https://github.com/ka7ana/cve-2023-23397
Simple PoC in PowerShell for CVE-2023-23397
- Host: GitHub
- URL: https://github.com/ka7ana/cve-2023-23397
- Owner: ka7ana
- Created: 2023-03-16T19:10:37.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2023-03-16T19:29:49.000Z (almost 2 years ago)
- Last Synced: 2024-09-28T04:21:08.249Z (3 months ago)
- Topics: cve-2023-23397, infosec, outlook, poc, powershell, powershell-script, proof-of-concept, vulnerability, windows
- Language: PowerShell
- Homepage:
- Size: 5.86 KB
- Stars: 41
- Watchers: 2
- Forks: 11
- Open Issues: 1
Metadata Files:
- Readme: README.md
README
# A Simple PoC in PowerShell for CVE-2023-23397
CVE-2023-23397 is a vulnerability in MS Outlook that allows an attacker to potentially exfiltrate user authentication details. The vulnerability relates to the ability for an attacker to specify a UNC path in the "ReminderSoundFile" property within an email/meeting invite: when the reminder triggers in Outlook, the user's Outlook client attempts to load the sound file specified in the path. If Outlook attempts to initiate an SMB connection to a remote SMB server, it might be possible for the attacker to intercept the user's Net-NTLMv2 hash and relay this to authenticate as the user.
The PoC is based on Dominic Chell's MDSec post (https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/), porting the concepts to PowerShell.
Note that the UNC path can also be used to make a WebDAV request to an external domain, either by appending "@80" or "@SSL@443" to the host name, as per n00py's blog post: https://www.n00py.io/2019/06/understanding-unc-paths-smb-and-webdav/
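For defenders triaging reminder sound-file values, the following added example (not code from this repository or from the MDSec post) classifies a path as non-UNC, UNC over SMB, or UNC over WebDAV using the "@80" / "@SSL@443" host suffixes described above. The function name `Get-ReminderPathRisk`, the output field names and the sample paths are assumptions made for illustration.

```powershell
# Added example: classify a reminder sound-file path value for triage.
# Function name, field names and sample inputs are constructed.
function Get-ReminderPathRisk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Path
    )
    process {
        $r = [ordered]@{ Path = $Path; IsUnc = $false; Server = $null; Transport = 'not-unc'; Port = $null }
        # Windows accepts forward slashes in UNC paths, so normalise first
        $normalized = $Path.Trim() -replace '/', '\'
        if ($normalized -match '^\\\\(?<authority>[^\\]+)') {
            $r.IsUnc = $true
            $authority = $Matches['authority']
            # Host part may carry a WebDAV selector: name[@SSL][@port]
            if ($authority -match '^(?<name>[^@]+)(?<ssl>@SSL)?(?:@(?<port>\d{1,5}))?$') {
                $r.Server = $Matches['name']
                $port = $Matches['port']
                if ($Matches['ssl']) {
                    # "@SSL" (optionally with a port) means WebDAV over HTTPS
                    $r.Transport = 'webdav-https'
                    $r.Port = if ($port) { [int]$port } else { 443 }
                } elseif ($port) {
                    # A bare "@port" such as "@80" means WebDAV over HTTP
                    $r.Transport = 'webdav-http'
                    $r.Port = [int]$port
                } else {
                    # Plain \\host\share is resolved over SMB
                    $r.Transport = 'smb'
                    $r.Port = 445
                }
            } else {
                # Suffix does not fit a known form: surface it for manual review
                $r.Server = $authority
                $r.Transport = 'unrecognised'
            }
        }
        [pscustomobject]$r
    }
}

# Constructed sample values using reserved example host names
'C:\Windows\Media\reminder.wav',
'\\files.example.test\share\sound.wav',
'\\dav.example.test@80\share\sound.wav',
'\\dav.example.test@SSL@443\share\sound.wav' |
    Get-ReminderPathRisk | Format-Table -AutoSize
```

Any row with `IsUnc` set to true is worth reviewing, since a reminder sound normally resolves to a local file.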