Microsoft this week patched a new vulnerability that could be used to bypass defenses the company put in place in March for a critical vulnerability in Outlook that Russian cyberspies exploited in the wild. This vulnerability allowed attackers to steal NTLM hashes simply by sending specially crafted emails to Outlook users. Exploitation requires no user interaction.
The new vulnerability, patched Tuesday and tracked as CVE-2023-29324, is in the Windows MSHTML platform and can be used to trick a security check that was added as part of the March Outlook patch into treating a path to the Internet as a local one, thereby evading the trusted-zone controls. Microsoft gave the new vulnerability a severity score of 6.5 out of 10 (medium), but the Akamai security team that found the vulnerability believes it should have been rated higher.
“Our research indicates that the new vulnerability re-allows the exploitation of a critical vulnerability that was seen in the wild and used by APT operators,” Akamai researchers told CSO via email. “We still believe our finding is of high severity. In the hands of a malicious actor, it could still have the same consequences as the original Outlook critical bug.”
The original Outlook flaw and the fix
The Outlook vulnerability patched in March is tracked as CVE-2023-23397 and was rated 9.8 out of 10 on the CVSS scale. It is described as an elevation of privilege flaw because attackers can trick the Microsoft Outlook email client, as well as Microsoft Exchange, into automatically contacting a remote server on the Internet over the SMB protocol, which is usually used only on local networks, and leaking NTLM hashes. An NTLM hash is a cryptographic representation of a user’s local Windows credentials and serves as an authentication token for accessing network resources.
Attackers can attempt to crack NTLM hashes offline to recover user passwords, or use them in attacks known as NTLM relay or pass-the-hash, where the captured NTLM hash is passed to another legitimate service to authenticate as the user.
By the time it was fixed, the flaw was already a zero-day because a threat actor known as STRONTIUM, Fancy Bear or APT28, believed to be linked to Russia’s military intelligence agency, the GRU, had already been exploiting it in attacks against government, transport, energy and military organizations in Europe.
The exploit itself involved taking advantage of an Outlook feature that allows users to send email reminders with custom notification sounds. The custom sound is specified as a path using a Messaging Application Programming Interface (MAPI) extended property called PidLidReminderFileParameter. The attackers crafted emails in which this property was set to a specially crafted UNC path that caused the Outlook client to attempt to retrieve the file from a remote SMB server on the Internet. As part of the SMB connection, the client would send the computer’s Net-NTLMv2 hash.
The fix for this issue was to use an MSHTML platform API method called IInternetSecurityManager::MapUrlToZone to better validate the UNC path and determine which security zone it belongs to. If the path leads to a location that is not part of the local, intranet (local area network), or trusted zones, the Outlook client no longer retrieves the custom sound file and plays the default sound instead.
The MSHTML platform is the HTML rendering engine for Internet Explorer 11, and although IE11 has been deprecated, the engine still exists in the Windows WebBrowser control that other applications such as Outlook use to display HTML content.
The MapUrlToZone bypass in Microsoft’s Outlook patch
Akamai security researcher Ben Barnea analyzed Microsoft’s March patch and saw that if MapUrlToZone determines that the UNC path falls in one of the three trusted zones, another function called CreateFile is called to access that path. To bypass the fix, he had to find a path that MapUrlToZone determines is trusted, but that CreateFile still treats as an Internet location and tries to access via SMB.
After testing, he found that paths in the format “\\.\UNC\Akamai.com\file.wav” pass the MapUrlToZone check but are treated as Internet paths by CreateFile. “This problem appears to be the result of complex path handling in Windows,” Barnea said. MapUrlToZone and CreateFile rely on different functions to convert paths. MapUrlToZone calls the CreateUri function, which incorrectly converts the path into one pointing to a directory named UNC at the root of the C: drive, that is, a local directory. CreateFile, however, uses a function called RtlpDosPathNameToRelativeNtPathName to convert the path, and that function converts it to “\??\UNC\Akamai.com\file.wav”. This causes the request to be sent through the Multiple UNC Provider (MUP), which interprets it as an SMB path to the host Akamai.com.
“We believe this type of confusion can cause vulnerabilities in other programs that use MapUrlToZone on a user-controlled path and then use a file operation (such as CreateFile or a similar API) on the same path,” Barnea said in his report. “Furthermore, we cannot rule out other problems that arise in programs that call CreateUri.”
In other words, the Outlook PidLidReminderFileParameter property is just one way to deliver a path to a Windows application for retrieval, but it might not be the only one, since the new vulnerability lies in MapUrlToZone itself.
According to Microsoft, the mitigations for Microsoft Exchange servers already prevent this bypass, but the patch for standalone Outlook clients does not. As a result, the company updated its mitigation guide for the Outlook flaw to require patches for both CVE-2023-23397 and CVE-2023-29324.
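To make the path confusion concrete, here is an added Python example (not code from Akamai, Microsoft, or this article) that canonicalizes a reminder-sound path the way the file API will actually open it and assigns the zone on that canonical form, alongside a naive check that models the CreateUri confusion described above. The zone rules in zone_for_host and the naive_zone model are simplified assumptions, not the real MapUrlToZone or CreateUri logic, and the sample paths are constructed.

```python
import re
from ipaddress import ip_address

# Device-namespace spellings that the Multiple UNC Provider (MUP) still serves:
# \\.\UNC\host\..., \\?\UNC\host\... and the NT form \??\UNC\host\... .
_DEVICE_UNC = re.compile(r'^(?:\\\\[.?]|\\\?\?)\\UNC\\(.*)$', re.IGNORECASE)

def canonical_unc(path):
    """Return (host, remainder) when the path would reach MUP/SMB, else None."""
    p = path.replace('/', '\\')
    m = _DEVICE_UNC.match(p)
    if m:
        rest = m.group(1)
    elif p.startswith('\\\\') and p[2:3] not in ('.', '?'):
        rest = p[2:]                      # plain \\host\share form
    else:
        return None                       # drive letter, relative or \\?\C:\ path
    host, _, tail = rest.partition('\\')
    return (host.lower(), tail) if host else None

def zone_for_host(host, trusted=frozenset()):
    """Simplified zone model (assumption, not the real MapUrlToZone rule set)."""
    if host in trusted:
        return 'trusted'
    try:
        ip = ip_address(host)
        return 'intranet' if ip.is_private or ip.is_loopback else 'internet'
    except ValueError:                    # a name: dot-less names are intranet
        return 'intranet' if '.' not in host else 'internet'

def naive_zone(path):
    r"""Models the CreateUri confusion described above: a \\.\ prefix makes the
    whole path look like a local directory, so the zone check passes."""
    if path.startswith('\\\\.\\'):
        return 'local'
    unc = canonical_unc(path)
    return 'local' if unc is None else zone_for_host(unc[0])

def hardened_zone(path):
    """Zone of the path as the file API will actually open it."""
    unc = canonical_unc(path)
    return 'local' if unc is None else zone_for_host(unc[0])

def allow_reminder_sound(path):
    """Play a custom PidLidReminderFileParameter sound only from local,
    intranet or trusted locations, judged on the canonical UNC form."""
    return hardened_zone(path) in ('local', 'intranet', 'trusted')
```

For the bypass path naive_zone returns local while hardened_zone returns internet, which is exactly the disagreement between MapUrlToZone and CreateFile that the article describes.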
Copyright © 2023 IDG Communications, Inc.
Ikaroa is proud to report that Microsoft has fixed a critical zero-click flaw that required immediate attention. The software giant released a patch on Tuesday that prevents attackers who have already infiltrated a computer system from carrying out further malicious actions in Outlook.
The flaw, discovered in August by cyber security researchers at Volexity, was initially labeled as a critical 0-click exploit by Microsoft. Essentially, attackers with limited access to already hacked systems could manipulate the ‘View In Browser’ feature of Outlook, allowing them to gain full access to an email account with no authentication.
It was considered a particularly dangerous exploit as it was silent and difficult to detect, making it hard to defend against and giving attackers a back door for further malicious activity.
Ikaroa and our experts celebrated this news hoping that this move will help to protect users from the silent attacks that have been quietly making progress across the world.
The vulnerability exists in Outlook’s built-in browser and was identified as CVE-2020-16939. Microsoft’s “security update resolves this vulnerability by reverting the ‘View In Browser’ feature to its previous safe and secure state.”
At Ikaroa, we believe that security patches such as this one are integral to keeping systems safe. We were delighted to hear that Microsoft were able to address this serious vulnerability and compliment their hardworking security team for addressing this issue in a timely and effective manner. We will continue to monitor the situation and update our users as Microsoft patches other security threats.