Microsoft disclosed a Microsoft Outlook vulnerability (an RCE – remote code execution) titled “Microsoft Outlook Elevation of Privilege Vulnerability” and designated CVE-2023-23397 with its Patch Tuesday release (March 14th, 2023).
This vulnerability is an elevation-of-privilege (EoP) vulnerability in Microsoft Outlook. This means that when the vulnerability is exploited, the application gains rights or privileges that should not normally be available to it. In this instance, the increased privilege could allow an attacker to obtain the victim’s password hash.
This vulnerability is being highlighted because it is easy to exploit and because Outlook and Office are so widely used.
Details of Vulnerability
The vulnerability identified by CVE-2023-23397 was patched by Microsoft on 14 March 2023 with its Patch Tuesday releases. It was originally identified in cooperation with CERT-UA (the Computer Emergency Response Team for Ukraine). According to Microsoft, this vulnerability has been used in attacks to target and breach the networks of fewer than 15 Russian and EU government, military, energy, and transportation organizations between mid-April and December 2022.
How It Works
The exploit for this vulnerability is triggered when an attacker sends a specially crafted email using an extended MAPI (Microsoft Outlook Messaging Application Programming Interface) property containing the UNC (Universal Naming Convention) path of an attacker-controlled SMB (Server Message Block) share (running on TCP port 445).
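A defender-side check for the condition described above, as an added example that is not from the original article or from Microsoft: it takes string property values already extracted from a message and flags any that hold a UNC path to a host outside the organisation. The property names, the internal DNS suffix, the address ranges and the sample values are constructed assumptions.

```python
import ipaddress
import re

# Assumptions (hypothetical values): the organisation's DNS suffixes and address ranges.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Matches \\host\share and the long form \\?\UNC\host\share; group 1 is the host.
_UNC = re.compile(r"^(?:\\\\\?\\UNC\\|\\\\)([^\\]+)\\", re.IGNORECASE)


def unc_host(value):
    """Return the lower-cased host of a UNC path, or None if value is not one."""
    m = _UNC.match(value.strip().replace("/", "\\"))
    if not m:
        return None
    host = m.group(1).split("@", 1)[0].lower()  # drop an @port / @SSL suffix
    return None if host in ("", "?", ".") else host  # \\?\C:\ and \\.\ are local


def is_internal(host):
    """True when the host is inside the ranges or suffixes assumed above."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Assumption: single-label names and the listed suffixes are internal.
        return "." not in host or host.endswith(INTERNAL_SUFFIXES)
    return any(ip in net for net in INTERNAL_NETS)


def triage(properties):
    """Return (property name, host) for each value that is a UNC path to an external host."""
    hits = []
    for name, value in properties.items():
        host = unc_host(value) if isinstance(value, str) else None
        if host and not is_internal(host):
            hits.append((name, host))
    return hits


# Constructed sample: string properties of one message, keyed by hypothetical names.
SAMPLE = {
    "extended_prop_1": r"\\203.0.113.7\share\a.wav",
    "extended_prop_2": r"\\fileserver01\sounds\ding.wav",
    "extended_prop_3": r"C:\Windows\Media\chimes.wav",
    "extended_prop_4": r"\\files.corp.example\media\x.wav",
    "extended_prop_5": r"\\?\UNC\host.external.example@80\s\x.wav",
}
```

Calling `triage(SAMPLE)` returns only the two entries whose UNC host lies outside the assumed internal ranges and suffixes.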
When the victim’s Outlook client receives the malicious message, it attempts to authenticate itself to the attacker-controlled SMB share using the victim’s NTLM (New Technology LAN Manager, Windows’ Challenge/Response