In my Exchange 2019 lab, I tested out this exploit and it works which is scary. The POC listed Outlook 2013 and 2016 but it also worked for me on Outlook 2019. If you want to read about this POC, head over to GitHub here:

https://wwwgithub.com/Trackflaw/CVE-2023-23397/tree/main

This article was put together to make you aware that if you do not patch, you will be vulnerable to attacks like these.

In Kali Linux I ran the python script and it sent the malicious appointment as seen below:

Exchange 2019:- cve-2023-23397 exploit (affecting the outlook thick client)
Exchange 2019:- CVE-2023-23397 Exploit (Affecting the Outlook Thick Client) 1

The next step was to create listener to get a call back as seen below:

Exchange 2019:- cve-2023-23397 exploit (affecting the outlook thick client)
Exchange 2019:- CVE-2023-23397 Exploit (Affecting the Outlook Thick Client) 2

In the script I obviously had to do this authenticated as using a fake account and password just failed.

Heading over to Outlook, we can see the malicious appointment that was sent to the Victim user, in our case User1:

Exchange 2019:- cve-2023-23397 exploit (affecting the outlook thick client)
Exchange 2019:- CVE-2023-23397 Exploit (Affecting the Outlook Thick Client) 3

I can modify the information as I wanted to, stating it came from User2 which looked legit, in this case it may be an HR person, you can modify the script as shown below:

Exchange 2019:- cve-2023-23397 exploit (affecting the outlook thick client)
Exchange 2019:- CVE-2023-23397 Exploit (Affecting the Outlook Thick Client) 4

If we head over to User2, nothing is showing as sent for this user even though it looked like it came from them:

Exchange 2019:- cve-2023-23397 exploit (affecting the outlook thick client)
Exchange 2019:- CVE-2023-23397 Exploit (Affecting the Outlook Thick Client) 5

This was tested as mentioned earlier in the article on Outlook 2019 but I also used Outlook 2013 and achieved the same results. I did not show the full attack cycle due to sensitive information disclosure but you get the just of the attack.

Conclusion

This attack steals the Net-NTLM hash of a user, as you can imagine, this is valuable to an attacker. The way to close this vulnerability is to patch your Office product. You can also look at Trends Website for other pointers to prevent this exploit:

https://www.trendmicro.com/en_us/research/23/c/patch-cve-2023-23397-immediately-what-you-need-to-know-and-do.html

Hope it helps.

Discover more from COLLABORATION PRO

Subscribe now to keep reading and get access to the full archive.

Continue reading