Thursday 5 October 11:30 - 12:00, Red room
Anurag Shandilya (K7 Computing)
Part of the Microsoft Office suite, Outlook is the default email client for businesses of all sizes, used for daily communication as well as calendaring. Unsurprisingly, its market share is reported at around 40%, and with such a large user base it is an obvious target for threat actors seeking initial access to business networks by compromising unsuspecting employees. Further, Outlook's backend is typically Microsoft Exchange Server, which in the recent past has itself borne the brunt of several critical vulnerability exploitation campaigns, from ProxyLogon, exploited by the Hafnium APT, and ProxyShell, to ProxyNotShell, exploited by the Play ransomware group.
Cut to the present: it turns out that Outlook has its own share of critical vulnerabilities. As recently as February 2023, CVE-2023-21716, a heap corruption vulnerability in Microsoft Word's RTF parser that leads to remote code execution, was patched. Outlook's Preview Pane is also an attack vector for this vulnerability, which increases the chances of successful exploitation: an attacker need only trick a victim into previewing a crafted RTF document attached to an email. Although there is no current evidence of in-the-wild exploitation, we believe the risk is significant and deserves researcher attention, since a proof-of-concept exploit is publicly available.
Even more recently, another zero-interaction Outlook vulnerability, CVE-2023-23397, was patched in March 2023. It lies in the way calendar reminders are configured: the reminder's custom sound file property (PidLidReminderFileParameter) can be set to a UNC path, so when the reminder fires Outlook connects to the remote share and authenticates to it, leaking the victim's NTLM (New Technology LAN Manager) authentication hash, which can then be relayed across the network. (Note that this vulnerability has been reported to have been exploited in the wild since April 2022.)
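A triage check for the reminder property described above, added here as an example; it is not code from the talk, from K7 Computing or from Microsoft. The property IDs are the PSETID_Common named-property LIDs defined in MS-OXORMDR. The check assumes that a message's MAPI properties have already been extracted by a separate tool (an MSG parser or an EWS query) into a dict keyed by property ID; the sample messages and the address in them are constructed for illustration.

```python
"""Flag calendar items whose reminder sound file points at a remote UNC path.

Added example (not from the talk or from K7 Computing). Assumes the MAPI
named properties of each message were extracted elsewhere into a dict
keyed by LID; the sample messages below are constructed.
"""
import re

# PSETID_Common named properties (LIDs) from MS-OXORMDR.
PIDLID_REMINDER_SET = 0x8503             # PidLidReminderSet: a reminder is configured
PIDLID_REMINDER_OVERRIDE = 0x851C        # PidLidReminderOverride: honour PlaySound/FileParameter
PIDLID_REMINDER_PLAY_SOUND = 0x851E      # PidLidReminderPlaySound: play a sound when it fires
PIDLID_REMINDER_FILE_PARAMETER = 0x851F  # PidLidReminderFileParameter: the sound file path

# Remote path forms worth flagging: \\host\share, \\?\UNC\host\share and //host/share.
# The host group also captures WebDAV-style forms such as host@SSL@443.
# Local drive-letter paths (C:\...) do not match and are treated as benign.
_REMOTE_PATH_RE = re.compile(
    r"^(?:\\\\\?\\UNC\\|\\\\|//)([^\\/]+)(?=[\\/]|$)", re.IGNORECASE
)


def remote_host(path):
    """Return the host named by a UNC/remote path, or None for local/empty paths."""
    if not path:
        return None
    match = _REMOTE_PATH_RE.match(str(path).strip())
    return match.group(1) if match else None


def triage_reminder(props):
    """Classify one message's reminder properties.

    Any remote sound path is reported as suspicious, whether or not the
    reminder flags are set (a relayed hash is the concern, not the sound).
    'armed' says whether the flags that make Outlook act on the path are set.
    """
    sound_path = props.get(PIDLID_REMINDER_FILE_PARAMETER)
    host = remote_host(sound_path)
    if host is None:
        return {"suspicious": False, "armed": False, "host": None, "path": sound_path}
    armed = all(
        bool(props.get(lid))
        for lid in (PIDLID_REMINDER_SET, PIDLID_REMINDER_OVERRIDE, PIDLID_REMINDER_PLAY_SOUND)
    )
    return {"suspicious": True, "armed": armed, "host": host, "path": sound_path}


def scan_mailbox(messages):
    """Return (message_id, triage) for every message with a remote sound path."""
    findings = []
    for message_id, props in messages.items():
        result = triage_reminder(props)
        if result["suspicious"]:
            findings.append((message_id, result))
    return findings


# Constructed sample mailbox: the 203.0.113.0/24 address is a documentation range.
SAMPLE_MAILBOX = {
    "msg-0001": {  # constructed: reminder armed and pointing at a remote share
        PIDLID_REMINDER_SET: True,
        PIDLID_REMINDER_OVERRIDE: True,
        PIDLID_REMINDER_PLAY_SOUND: True,
        PIDLID_REMINDER_FILE_PARAMETER: r"\\203.0.113.7\sounds\alert.wav",
    },
    "msg-0002": {  # constructed: ordinary local sound file
        PIDLID_REMINDER_SET: True,
        PIDLID_REMINDER_OVERRIDE: True,
        PIDLID_REMINDER_PLAY_SOUND: True,
        PIDLID_REMINDER_FILE_PARAMETER: r"C:\Windows\Media\notify.wav",
    },
    "msg-0003": {  # constructed: no reminder at all
        PIDLID_REMINDER_SET: False,
    },
}

if __name__ == "__main__":
    for message_id, result in scan_mailbox(SAMPLE_MAILBOX):
        print(message_id, result)
```

The scan deliberately does not require the override and play-sound flags before reporting a hit: the flags only say whether the client would act on the path today, and a remote path in this property has no legitimate reason to be there in the first place. A real deployment would feed `triage_reminder` from a mailbox export rather than the constructed dicts.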
Has Pandora's box been opened? Could there be similar, cascading Outlook vulnerabilities yet to be unearthed, as we saw with Exchange Server?
In this paper we explain in detail the exploitation mechanisms of both CVE-2023-23397 and CVE-2023-21716, with working demos of each used as aids during the presentation. We also analyse the TTPs that threat actors have been employing against Outlook (for CVE-2023-23397, at the time of writing). The understanding thus gained is used to project the imminent in-the-wild exploitability of CVE-2023-21716 as well, and to protect proactively against such attacks.
Anurag Shandilya is the Assistant Vulnerability Research Manager at K7 Labs. His areas of research include Windows and IoT vulnerabilities. He has 7+ years of experience in vulnerability research and vulnerability assessment & penetration testing (VAPT), and has recently helped launch K7 VAPT services. He has presented at AVAR (2018, 2020, 2021 and 2022), VB (2019) and CARO (2020) and actively contributes to the K7 Computing blog. His other areas of interest include bug bounties and playing table tennis.