Outlook Privilege Escalation (CVE-2023-23397)
A new privilege escalation and credential capturing technique for Outlook has been discovered and is actively used to capture password hashes from targeted users.
How to Test for Outlook Privilege Escalation
The exploit requires a targeted user to open and add an appointment .msg file to their Outlook calendar, resulting in privledge escalation and credential capturing.
Preparing For The Test
For this attack to work, SMB (TCP port 445) must be allowed egress from the network that the victim's computer is running on. Your corporate network should have this blocked. If not, you are at significant risk for attacks using techniques like this one, which are very common.
To properly validate the successful exploitation of this vulnerability, it is best to monitor both host-based and network-based firewall controls to see if an outbound connection over port 445 is being attempted.
Open each dashboard or centralized logging solution and setup your monitors prior to executing this test.
Execute The Exploit
Exploit Execution information is reserved for Sprocket clients only.
Recording The Results
If you see an outbound connection on port 445 then the exploit was successful.
Sprocket can assist in determining if the exploitation was successful by telling you if they captured a password hash from the victim's computer. However, most networks should be blocking port 445 egress so you will be the best source to determine if you're vulnerable, regardless of firewall rules.
Delete the meeting from your calendar.
And that's it! You'll now have successfully tested if your assets are exposed to the CVE-2023-23397 vulnerability.