Microsoft has disclosed a privilege escalation vulnerability in Outlook for Windows (CVE-2023-23397) that can be used to steal NTLM credentials via a crafted Reminder alert. The issue can be exploited by a malicious email that forces authentication to a threat actor-controlled SMB server, potentially yielding the NTLM hash. #CVE-2023-23397 #Outlook #NTLM #SMB #PidLidReminderFileParameter #PidLidReminderOverride
Key points
- The vulnerability affects Outlook for Windows and is assigned CVE-2023-23397 with a high severity (CVSS 9.8).
- The attack abuses PidLidReminderFileParameter to point to a sound file and PidLidReminderOverride to mark trust, enabling credential theft via SMB.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – A malicious email (the PoC creates a malicious msg) used to trigger exploitation when opened. ‘When a user receives a maliciously created email like the one above, the user is forced to authenticate with the SMB server controlled by the threat actor…’
- [T1550.003] Use of NTLM – The attack leverages NTLM authentication to the attacker-controlled SMB server to obtain credentials. ‘If a threat actor uses the PidLidReminderFileParameter value within an email to send a message with the PidLidReminderOverride value set as true to a controllable SMB server, then the recipient will become vulnerable without any interaction.’
- [T1021.002] SMB/Windows Admin Shares – The threat actor’s SMB server is used as the authentication target for credential theft during the reminder interaction. ‘to a controllable SMB server’ and related statements describe leveraging SMB in the attack.
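A defender-side triage check for the property combination described above, added here as an example and not code from the ASEC post or from Microsoft: given the named MAPI reminder properties already extracted from a message (the extraction layer and the sample values are assumed), it flags a PidLidReminderFileParameter that points to a UNC path while PidLidReminderOverride is set, which is the condition that makes Outlook reach out to a remote SMB host.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Named MAPI property names from the advisory; the values used below are
# constructed for this example, not taken from a real message.
REMINDER_FILE = "PidLidReminderFileParameter"
REMINDER_OVERRIDE = "PidLidReminderOverride"

# Matches \\host\share\... and the long-path form \\?\UNC\host\share\...
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)\\", re.IGNORECASE)


@dataclass
class Finding:
    suspicious: bool
    host: Optional[str]
    reason: str


def unc_host(path: str) -> Optional[str]:
    """Return the host part of a UNC path, or None for local paths."""
    m = UNC_RE.match(path.strip())
    return m.group(1) if m else None


def check_reminder_props(props: dict) -> Finding:
    """Triage one message's reminder properties (name -> value)."""
    path = props.get(REMINDER_FILE)
    if not path:
        return Finding(False, None, "no custom reminder sound set")
    host = unc_host(str(path))
    if host is None:
        return Finding(False, None, "reminder sound is a local path")
    if not props.get(REMINDER_OVERRIDE):
        return Finding(False, host, "UNC path present but override flag not set")
    return Finding(True, host, "UNC reminder sound with override set: forces outbound SMB auth")


# Constructed samples: a benign local sound and a message shaped like the
# advisory describes (placeholder host 203.0.113.10, a documentation address).
BENIGN = {REMINDER_FILE: r"C:\Windows\Media\chimes.wav", REMINDER_OVERRIDE: True}
SUSPECT = {REMINDER_FILE: r"\\203.0.113.10\share\r.wav", REMINDER_OVERRIDE: True}

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, check_reminder_props(msg))
```

The same check can be applied to calendar items and tasks, since the reminder properties are not specific to mail messages.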
Indicators of Compromise
- [Hash] 03a81e52235b2b5ffb182f437941e3605218c52fd14b55c208b07065d770a8ef, 078b5023cae7bd784a84ec4ee8df305ee7825025265bf2ddc1f5238c3e432f5f – example SHA-256 hashes identified in the IOC list
- [File] Trojan/Msg.Agent (2023.03.17.00), Exploit/BIN.Agent (2023.03.18.01) – examples from the file detection section
Read more: https://asec.ahnlab.com/en/50218/