March 2023 Windows Updates fixed CVE-2023-23397, a vulnerability in Microsoft Outlook that was found to be exploited in the wild since at least January this year. Microsoft revealed very little information but security researcher Dominic Chell of MDSec was quick to figure out what it was about and had a working exploit within hours of Microsoft's update release. Dominic's analysis was released soon thereafter, and POCs started cropping up all over the place.
The vulnerability allows an attacker to send the victim an email such that even without the victim reading this email, Outlook will try to play a notification sound from a file specified in attacker's email (weird, huh?). While the more playful among us would immediately think of rickrolling our friends, serious attackers could use this "feature" to extract victim's NTLM hash from their computer. Specifying a sound file on a network location such as \\attacker.com\hash_collector.mp3 would make user's Outlook send a network request to attacker's server, which would then request authentication, and user's computer would respond with user's NTLM hash. For some reason, this also works with hosts on the Internet, where NTLM hashes are usually not being sent.
The official patch from Microsoft surprisingly didn't just axe this weird feature, but rather limited the location of the notification sound that your email sender wants you to hear to Local Intranet and Trusted Zones - if the supplied path is elsewhere, no sound will be played. This means that an attacker can still make your Outlook send your NTLM hash to any computer in the local network without you being able to prevent that - which is great news for attackers sitting in your network trying to elevate their privileges and become you.
As a workaround in lieu of patching, Microsoft suggested users to "block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares." This mitigation was later found to be incomplete, as Windows automatically try to use WebDAV for accessing remote shares when an SMB connection attempt fails.
While still-supported Microsoft Office versions have already received an official vendor fix for this vulnerability, Office 2010 - which we have security-adopted - is also vulnerable. In order to protect our Office 2010 users, we have created our own micropatch for this vulnerability.
Our patch is different to Microsoft's, as we believe theirs unnecessary leaves an important part of attack surface open. We therefore decided to simply enforce the default notification sound and completely ignore what your sender wanted you to hear. Granted, if your eager admin has set up some custom sound file for Outlook notifications, our patch will play the default notification sound instead of that as well.
This is the source code of our patch. It merely overrides the provided sound file path with "reminder.wav", which is the default value for Outlook reminders.
MODULE_PATH "..\Affected_Mofules\outlook.exe_14.0.7268.5000_Office-2010_64bit\outlook.exe"
PATCH_ID 1322
PATCH_FORMAT_VER 2
VULN_ID 7684
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x51d260
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
code_start
call VAR
dw __utf16__('reminder.wav'), 0 ; The default notification for Outlook 2010
VAR:
pop rsi
code_end
patchlet_end
Micropatch Availability
The micropatch was written for the following security-adopted versions of Office with all available updates installed:
- Microsoft Office 2010
Vulnerabilities like this one get discovered on a regular basis, and attackers know about them. If you're using Office 2010, or soon-to-be-expired Office 2013 that goes out of support in April this year, 0patch will make sure such vulnerabilities won't be exploited on your computers - and you won't even have to know or care about updating.
If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email [email protected] for a trial. Everything else will happen automatically. No computer reboot will be needed.
To learn more about 0patch, please visit our Help Center.We'd like to thank Dominic Chell for sharing their analysis, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.
Article Link: 0patch Blog: Micropatch for Microsoft Outlook Notification File NTLM Hash Theft (CVE-2023-23397)