PoC for a serious Microsoft Outlook bug demonstrates how simple it is to exploit


The issue, tracked as CVE-2023-23397, is a CVSS 9.8 elevation of privilege vulnerability that affects all versions of Microsoft Outlook on Windows.

Microsoft released a patch for the vulnerability yesterday. This vulnerability has been exploited as a zero-day vulnerability in NTLM relay attacks since at least mid-April 2022.

An attacker can use it to steal NTLM credentials simply by sending a malicious email to the target. No user interaction is required: the exploit fires when Outlook is open and a reminder is triggered on the system. Windows New Technology LAN Manager (NTLM) is an authentication method used to log on to Windows domains using hashed credentials.

NTLM authentication has known risks, but is still used by newer systems to ensure compatibility with older systems.

It uses a password hash that the server obtains from the client when trying to access a shared resource such as an SMB share. If stolen, these hashes can be used to authenticate on the network.

Microsoft explained that an attacker could obtain the target's NTLM hash by exploiting CVE-2023-23397 to send "messages with extended MAPI properties with UNC paths to SMB shares (TCP 445) on attacker-controlled servers."

More technical details on exploiting this issue were published shortly after Microsoft released the fix, by researchers at the security consulting firm MDSec. After reviewing a Microsoft script that checks Exchange messaging items for signs of CVE-2023-23397 exploitation, MDSec red team member Dominic Chell explained how easily an attacker could exploit the flaw.

He found that the script looks for the PidLidReminderFileParameter property on received mail items and removes it if present. Chell explains that this property lets the sender define the filename that the recipient's Outlook client will play when the reminder is triggered.

Why this was possible remains a mystery the researchers could not resolve, since the sender of an email ordinarily should not be able to set the notification sound for new messages on the recipient's system. Chell pointed out that if the property accepts filenames, it should also be possible to supply a UNC path to trigger NTLM authentication. The researchers also discovered that the PidLidReminderOverride property can be used to make Microsoft Outlook parse a remote malicious UNC path in the PidLidReminderFileParameter property.

With this information, the researchers were able to craft a malicious Outlook email (.MSG) containing a calendar event that triggers the vulnerability and sends the target's NTLM hash to arbitrary servers. These stolen NTLM hashes can then be used to perform NTLM relay attacks for deeper access into corporate networks.
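As an added illustration (not Microsoft's script or MDSec's work), the following Python sketch shows the defensive check the article describes: inspecting a mail item's PidLidReminderFileParameter for a UNC path, and recording whether PidLidReminderOverride is also set. The message dictionaries and their `properties` layout are assumptions of this example, not a real MSG parser.

```python
import re
from dataclasses import dataclass

# Named-property identifiers named in the article; the dict layout used below
# is an assumption of this example (constructed input, not a real MSG parser).
PID_LID_REMINDER_FILE_PARAMETER = "PidLidReminderFileParameter"
PID_LID_REMINDER_OVERRIDE = "PidLidReminderOverride"

# UNC path in plain (\\server\share) or long-path (\\?\UNC\server\share) form,
# backslashes or forward slashes; the long form is tried first so the host is
# captured correctly. Group 1 is the remote host.
_UNC_RE = re.compile(r"^(?:\\\\\?\\UNC\\|\\\\|//)([^\\/]+)(?:[\\/]|$)", re.IGNORECASE)

@dataclass
class Finding:
    message_id: str
    remote_host: str
    file_parameter: str
    override_set: bool

def unc_host(path):
    """Return the server part of a UNC path, or None if the path is local."""
    m = _UNC_RE.match(path.strip())
    return m.group(1) if m else None

def scan_messages(messages):
    """Flag items whose reminder sound file points at a remote share."""
    findings = []
    for msg in messages:
        props = msg.get("properties", {})
        path = props.get(PID_LID_REMINDER_FILE_PARAMETER)
        if not isinstance(path, str):
            continue
        host = unc_host(path)
        if host is None:
            continue  # local files such as C:\Windows\Media\reminder.wav are expected
        findings.append(Finding(msg["id"], host, path,
                                bool(props.get(PID_LID_REMINDER_OVERRIDE, False))))
    return findings

# Constructed sample items (hosts use reserved example addresses, not real data).
SAMPLE_MESSAGES = [
    {"id": "item-001", "properties": {}},
    {"id": "item-002", "properties": {PID_LID_REMINDER_FILE_PARAMETER: r"C:\Windows\Media\reminder.wav",
                                      PID_LID_REMINDER_OVERRIDE: True}},
    {"id": "item-003", "properties": {PID_LID_REMINDER_FILE_PARAMETER: r"\\example.invalid\share\sound.wav",
                                      PID_LID_REMINDER_OVERRIDE: True}},
    {"id": "item-004", "properties": {PID_LID_REMINDER_FILE_PARAMETER: r"\\?\UNC\192.0.2.10\share\x.wav"}},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f.message_id}: reminder file on remote host {f.remote_host} (override={f.override_set})")
```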
