On March 14th, 2023, Microsoft released a “Patch Tuesday” security update to address 76 separate vulnerabilities. Included among them was CVE-2023-23397, a critical vulnerability (rating 9.8) affecting Microsoft’s Outlook email client. Exploitation of the vulnerability allows remote credential replay attacks leading to escalation of privilege with no user interaction. Also on March 14th, researchers published a proof-of-concept exploit for the vulnerability. Although it was not publicly disclosed until March 2023, there is evidence that this vulnerability had been exploited in the wild by state-sponsored threat actors since at least April 2022.
In the patch notes, Microsoft described the Outlook vulnerability as “a privilege escalation vulnerability that allows for a NTLM (New Technology LAN Manager) Replay attack against another service to authenticate as the user.” Fidelis Security’s Threat Research Team (TRT) performed a deep-dive analysis of the vulnerability and developed a Fidelis Network® detection capability that provides real-time alerting for this attack. This blog post details the findings of our tests, along with the background information about Windows NTLM required for context.
NTLM is Microsoft’s suite of security protocols that provide authentication, integrity, and confidentiality to end users. Microsoft no longer recommends deploying NTLM in modern systems, yet it is often still implemented to maintain legacy compatibility. In its simplest form, NTLM is a challenge-response protocol that uses three steps to authenticate a client:
- Negotiation message: establish network path and negotiate capabilities of client and server.
- Challenge message: server responds with a challenge message including a random 8-byte number to prompt the client to authenticate.
- Authentication message: the client responds with the random number combined with a hashed version of the password, which is checked against the value stored on the domain controller.
It is the hash value that is of particular importance to our discussion. Because of the way NTLM implements its hashing (i.e., without salting), the hash value can be used to authenticate just as if the attacker had access to the un-hashed password. If an attacker can obtain the hash value of the password, they can replay the hash and authenticate to the domain controller without ever knowing the original password and without any user interaction. In normal operation the challenge-response exchange is designed so that an attacker observing it cannot obtain the hash, but the exploit described in CVE-2023-23397 provides a way to force an Outlook client running on Windows to send the NTLM password hash value to the attacker.
The vulnerability takes advantage of the way that Microsoft Outlook parses calendar appointment invitations. Outlook clients use the Messaging Application Programming Interface (MAPI) client protocol to communicate with the Exchange servers that host email messages. By using the extended MAPI properties, an attacker can define a Universal Naming Convention (UNC) file path to a remote server and force the client to send an NTLM authentication message to that server over SMB (port 445). This authentication message contains the NTLM hash value that is used to authenticate to the Domain Controller. Once the attacker has captured this message, they can replay it and impersonate the credentialed user.
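The following is an added illustration of the three-step exchange described above and of why possession of the stored hash is equivalent to possession of the password; it is not code from the original post or from Fidelis. It is a simplified model: the real protocol hashes passwords with MD4 and computes the response with HMAC-MD5 over the challenge, whereas here SHA-256 and HMAC-SHA256 stand in so that the example runs on any current Python without legacy OpenSSL algorithms. The class and function names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Simplified model of NTLM challenge-response (added example, not the
# post's own code). Stand-ins: SHA-256 replaces MD4 for the stored hash
# and HMAC-SHA256 replaces HMAC-MD5 for the response computation.


def password_hash(password: str) -> bytes:
    """Unsalted hash of the password, as the domain controller stores it.
    Because there is no salt, the hash alone (never the password) is the
    only secret needed to produce a valid response."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Step 3 payload: a keyed digest over the server's challenge.
    Note the key is the hash, not the clear-text password."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


@dataclass
class DomainController:
    # username -> password_hash; constructed sample data lives in demo()
    stored_hashes: dict = field(default_factory=dict)

    def challenge(self) -> bytes:
        """Step 2: a fresh random 8-byte challenge per authentication."""
        return os.urandom(8)

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        """Recompute the expected response from the stored hash and compare."""
        stored = self.stored_hashes.get(username)
        if stored is None:
            return False
        expected = compute_response(stored, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(dc: DomainController, username: str, responder) -> bool:
    """Drive one authentication: step 1 (negotiate) is elided, step 2 issues
    the challenge, step 3 is the responder's answer, then the DC verifies."""
    chal = dc.challenge()
    return dc.verify(username, chal, responder(chal))


def demo():
    """Returns (legitimate_ok, hash_only_ok, wrong_password_ok)."""
    dc = DomainController({"alice": password_hash("correct horse")})
    legit = run_exchange(dc, "alice",
                         lambda c: compute_response(password_hash("correct horse"), c))
    # A party holding only the stored hash value answers identically:
    # this is the property the text relies on.
    hash_only = run_exchange(dc, "alice",
                             lambda c: compute_response(password_hash("correct horse"), c))
    wrong = run_exchange(dc, "alice",
                         lambda c: compute_response(password_hash("wrong"), c))
    return legit, hash_only, wrong


if __name__ == "__main__":
    print(demo())
```

The random per-session challenge is what binds each response to one exchange: the same hash produces a different response for every challenge, so what a defender should watch for is the hash material or a live authentication message leaving the network, not a fixed byte pattern in the response itself.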
The MAPI property at fault is the “PidLidReminderFileParameter.” This property allows an email sender to specify a UNC file path that the receiving client uses when playing an audio reminder for an overdue calendar appointment.
Prior to Microsoft’s patch, there was no enforcement mechanism to ensure that this property pointed to a local file. Therefore, an attacker can specify a remote and malicious UNC file path in this property. When Outlook parses this file path for a remote server, it attempts to authenticate to the server by sending its NTLM authentication message. The malicious server can then record this message and use it in future replay attacks to impersonate the targeted user.
This exploit is unique in its ability to easily take control of a user’s account without that user’s interaction. Typically, a user must fall for a phishing attempt or otherwise play a part in the compromise. In this case, no action is required on the user’s part because the exploit occurs as soon as the calendar appointment is received. Likewise, the attacker does not need to gain elevated privileges prior to the attack. Also, SMB is not a protocol that edge firewalls typically block for outbound connections. Because of these characteristics, Fidelis Security believes this vulnerability will quickly rise to our Top 10 list of critical vulnerabilities.
In order to detect the exploit within the Microsoft Exchange Server environment, Microsoft released a script that searches for messaging items that contain a UNC path. The script also provides an option to remove those items. This approach is after the fact, however, and will not stop attacks in progress. To provide real-time detection, Fidelis TRT developed a capability that detects the attack in transit on the wire.
Detecting Active Exploits of the Microsoft Outlook Remote Hash Vulnerability
To transmit a MAPI message over SMTP, Microsoft first wraps the message in the Transport Neutral Encapsulation Format (TNEF) and includes it as an attachment (winmail.dat) to the email message. To detect the exploit on the wire, Fidelis’ Deep Session Inspection® technology reassembles the communication channel up to the application layer to identify the MAPI parameters associated with the vulnerability (i.e., PidLidReminderFileParameter set to a UNC file path). The challenge in developing custom detections is to identify parameters that have a high probability of detecting the attack with a low probability of generating false positives.
To do this, Fidelis first determined how that property is encoded in TNEF. Within MAPI, the presence of PidLidReminderFileParameter is defined by the hex stream 0x0000851F. When transmitted on the wire via TNEF, that same string of bytes appears appended to the PSETID_COMMON field (00062008-0000-0000-C000-000000000046) with four NULL bytes between them. The PidLidReminderFileParamValue is set to true (01 00), followed by 2 more NULL bytes, 2 bytes defining the length of the UNC path, and two more NULL bytes. After that, all that is left is to detect the beginning of a UNC path, which starts with a backslash (0x5C). We include a signature for InterPersonal Message (IPM) mail classes as well to ensure we are dealing with an Outlook mail item. The resulting Fidelis Network rule is shown in Figure 3, and the alert produced by this rule after analyzing network traffic is shown in Figure 4.
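The byte layout described above, turned into a runnable scanner as an added example (this is not the Fidelis Network rule from Figure 3 and not Fidelis’ code). It assumes the multi-byte fields are little-endian as TNEF encodes them, so the 0x0000851F property id appears on the wire as `1F 85 00 00` after the GUID and the four NULL bytes, and the “01 00 00 00” and “length + 00 00” fields are read as two 32-bit values. The sample winmail.dat fragments are constructed by `build_sample_fragment` for the test, not captured from real traffic, and the `IPM.` check mirrors the mail-class signature the text mentions.

```python
import struct
import uuid
from typing import List, Optional, Tuple

# Added example of the wire signature described in the text; not the
# vendor's rule. Field layout and endianness are assumptions noted above.
PSETID_COMMON = uuid.UUID("00062008-0000-0000-C000-000000000046").bytes_le
LID_REMINDER_FILE_PARAMETER = 0x851F
# GUID + four NULL bytes + the property id, as the text describes.
SIGNATURE = PSETID_COMMON + b"\x00\x00\x00\x00" + struct.pack("<I", LID_REMINDER_FILE_PARAMETER)
TNEF_MAGIC = b"\x78\x9f\x3e\x22"  # TNEF signature 0x223E9F78, little-endian


def build_sample_fragment(path: str, unicode: bool = True,
                          message_class: Optional[str] = "IPM.Appointment") -> bytes:
    """Constructed winmail.dat fragment around the named property (test data)."""
    if unicode:
        data = path.encode("utf-16-le") + b"\x00\x00"
    else:
        data = path.encode("cp1252") + b"\x00"
    body = TNEF_MAGIC
    if message_class:
        body += message_class.encode("ascii") + b"\x00"
    return (body + SIGNATURE
            + struct.pack("<I", 1)          # "01 00" + "00 00" in the text
            + struct.pack("<I", len(data))  # 2-byte length + "00 00"
            + data + b"\x00" * 8)


def scan_reminder_file_parameter(blob: bytes) -> List[Tuple[int, str, bool]]:
    """Find every PidLidReminderFileParameter occurrence and return
    (offset, decoded path, starts_with_path_separator) for each."""
    hits = []
    start = 0
    while True:
        i = blob.find(SIGNATURE, start)
        if i < 0:
            break
        off = i + len(SIGNATURE)
        if off + 8 > len(blob):
            break
        _count, length = struct.unpack_from("<II", blob, off)
        off += 8
        raw = blob[off:off + length]
        # Strings may be UTF-16LE (second byte of a backslash is 0x00) or 8-bit.
        if len(raw) >= 2 and raw[1] == 0:
            path = raw.decode("utf-16-le", "replace").rstrip("\x00")
        else:
            path = raw.decode("cp1252", "replace").rstrip("\x00")
        # The text's final check: the value begins with a backslash (0x5C).
        # A leading '/' is treated the same since Windows accepts it.
        starts_unc = path.startswith("\\") or path.startswith("/")
        hits.append((i, path, starts_unc))
        start = off + length
    return hits


def detect_outlook_unc_reminder(blob: bytes) -> List[str]:
    """Mirror of the rule's logic: require an IPM mail class and the
    property set to a path beginning with a separator; return those paths."""
    if b"IPM." not in blob:
        return []
    return [path for _, path, starts_unc in scan_reminder_file_parameter(blob) if starts_unc]


if __name__ == "__main__":
    sample = build_sample_fragment("\\\\fileserver.example\\sounds\\ding.wav")
    print(detect_outlook_unc_reminder(sample))
```

Two of the false-positive controls from the text are visible here: a local path such as `C:\Windows\Media\ding.wav` carries the same property signature but fails the leading-backslash check, and a fragment with no `IPM.` class is ignored even if the property is present.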
Threat actors continually innovate, creating novel techniques to gain access to confidential information. CVE-2023-23397 likely originated from a state-sponsored actor, but recent disclosures have made it an easy matter for anyone to leverage this powerful and simple zero-click credential theft attack against vulnerable Microsoft Outlook clients. To keep your organization safe, ensure your systems are up to date and that you have installed an automated detection system, such as Fidelis Elevate, to proactively defend against cyber-threats and active attacks.
Subscribe to the Threat Geek blog for the latest updates, threat research, and industry insights from the professionals at Fidelis Security. To see first-hand how the Fidelis Security platforms help security teams worldwide protect, detect, respond, and neutralize even the most advanced cyber adversaries across network, endpoints, and cloud, schedule a demo.