In March, Microsoft fixed an interesting vulnerability in Outlook that miscreants exploited to leak victims’ Windows credentials. This week, the IT giant rolled out that fix as part of its monthly Tuesday update.
To remind you of the original error, it was tracked as CVE-2023-23397: It was possible to email someone with a reminder with a custom notification sound. This custom audio can be specified as a URL path within the email.
If the wrong person carefully crafted mail with that audio path set to a remote SMB server, then when Outlook fetches the message and processes it, automatically tracing the path to the file server, it will hand a Net-NTLMv2 hash to the user trying to log in. This will effectively leak the hash to an outside party, who could potentially use the credentials to access other resources like that user, allowing hackers to explore internal network systems, steal documents, impersonate their victim, and so on.
The patch from two months ago made Outlook use Windows functionality MapUrlToZone To check where the notification sound track really points, if it’s online it will be ignored and the default sound will be played. This should have stopped the client from connecting to a remote server and leaking hashes.
It turns out that MapUrlToZone-based protection can be bypassed, which prompted Microsoft to back a fix for it in March in May. The original bug was exploited in the wild, and so when its patch landed, it caught everyone’s attention. This interest helped reveal that the reform was incomplete.
And if left incomplete, anyone who abuses the original bug can use the other vulnerability to get around the original patch. To be clear, it’s not that fix CVE-2023-23397 didn’t work – it did – it wasn’t enough to completely close the custom audio file hole.
This vulnerability is another example of patch checking leading to new vulnerabilities and abuses. He said Ben Parnia of Akamai, who spotted and reported the MapUrlToZone overflow.
Specifically for this vulnerability, adding a single character allows a critical patch to be bypassed.
Crucially, while the first bug was with Outlook, this second issue with MapUrlToZone lies in Microsoft’s implementation of this functionality in the Windows API. Parnia writes that this means that the second patch is not for Outlook but for the underlying MSHTML platform in Windows, and that all versions of the operating system are affected by this bug. The problem is that the maliciously generated route can be passed to MapUrlToZone so that the function determines that the route is not to the external internet when it actually is when the application comes to open the route.
According to Barnea, emails can contain a reminder that includes a custom notification sound specified as a path using a MAPI property extended using PidLidReminderFileParameter.
“An attacker could specify a UNC path that would cause the client to retrieve the audio file from any SMB server,” he explained. As part of the connection to the remote SMB server, a Net-NTLMv2 hash is sent in a negotiation message.
This glitch was bad enough to earn a CVSS severity rating of 9.8 out of 10 and had been exploited by a Russia-bound crew for about a year by the time the fix was released in March. The cyber gang used it in attacks against organizations in European governments as well as transportation, energy and military spaces.
To find a bypass for Microsoft’s original patch, Barnea wanted to craft a route that MapUrlToZone would label as local, intranet, or trusted zone—meaning Outlook could safely follow it—but when passed to the CreateFile function to open it, it would make the OS go to connect to a remote server.
Eventually he found that the bastards could change the URL in reminders, which tricked MapUrlToZone into checking that remote paths were seen as local paths. This can be done with a single keystroke, adding a second “\” to the Universal Naming Convention (UNC) path.
“An unauthenticated attacker on the Internet could use the vulnerability to force an Outlook client to connect to a server controlled by the attacker,” Parnia wrote. “This results in NTLM credentials being stolen. It’s a non-clickable vulnerability, which means it can run without user interaction.”
He added that the problem appears to be “the result of the complex handling of paths in Windows. … We believe this kind of confusion can cause vulnerabilities in other programs that use MapUrlToZone in a user-controlled path and then use a file operation (such as CreateFile or the API similar apps) on the same path.”
glitch, CVE-2023-29324He has a CVSS severity score of 6.5. Microsoft recommends organizations Repair Both this vulnerability – a patch was released as part of Patch Tuesday this week – as well as the previous CVE-2023-23397.
Parnia wrote that he hopes Microsoft will remove the custom reminder sound feature, saying it poses more security risks than any potential value to users.
“It’s a no-click media analysis attack surface that can contain critical memory corruption vulnerabilities,” he wrote. “Given how ubiquitous Windows is, eliminating an attack surface as mature as this could have some very positive effects.” ®