A Microsoft Outlook vulnerability that leaks hashed passwords through malicious calendar invites is one of three Microsoft password-stealing exploits detailed by security researchers on Thursday.
The Outlook and Windows application exploits can be achieved in just one or two clicks, according to researchers from Varonis, which first reported the issues to Microsoft in July 2023.
The Outlook vulnerability, tracked as CVE-2023-35636, received a patch on Dec. 12. The other two reported issues, involving Windows Performance Analyzer (WPA) and Windows File Explorer (WFE), were closed by Microsoft due to “moderate severity,” Varonis researchers said.
“These were not patched; according to Microsoft, this behavior was not considered a vulnerability. However, we see it as a basic legitimate attack vector,” Dvir Sason, security research manager at Varonis, told SC Media.
The Varonis team disclosed the technical details about the exploits for the first time on Thursday, intentionally leaving time for users to apply the relevant December patch.
1-click Outlook vulnerability leaks passwords through calendar function
Accepting a calendar invite on Outlook sometimes involves opening an iCalendar (.ics) file, a format that enables events and other calendar data to be shared and added to one’s own calendar application.
For example, an Outlook user can accept a calendar invitation from a Google Calendar user, and Outlook will retrieve event details from the .ics to add to its own calendar application.
CVE-2023-35636 allows NTLM v2 hashed passwords to be leaked in this calendar-sharing process with the use of malicious email headers that prompt Outlook to send a request to the attacker’s system.
First, the attacker needs to include a header that indicates the “content-class” is “sharing,” and secondly, the attacker needs to include an “x-sharing-config-url” header that directs to an .ics file path on the attacker’s own machine.
If an Outlook user clicks the calendar invite link (with a prompt such as “Open this iCal”), the hashed password is exposed when Outlook attempts to authenticate on the attacker’s machine to retrieve the .ics file.
Hackers can use widely available tools, such as legitimate open-source penetration testing tools, to view the packet containing the victim’s authentication attempt, including the hashed password.
Offline brute-force attacks, in which many passwords are automatically generated and tested against the hash, or authentication relay attacks, in which the victim’s authentication request is forwarded back to the server the attacker is attempting to infiltrate, could be used to leverage the leaked NTLM hash.
After opening the malicious email, the victim only needs to make one click (accepting the calendar invite) for their password to be leaked, setting CVE-2023-35636 apart from the other two issues reported by Varonis.
“We believe one-click weaponization is the difference between a vulnerability that should be patched versus an abuse of functionality that is not considered a vulnerability,” Sason told SC Media, regarding Microsoft’s decision to assign a CVE to this exploit.
A patch for CVE-2023-35636 was included in Microsoft Office and Microsoft 365 updates on Dec. 12. The vulnerability was given a medium-severity CVSS score of 6.5.
While the exact remediation rate for vulnerabilities like CVE-2023-35636 is not known, a 2023 report by Edgescan found that the mean time to remediation for vulnerabilities of critical severity was 65 days.
2 other Windows exploits abuse developer tools, file search
The researchers demonstrated two other methods of stealing hashed passwords using Windows applications, which require more user interaction and were not considered to be vulnerabilities in the applications by Microsoft.
In one case, an attacker could use an https:// web link to redirect to a link with a wpa:// URI handler, which is opened in the software development application Windows Performance Analyzer.
The researchers found that if the wpa:// link directs to a file contained at the attackers IP, an authentication request is sent over the internet to the attacker’s system that leaks the victim’s hashed password.
This attack would require the victim to both click the initial malicious web link and subsequently open WPA when prompted by their browser.
Another similar exploit involves manipulating a victim to click a link that uses search-ms:// — the URI handler for the search function of Explorer.exe in Windows File Manager.
The attacker would need to craft a search-ms:// link that includes a fake search query and uses either the subquery or crumb advanced search parameters to direct the search over the internet to a location on the attacker’s machine. The victim’s hashed password is leaked when Explorer.exe attempts to access this location.
This method also requires two clicks, first on the initial phishing link and then on the in-browser prompt to open Windows Explorer.
The researchers note that this exploit has similar indicators of compromise to CVE-2023-23397, a “zero touch” elevation of privilege vulnerability in Microsoft Outlook that was exploited by the Fancy Bear threat group last year.
“I personally believe these vulnerabilities should be considered medium threats, and organizations should monitor for specific and niche communication protocols egressing towards internal and external addresses – as we demonstrated in our research,” said Sason.
Protecting against NTLM hash attacks
As mentioned, passwords hashed by NTLM v2 can still be used by attackers to gain access to victims’ systems via offline brute forcing and authentication relay.
Therefore, Varonis recommends forcing Kerberos authentication in place of NTLM whenever possible. Kerberos’ use of time-limited, session-specific tickets for authentication protects against brute force and authentication relay tactics.
Blocking outgoing NTLM v2 is also a method that can prevent these exploits; although this option was made available in an insider preview build of Windows 11, it is unclear when or if this will become available for general users, Sason noted.
As always, organizations should stay up to date with all software patches and stay abreast of diverse phishing tactics, such as the calendar invite exploit.
