Comprehensive analysis of initial attack samples exploiting CVE-2023-23397 vulnerability

On March 14, 2023, Microsoft published a blogpost describing an Outlook Client Elevation of Privilege Vulnerability (CVSS: 9.8 CRITICAL). The publication generated a lot of activity among white, grey and black hat researchers, as well as lots of publications and tweets about the vulnerability and its exploitation. Below, we will highlight the key points and then focus on the initial use of this vulnerability by attackers before it became public.

Affected products include all supported versions of Microsoft Outlook for Windows. Other versions of Microsoft Outlook, such as those for Android, iOS, macOS, and Outlook on the web and other MS365 services, are not affected.

The CVE-2023-23397 vulnerability

From a technical point of view, the vulnerability is a critical EoP that is triggered when an attacker sends an Outlook object (task, message, or calendar event) within an extended MAPI property that contains a UNC path to an SMB share on a threat actor-controlled server, resulting in a Net-NTLMv2 hash leak. No user interaction is required. The NTLM leak occurs when the reminder window is displayed, not just when the message is received. However, an already expired reminder will be fired immediately upon receipt of the object!

The connection to the remote SMB server sends the user’s Net-NTLMv2 hash in a negotiation message, which the threat actor can use to either:

  • Relay for authentication against other systems that support NTLMv2 authentication.
  • Perform offline cracking to extract the password.

Note: as these are NTLMv2 hashes, they cannot be leveraged as part of a Pass-the-Hash technique.

The affected Net-NTLMv2 hash belongs to the user currently signed in to the Windows device where the Outlook client application is running, regardless of the identity that received the malicious message. If the user does not dismiss the Outlook reminder/task alert, or if the reminder is recurring (i.e., fires multiple times), the user’s Net-NTLMv2 hash may be leaked multiple times.

The vulnerability fix

The fix in the Outlook client code for CVE-2023-23397 is that Outlook’s PlayReminderSound() now calls IsFileZoneLocalIntranetOrTrusted(), which uses MapUrlToZone() to honor the SMB URI only if it is in a trusted/local zone. This means that a UNC path to an INTRANET/TRUSTED local zone can still be abused even on a patched MS Outlook client (SMB local exploitability should still be possible).

It appears that the implemented fix could be easily bypassed by forging the malicious UNC path with a particular format, then even a patched client could still be vulnerable (feature bypass vulnerability has been assigned CVE-2023-29324 and patched in May 2023) However, the hotfix is still effective on the server side and the exploit vector couldn’t be a CVE-2023-23397 patched Exchange server because it removes the extended MAPI property containing the malicious UNC path on any object in transit.

The WebDAV protocol

In the MS Guidance for investigating attacks using CVE-2023-23397,  there is a note about WebDAV reported below:
“Note: Interaction based on the WebDAV protocol is not at risk of leaking credentials via this exploit technique. While the threat actor infrastructure might request Net-NTLMv2 authentication, Windows will honor the defined internet security zones and will not send (leak) Net-NTLMv2 hashes. In other words, the vulnerability only affects the SMB protocol. If a target device can communicate to threat actor infrastructure over port 445 (SMB), Net-NTLMv2 hashes might be sent; however, if this communication via SMB is not possible, Windows will fall back to leveraging WebDAV. WebDAV will set up a connection with the threat actor infrastructure, but Net-NTLMv2 hashes will not be sent.”

It seems WebDAV already implements proper checks with regard to local intranet/trusted resources, and MS only considers the leak effective when it appears to an external entity. So, the logical assumption should be: “The WebDAV protocol is not at risk of leaking credentials via this exploit technique TO ANY NETWORK EXTERNAL ENTITY”. What about the local exploitability of WebDAV?

UNC paths can also be used to make a WebDAV request to an external domain, either by SMB falling back to WebDAV (if SMB traffic to the internet is blocked or otherwise fails, Windows will fall back to using WebDAV – if available – to try to complete the connection), or by forcing WebDAV by appending “@80” or “@SSL@443” to the host name.

Internal tests appear to confirm that WebDAV is locally abusable by forcing the use of WebDAV through appending @ to the hostname and by using a dotless hostname (considered local network zone by WebDAV); then local exploitability should be possible on a PATCHED client for both SMB and WebDAV.

The samples

Evidence of these vulnerabilities being exploited by an unknown attacker has been made public via the submission of samples to VirusTotal. Some samples submitted to VirusTotal in the past were later found to exploit CVE-2023-23397; others were published after the vulnerability was publicly disclosed.

Three variations of the samples were found on VirusTotal:

  • MSG format (full email with message header) -> provide usage time reference and a supposed target
  • EML format (full email with message header) -> provide usage time reference and a supposed target
  • TNEF format (only TASK attachment in TNEF format) -> NO time reference and NO supposed target

Many initial publications about these samples referred to April 2022 as the first available evidence because the “FirstSeen VT” field on the oldest sample timestamp was 2022-04-14 (with a received timestamp in the mail header on the same day).

However, a later sample appeared (in a different format – TNEF attachment in .eml – that was not detected by the first version of the YARA rule used by VirusTotal) with a “FirstSeen VT” timestamp of 2022-04-01 and a received timestamp in the mail header of 2022-03-18. In any case, the vulnerability was at the disposal of the first attacker for at least a year.

All publicly available samples found range from 2022-03-18 to 2023-03-29 (this is the last timestamp found in a sample related to a real-world exploit attempt by the attacker). All other samples with a “FirstSeen VT” timestamp starting from 2023-03-15 are mainly tests or POCs or just TNEF attachments missing target and reference timestamp details.

Sample list

Timeline of detected samples

  • Target: Government entity – UA

2022-03-18 – лист.eml
VT First Submission 2022-04-01 06:21:07 UTC
UNC path (reminder time set to 2019-05-06 20:00)
Sent by: on 2022-03-18 12:01:09 UTC

Source:: Securelist