
Generates meeting requests taking advantage of CVE-2023-23397. This requires the Outlook thick client to send.


whogotpwned/CVE-2023-23397_EXPLOIT

 
 


CVE-2023-23397 MS Outlook Vulnerability Exploitation

CVE-2023-23397 is a vulnerability in Microsoft Outlook that allows an attacker to potentially exfiltrate user authentication details. It stems from the attacker's ability to specify a Universal Naming Convention (UNC) path in the "ReminderSoundFile" property of an email or meeting invite. When the reminder triggers in Outlook, the user's client attempts to load the sound file from that path. If Outlook initiates an SMB connection to a remote SMB server, the attacker may be able to intercept the user's Net-NTLMv2 hash and relay it to authenticate as the user.

This GitHub project contains a proof-of-concept (PoC) Python script to demonstrate the exploitation of this vulnerability. The PoC is based on concepts from Dominic Chell's MDSec post "Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability" and ports these concepts to Python using the win32com.client library.

Usage

  1. Clone the repository and navigate to the project directory.
  2. Replace the BAD_ADDRESS variable in the cve-2023-23397.py script with the desired UNC path for the external resource.
    • The UNC path can also be used to make a WebDAV request to an external domain by appending "@80" or "@SSL@443" to the hostname or IP address.
  3. Set the MEETING_RECIPIENTS and other variables as needed.
  4. Run the cve-2023-23397.py script to send the meeting request and exploit the vulnerability.
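
A defender's check for the "ReminderSoundFile" values described above, as an added example that is not part of this repository: it classifies a reminder sound path as local, remote SMB, or remote WebDAV (the "@80" / "@SSL@443" forms from step 2). The function names, the item dictionary layout, the default WebDAV port when none is given, and the sample items are assumptions constructed for illustration; how the property is exported from mailboxes is not covered.

```python
import re
from typing import NamedTuple, Optional

# \\host[@SSL][@port]\share\...  (forward slashes accepted to stay conservative)
_UNC = re.compile(r"^(?:\\\\|//)(?P<host>[^\\/@]+)(?P<suffix>(?:@[^\\/@]+)*)(?:[\\/]|$)")
_LONG_UNC = "\\\\?\\UNC\\"          # long-path form of a UNC path
_NOT_REMOTE = {".", "?", "localhost", "127.0.0.1"}

class Finding(NamedTuple):
    host: str
    transport: str  # "smb" or "webdav"
    port: int

def classify_reminder_path(value: Optional[str]) -> Optional[Finding]:
    """Return a Finding if a reminder sound path would be fetched from a remote host."""
    path = (value or "").strip()
    if path.upper().startswith(_LONG_UNC):
        path = "\\\\" + path[len(_LONG_UNC):]
    m = _UNC.match(path)
    if not m or m.group("host").lower() in _NOT_REMOTE:
        return None  # drive-letter, relative or device path: read locally
    host, parts = m.group("host").lower(), m.group("suffix").split("@")[1:]
    if not parts:
        return Finding(host, "smb", 445)
    ssl = any(p.upper() == "SSL" for p in parts)
    # Assumption: with no explicit port, report 443 for the SSL form, else 80.
    port = next((int(p) for p in parts if p.isdecimal()), 443 if ssl else 80)
    return Finding(host, "webdav", port)

def scan(items):
    """Return (subject, Finding) for every item whose reminder path is remote."""
    return [(i["subject"], f) for i in items
            if (f := classify_reminder_path(i.get("reminder_sound_file")))]

# Constructed sample items; hosts use documentation-reserved addresses and names.
SAMPLE_ITEMS = [
    {"subject": "Weekly sync", "reminder_sound_file": r"C:\Windows\Media\chimes.wav"},
    {"subject": "Budget review", "reminder_sound_file": r"\\192.0.2.10\share\r.wav"},
    {"subject": "Offsite", "reminder_sound_file": r"\\files.example.test@SSL@443\d\r.wav"},
    {"subject": "1:1", "reminder_sound_file": None},
]

if __name__ == "__main__":
    for subject, finding in scan(SAMPLE_ITEMS):
        print(f"{subject!r}: {finding.transport} -> {finding.host}:{finding.port}")
```

Any item the scan returns carries a reminder path that makes the client reach out to another host, which is the condition to triage on patched and unpatched clients alike.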

Note

This script uses the win32com.client library, which is Windows-specific and requires the pywin32 package. Install it using pip install pywin32 before running the script.

Disclaimer

This project is for educational and research purposes only. The authors and contributors are not responsible for any misuse or damage caused by the exploitation of this vulnerability. Please use responsibly and ensure you have proper authorization before testing.


Languages

  • Python 100.0%