Microsoft yesterday released a patch for a critical Microsoft Outlook vulnerability (CVE-2023-23397) that lets attackers remotely steal hashed passwords from a target who merely receives a crafted email. Security researchers have now shared technical details for exploiting the vulnerability, which has been exploited as a zero-day in NTLM-relay attacks since at least mid-April 2022.
The vulnerability is a privilege escalation flaw with a 9.8 severity rating that affects all versions of Microsoft Outlook on Windows. An attacker can use it to steal NTLM credentials simply by sending the target a malicious email. No user interaction is needed: exploitation occurs as soon as Outlook is open and the message's reminder fires on the system. According to Microsoft, “a Russia-based threat actor” exploited the vulnerability in targeted attacks against several European organizations in the government, transportation, energy, and military sectors.
Dominic Chell, a red team member at security consulting company MDSec, discovered how easily a threat actor could leverage the bug. He noted that Microsoft's script could look for the “PidLidReminderFileParameter” property inside received mail items and remove it when present. Chell explains that this property lets the sender define the filename of the sound the Outlook client should play when the message reminder is triggered. He also discovered that the PidLidReminderOverride property could be used to make Microsoft Outlook parse a remote, malicious UNC path placed in the PidLidReminderFileParameter property. With this information, the researcher created a malicious Outlook email (.MSG) containing a calendar appointment that triggers the vulnerability and sends the target’s NTLM hashes to an arbitrary server. As Microsoft noted, “The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication.”
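The two properties above are also the whole basis for defensive triage: an item is suspicious when PidLidReminderFileParameter points somewhere off the machine, and PidLidReminderOverride shows whether Outlook has been told to honour that path. The following Python is an added example written for this article; it is not Microsoft's script or MDSec's code. It models mail items as plain dicts of property names (no MAPI access), flags reminder-file values that name a remote host, and strips the property the way the article says the remediation works. Treating file://host URLs as remote is a conservative choice of this example, not something the article describes, and all sample items, hosts and IDs are constructed.

```python
import re
from dataclasses import dataclass

# Named MAPI properties (PSETID_Common) discussed in the article.
REMINDER_OVERRIDE = "PidLidReminderOverride"
REMINDER_FILE_PARAMETER = "PidLidReminderFileParameter"

# \\host\share\file.wav  -> an SMB connection to "host" when the reminder fires.
_UNC = re.compile(r"^\\\\([^\\/]+)[\\/]")
# file://host/path is treated as remote here as well (assumption of this example).
_FILE_URL = re.compile(r"^file://([^/\\]+)[\\/]", re.IGNORECASE)
_LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def remote_host(path):
    """Host a reminder-file path would make Outlook connect to, or None if it is local."""
    if not isinstance(path, str):
        return None
    m = _UNC.match(path.strip()) or _FILE_URL.match(path.strip())
    if not m:
        return None
    host = m.group(1)
    return None if host.lower() in _LOCAL_HOSTS else host


@dataclass(frozen=True)
class Finding:
    item_id: str
    host: str
    override_set: bool  # PidLidReminderOverride present and true


def inspect_item(item):
    """Return a Finding when the item's reminder sound lives on a remote host."""
    props = item.get("props", {})
    host = remote_host(props.get(REMINDER_FILE_PARAMETER))
    if host is None:
        return None
    return Finding(item["id"], host, bool(props.get(REMINDER_OVERRIDE, False)))


def scan(items):
    """Inspect a mailbox export and collect every item that would reach out."""
    return [f for f in (inspect_item(i) for i in items) if f is not None]


def remediate(item):
    """Return a copy of the item with the remote reminder-file property removed,
    which is the approach the article attributes to the script: find it, drop it."""
    if inspect_item(item) is None:
        return item
    props = {k: v for k, v in item["props"].items() if k != REMINDER_FILE_PARAMETER}
    return {**item, "props": props}


# Constructed sample mailbox: plain reminder, local sound, remote UNC path, file:// URL.
SAMPLE_ITEMS = [
    {"id": "msg-1", "props": {"PidLidReminderSet": True}},
    {"id": "msg-2", "props": {REMINDER_OVERRIDE: True,
                              REMINDER_FILE_PARAMETER: r"C:\Windows\Media\chimes.wav"}},
    {"id": "msg-3", "props": {REMINDER_OVERRIDE: True,
                              REMINDER_FILE_PARAMETER: r"\\203.0.113.5\reminders\r.wav"}},
    {"id": "msg-4", "props": {REMINDER_FILE_PARAMETER: "file://reminder.example.test/s.wav"}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ITEMS):
        print(f"{f.item_id}: reminder file on {f.host} (override set: {f.override_set})")
    cleaned = [remediate(i) for i in SAMPLE_ITEMS]
    print("findings after remediation:", len(scan(cleaned)))
```

Items whose reminder path is remote are reported even when PidLidReminderOverride is absent, since the flag is cheap to add and a remote path has no legitimate reason to be there; the override state is carried in the finding so triage can prioritise items that would actually fire.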
MDSec shared a video showing how the newly patched critical vulnerability in Microsoft Outlook can be exploited. The vulnerability was found and reported to Microsoft by Ukraine’s Computer Emergency Response Team (CERT-UA).