[CVE-2023-23397] Microsoft Outlook Elevation of Privilege Vulnerability
Tags
attack-pattern:
  Authentication Attempt - T1381
  Credentials - T1589.001
  Ip Addresses - T1590.005
  Malicious File - T1204.002
  Powershell - T1059.001
  Powershell - T1086 (retired ID, superseded by T1059.001)
Common Information
Type | Value
---|---
UUID | 0cf99bb2-0d79-4c55-bd41-2ee7a039a15d
Fingerprint | 368929907c35deaf
Analysis status | DONE
Considered CTI value | 2
Text language | 
Published | May 17, 2023, 12:03 p.m.
Added to db | May 17, 2023, 2:20 p.m.
Last updated | Nov. 17, 2024, 6:54 p.m.
Headline | [CVE-2023-23397] Microsoft Outlook Elevation of Privilege Vulnerability
Title | [CVE-2023-23397] Microsoft Outlook Elevation of Privilege Vulnerability
Detected Hints/Tags/Attributes | 36/1/23
Source URLs
URL Provider: RSS Feed
Id | Enabled | Feed title | Url | Added to db
---|---|---|---|---
167 | ✔ | Cybersecurity on Medium | https://medium.com/feed/tag/cybersecurity | 2024-08-30 22:08
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | CVE | 176 | cve-2023-23397 |
|
Details | Domain | 6 | delivr.to |
|
Details | Domain | 2 | ulikowski.pl |
|
Details | Domain | 2 | interoperability.blob.core.windows.net |
|
Details | Domain | 452 | msrc.microsoft.com |
|
Details | 2 | marcin@ulikowski.pl |
||
Details | File | 6 | attack.ini |
|
Details | File | 173 | outlook.exe |
|
Details | File | 23 | searchprotocolhost.exe |
|
Details | File | 2 | ulikowski.pl |
|
Details | File | 2 | interoperability.blob |
|
Details | sha256 | 3 | 47fee24586cd2858cfff2dd7a4e76dc95eb44c8506791ccc2d59c837786eafe3 |
|
Details | sha256 | 3 | 582442ee950d546744f2fa078adb005853a453e9c7f48c6c770e6322a888c2cf |
|
Details | sha256 | 3 | 6c0087a5cbccb3c776a471774d1df10fe46b0f0eb11db6a32774eb716e1b7909 |
|
Details | sha256 | 3 | 7fb7a2394e03cc4a9186237428a87b16f6bf1b66f2724aea1ec6a56904e5bfad |
|
Details | sha256 | 3 | eedae202980c05697a21a5c995d43e1905c4b25f8ca2fff0c34036bc4fd321fa |
|
Details | sha256 | 2 | e7a1391dd53f349094c1235760ed0642519fd87baf740839817d47488b9aef02 |
|
Details | Url | 2 | https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397 |
|
Details | Url | 4 | https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability |
|
Details | Url | 2 | https://interoperability.blob.core.windows.net/files/ms-oxprops/[ms-oxprops].pdf |
|
Details | Url | 5 | https://msrc.microsoft.com/update-guide/vulnerability/cve-2023-23397 |
|
Details | Yara rule | 2 | rule SUSP_EXPL_Msg_CVE_2023_23397_Mar23 { meta: description = "MSG file with a PidLidReminderFileParameter property, potentially exploiting CVE-2023-23397" author = "delivr.to, modified by Florian Roth, Nils Kuhnert, Arnim Rupp, marcin@ulikowski.pl" date = "2023-03-15" modified = "2023-03-17" score = 60 reference = "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/" hash = "47fee24586cd2858cfff2dd7a4e76dc95eb44c8506791ccc2d59c837786eafe3" hash = "582442ee950d546744f2fa078adb005853a453e9c7f48c6c770e6322a888c2cf" hash = "6c0087a5cbccb3c776a471774d1df10fe46b0f0eb11db6a32774eb716e1b7909" hash = "7fb7a2394e03cc4a9186237428a87b16f6bf1b66f2724aea1ec6a56904e5bfad" hash = "eedae202980c05697a21a5c995d43e1905c4b25f8ca2fff0c34036bc4fd321fa" strings: $psetid_app = { 02 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46 } $psetid_meeting = { 90 DA D8 6E 0B 45 1B 10 98 DA 00 AA 00 3F 13 05 } $psetid_task = { 03 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46 } $rfp = { 1F 85 00 00 } $u1 = { 00 00 5C 00 5C 00 } $fp_msi1 = { 84 10 0C 00 00 00 00 00 C0 00 00 00 00 00 00 46 } condition: uint32be(0) == 0xD0CF11E0 and uint32be(4) == 0xA1B11AE1 and 1 of ($psetid*) and $rfp and $u1 and not 1 of ($fp*) } |
|
Details | Yara rule | 2 | rule EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23 { meta: description = "Detects suspicious .msg file with a PidLidReminderFileParameter property exploiting CVE-2023-23397 (modified delivr.to rule - more specific = less FPs but limited to exfil using IP addresses, not FQDNs)" author = "delivr.to, Florian Roth, Nils Kuhnert, Arnim Rupp, marcin@ulikowski.pl" date = "2023-03-15" modified = "2023-03-18" score = 75 reference = "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/" hash = "47fee24586cd2858cfff2dd7a4e76dc95eb44c8506791ccc2d59c837786eafe3" hash = "582442ee950d546744f2fa078adb005853a453e9c7f48c6c770e6322a888c2cf" hash = "6c0087a5cbccb3c776a471774d1df10fe46b0f0eb11db6a32774eb716e1b7909" hash = "7fb7a2394e03cc4a9186237428a87b16f6bf1b66f2724aea1ec6a56904e5bfad" hash = "eedae202980c05697a21a5c995d43e1905c4b25f8ca2fff0c34036bc4fd321fa" hash = "e7a1391dd53f349094c1235760ed0642519fd87baf740839817d47488b9aef02" strings: $psetid_app = { 02 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46 } $psetid_meeting = { 90 DA D8 6E 0B 45 1B 10 98 DA 00 AA 00 3F 13 05 } $psetid_task = { 03 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46 } $rfp = { 1F 85 00 00 } $u1 = { 5C 00 5C 00 ( 3? 00 2E | 3? 00 3? 00 2E | 3? 00 3? 00 3? 00 2E ) 00 ( 3? 00 2E | 3? 00 3? 00 2E | 3? 00 3? 00 3? 00 2E ) 00 ( 3? 00 2E | 3? 00 3? 00 2E | 3? 00 3? 00 3? 00 2E ) 00 ( 3? 00 3? 00 3? 00 | 3? 00 3? 00 | 3? 00 ) } $u2 = { 00 5C 5C ( 3? 2E | 3? 3? 2E | 3? 3? 3? 2E ) ( 3? 2E | 3? 3? 2E | 3? 3? 3? 2E ) ( 3? 2E | 3? 3? 2E | 3? 3? 3? 2E ) ( 3? 3? 3? | 3? 3? | 3? ) } $fp_msi1 = { 84 10 0C 00 00 00 00 00 C0 00 00 00 00 00 00 46 } condition: (uint16(0) == 0xCFD0 and 1 of ($psetid*) or uint32be(0) == 0x789F3E22) and any of ($u*) and $rfp and not 1 of ($fp*) } |