#CyberVeille #cve202323397 CVE-2023-23397
🔗
The Guidance
👇
https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/

The oopsie
👇
1) a single message with the MAPI property PidLidReminderFileParameter set is enough

2) the 0-click remains exploitable on an internal network if the attacker sets a host name (without a dot) in the UNC path (the patch apparently does not cover this case, in order to preserve a ...convenience feature)

[I sense this technique is going to become a pentest/red team classic]

👇
🐦🔗 https://twitter.com/wdormann/status/1636784861036806161

👇
🐦🔗 https://twitter.com/an0n_r0/status/1640304974755135488

Guidance for investigating attacks using CVE-2023-23397 | Microsoft Security Blog

This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397.
Wow, I'm late. The #cve202323397 is still exploitable even after patching.

https://nitter.nl/domchell/status/1636742613121236992
Dominic Chell 👻 (@domchell)

Following some additional testing of #CVE-2023-23397 - I can confirm MS have only partially fixed this. You can still trigger auth to systems in trusted zones - i.e. other AD-joined systems, which can then be relayed for privilege escalation 🔥 https://vimeo.com/809084317
#Crowdstrike attributing #cve202323397 (Outlook Zero-Day) to FANCY BEAR with "high confidence" and states that they've likely "exploited this vulnerability since at least March 2022 to target organizations in multiple sectors around the world including energy, government, defense, transportation, and aerospace". Once the vulnerability became public last week, FANCY BEAR conducted a spear-phishing campaign in an effort to exploit it before being mitigated.
#threatintel

Here it is, the code that successfully exploited #CVE202323397 remotely.

It turns out that the ReminderOverrideDefault, ReminderPlaySound, and ReminderSoundFile properties are available on straight-up emails, not just cal invites. Tasks also, but mail is easiest.

So load this function, then run the function as shown.

The result is you and the recipient will have hashes disclosed to the remote SMB server.

I'm once again asking if _anyone_ has seen the PoCs for #CVE202323397 actually work against remote targets.

MDSec demo: local attack
Hammond's demo: local attack
My own testing: local attack

With both flavors of PoC right now, I can only get this thing to trigger on my own machine, but not recipients. The invite is received, but the SMB server is not contacted by the target. I'm wondering if we're missing something here.

#InfoSec #ThreatIntel #CyberSecurity

Critical Outlook Vulnerability: In-Depth Technical Analysis and Recommendations (CVE-2023-23397) - TrustedSec

For those tracking #cve202323397 some notes.

1. Will Dormann reports that the patch from MS only stops UNC paths with `.` in them. That means local hostnames are still fair game, and this was always scarier as a post-exploitation TTP.

2. I have yet to see a demo where the thing is triggered on a remote target. I can pop my own NTLM hash with existing PoCs, but not others, which may be a limiting factor.

#ThreatIntel #InfoSec #CyberSecurity
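Added example, not taken from any of the posts above and not Microsoft's own scanning script: a small Python triage helper that runs over a constructed mailbox export of the property named in the first post (PidLidReminderFileParameter) and shows, for the patch gap Will Dormann's report describes, why a filter that only refuses hosts containing a dot lets dotless intranet hosts through, and how a defender-side rule that flags every remote reminder-file target catches them. The sample rows, mailboxes and host names are constructed; `blocked_by_dot_rule` is a model of the behaviour the posts report, not a reimplementation of the patch.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample rows in the shape an analyst might get from a mailbox
# export: (mailbox, subject, value of the PidLidReminderFileParameter
# property). Every value below is made up for illustration.
SAMPLE_EXPORT = [
    ("alice@corp.example", "Quarterly review", r"C:\Windows\Media\chimes.wav"),
    ("bob@corp.example",   "Invoice 2023-03",  r"\\203.0.113.10\share\reminder.wav"),
    ("carol@corp.example", "Team sync",        r"\\fileserver\reminders\ping.wav"),
    ("dave@corp.example",  "Lunch",            r"\\fileserver@80\DavWWWRoot\ping.wav"),
    ("erin@corp.example",  "Reminder",         r"//nas-01/sounds/beep.wav"),
    ("frank@corp.example", "Meeting",          r"%SystemRoot%\Media\notify.wav"),
]

# UNC-style targets: \\host\..., //host/..., and the WebDAV spellings
# \\host@80\..., \\host@SSL\..., \\host@SSL@443\...
UNC_RE = re.compile(
    r"^[\\/]{2}(?P<host>[^\\/@]+)(?:@(?P<port>SSL(?:@\d+)?|\d+))?[\\/]"
)


class RemotePath(NamedTuple):
    host: str
    port: Optional[str]   # "80", "SSL", "SSL@443", or None for plain SMB
    host_has_dot: bool


def parse_remote_path(value: str) -> Optional[RemotePath]:
    """Return the remote target of a reminder-file value, or None if it is local."""
    m = UNC_RE.match(value.strip())
    if not m:
        return None
    host = m.group("host")
    return RemotePath(host=host, port=m.group("port"), host_has_dot="." in host)


def blocked_by_dot_rule(value: str) -> bool:
    """Model of the check the posts describe: a UNC path is refused only when
    its host name contains a dot, so dotless (intranet-style) hosts pass."""
    rp = parse_remote_path(value)
    return rp is not None and rp.host_has_dot


def flagged_by_strict_rule(value: str) -> bool:
    """Defender-side rule: any reminder file that points off-host is suspicious."""
    return parse_remote_path(value) is not None


class Finding(NamedTuple):
    mailbox: str
    subject: str
    host: str
    port: Optional[str]
    covered_by_dot_rule: bool


def triage(rows) -> list:
    """One Finding per row whose reminder file points at a remote host."""
    findings = []
    for mailbox, subject, value in rows:
        rp = parse_remote_path(value)
        if rp is None:
            continue
        findings.append(Finding(mailbox, subject, rp.host, rp.port, rp.host_has_dot))
    return findings


def summarize(findings) -> dict:
    """Count how many remote targets a dot-only filter would and would not catch."""
    covered = sum(1 for f in findings if f.covered_by_dot_rule)
    return {"remote_targets": len(findings),
            "covered_by_dot_rule": covered,
            "dotless_hosts": len(findings) - covered}


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        gap = "" if f.covered_by_dot_rule else "  <- passes a dot-only filter"
        print(f"{f.mailbox:22} {f.subject:18} -> {f.host} ({f.port or 'smb'}){gap}")
    print(summarize(triage(SAMPLE_EXPORT)))
```

The strict rule will also flag legitimate intranet shares used for custom reminder sounds, so treat its output as a triage list to review against known file servers, not as a verdict; the point of the comparison is that three of the four remote targets in the sample pass a dot-only check.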

So the Outlook jawn.

Sending NTLMv2 hashes to the web sucks, but to me this is scarier as a post-exploit spearphishing tool. Imagine hanging out in a network with Inveigh/Responder, then being able to email the exact person whose hash you want.

#CVE202323397 #InfoSec #CyberSecurity

Partial mitigation for CVE-2023-23397 if you are running ESET is to configure your trusted zone and enable "Deny NTLM authentication in SMB protocol for connecting a server outside the Trusted zone". (This is ESET firewall Trusted Zone not the Windows one)

While this won't stop the WebDAV authentication it's a good mitigation to consider.

Kudos to @[email protected] for testing it. https://twitter.com/donnymaasland/status/1635918233487265793

#CVE202323397