShell script to help administrators check whether any users in their Exchange environment have been targeted through this Outlook vulnerability. Run in audit mode, the script reports items that carry the malicious property; run in cleanup mode against the Exchange server, it can clear that property from the affected items or delete the items outright.

By studying Microsoft's script, which inspects Exchange messaging items for signs of exploitation, MDSec red team member Dominic Chell worked out how easily an attacker can exploit the bug. MDSec has published a video showing CVE-2023-23397 in action.

Chell observed that the script looks for the PidLidReminderFileParameter property inside received mail items and removes it if present. This property lets the sender specify the sound file that the Outlook client should play when the item's reminder fires.

Chell reasoned that if the property accepts a file name, it should also accept a UNC path, and resolving a UNC path makes Outlook connect to the remote share and perform NTLM authentication. The companion property PidLidReminderOverride tells Outlook to honour the custom reminder sound, so setting it forces the client to open the attacker-controlled UNC path stored in PidLidReminderFileParameter.

With this, the researcher built a malicious Outlook email (.MSG) containing a calendar appointment that triggers the vulnerability and sends the target's NTLM hash to a server of the attacker's choosing. A captured Net-NTLMv2 hash can then be used in an NTLM relay attack to authenticate to other services on the corporate network (wherever NTLM signing is not enforced), or cracked offline to recover the user's password.

Stealing NTLM hashes using a calendar in Microsoft Outlook

Calendar appointments are not the only vehicle: Outlook tasks, notes, and ordinary emails also carry reminders, so an attacker can use any of them to steal hashes. Chell also notes that CVE-2023-23397 forces Outlook to authenticate to an IP address that lies outside the trusted intranet zone or trusted sites, so the zone restrictions that would normally hold back automatic credential release do not protect the victim.
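The audit and cleanup logic described above, as an added example that is neither Microsoft's script nor MDSec's proof of concept: it models how an Exchange-side check can recognise the two reminder properties the PoC abuses and strip them. The MAPI property IDs are the real ones for the PSETID_Common namespace (0x851C for PidLidReminderOverride, 0x851F for PidLidReminderFileParameter); the mailbox items, item IDs, hosts and the trusted-host list are constructed for the demonstration, items are plain dictionaries standing in for the property bags a real script would fetch through EWS or MAPI, and the zone check is a deliberately simplified model of the Windows intranet-zone rules.

```python
"""Audit/cleanup logic for CVE-2023-23397 reminder properties.

Added example, not Microsoft's script or MDSec's PoC.  Mailbox items are
plain dicts standing in for MAPI/EWS property bags; the sample items,
item IDs, hosts and trusted-host list are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Named properties in PSETID_Common {00062008-0000-0000-C000-000000000046}
PID_LID_REMINDER_OVERRIDE = 0x851C        # PT_BOOLEAN: honour the custom reminder sound
PID_LID_REMINDER_FILE_PARAMETER = 0x851F  # PT_UNICODE: path of the sound file to play

# Hosts this (assumed) environment maps to the Local intranet / Trusted sites zones.
TRUSTED_HOSTS = {"fileserver.corp.example"}

# \\host\share\file  or  \\?\UNC\host\share\file  (forward slashes are normalised first)
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)(?:\\.*)?$", re.IGNORECASE)


def unc_host(path: str) -> Optional[str]:
    """Host part of a UNC path, or None for a local path such as C:\\Windows\\Media\\ding.wav."""
    match = UNC_RE.match(path.replace("/", "\\"))
    if not match:
        return None
    # Strip WebDAV-style suffixes (\\host@80\..., \\host@SSL@443\...) so only the host remains.
    return match.group(1).split("@")[0].lower()


def is_intranet_host(host: str) -> bool:
    """Simplified zone model: explicitly trusted hosts and single-label names count as
    intranet; every FQDN or IP literal is treated as internet (real mapping is per-machine policy)."""
    return host in TRUSTED_HOSTS or "." not in host


@dataclass
class Finding:
    item_id: str
    item_class: str
    path: str
    host: str
    reason: str


def audit_item(item: Dict) -> Optional[Finding]:
    """Return a Finding when the item's reminder sound would make Outlook authenticate remotely."""
    path = item.get(PID_LID_REMINDER_FILE_PARAMETER)
    if not path:
        return None                      # no custom reminder sound at all
    host = unc_host(path)
    if host is None or is_intranet_host(host):
        return None                      # local file or intranet share: expected behaviour
    reason = "reminder sound is a UNC path to a non-intranet host (NTLM leak when the reminder fires)"
    if item.get(PID_LID_REMINDER_OVERRIDE):
        reason += "; PidLidReminderOverride is set, so Outlook will honour it"
    return Finding(item["id"], item["class"], path, host, reason)


def audit(items: List[Dict]) -> List[Finding]:
    """Audit mode: list every suspicious item across the mailbox."""
    return [f for f in (audit_item(i) for i in items) if f is not None]


def cleanup(item: Dict) -> Dict:
    """Cleanup mode: copy of the item with both abused reminder properties removed."""
    cleaned = dict(item)
    cleaned.pop(PID_LID_REMINDER_FILE_PARAMETER, None)
    cleaned.pop(PID_LID_REMINDER_OVERRIDE, None)
    return cleaned


# Constructed mailbox contents (TEST-NET address and reserved example names).
SAMPLE_ITEMS = [
    {"id": "item-1", "class": "IPM.Appointment",            # modelled on the PoC appointment
     PID_LID_REMINDER_OVERRIDE: True,
     PID_LID_REMINDER_FILE_PARAMETER: r"\\203.0.113.5\share\reminder.wav"},
    {"id": "item-2", "class": "IPM.Task",                   # same trick on a task, long-form UNC
     PID_LID_REMINDER_OVERRIDE: True,
     PID_LID_REMINDER_FILE_PARAMETER: r"\\?\UNC\attacker.example@80\dav\reminder.wav"},
    {"id": "item-3", "class": "IPM.Appointment",            # benign: local sound file
     PID_LID_REMINDER_OVERRIDE: True,
     PID_LID_REMINDER_FILE_PARAMETER: r"C:\Windows\Media\ding.wav"},
    {"id": "item-4", "class": "IPM.Note",                   # benign: intranet file server
     PID_LID_REMINDER_FILE_PARAMETER: r"\\fileserver.corp.example\sounds\alert.wav"},
    {"id": "item-5", "class": "IPM.Note"},                  # no reminder customisation
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ITEMS):
        print(f"{finding.item_id} ({finding.item_class}): {finding.host} <- {finding.path}: {finding.reason}")
```

Running the block lists item-1 and item-2 only: the local sound file and the intranet share are left alone, which is the distinction an audit has to make if it is not to flag every custom reminder in the organisation. A real deployment replaces the trusted-host set with the zone configuration actually pushed to clients, and treats any finding as a reason to pull the item rather than just clean it, because the hash has already left the machine if the reminder has fired.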

Microsoft urges customers to apply the released fix immediately. As interim mitigations it recommends adding users to the Protected Users security group in Active Directory, whose members cannot authenticate with NTLM at all, and blocking outbound SMB (TCP port 445) at the network edge so Outlook clients cannot reach attacker-controlled shares on the internet.


