Merge pull request #354 from aleff-github/patch-68
Defend Yourself From CVE-2023-23397pull/464/head
commit
4fb883c8ee
|
@ -0,0 +1,115 @@
|
|||
# Defend Yourself From CVE-2023-23397
|
||||
|
||||
This script allows you to set the Firewall rule that will allow you to defend against CVE-2023-23397.
|
||||
|
||||
**Category**: Incident-Response
|
||||
|
||||
*I decided to set Credentials as the category because of the type of CVE.*
|
||||
|
||||
## Index
|
||||
|
||||
- [Defend Yourself From CVE-2023-23397](#defend-yourself-from-cve-2023-23397)
|
||||
- [Payload Description](#payload-description)
|
||||
- [CVE-2023-23397 Description](#cve-2023-23397-description)
|
||||
- [Summary](#summary)
|
||||
- [Impacted Products](#impacted-products)
|
||||
- [Technical Details](#technical-details)
|
||||
- [Note](#note)
|
||||
- [Dependencies](#dependencies)
|
||||
- [Settings](#settings)
|
||||
- [Administrative Privileges](#administrative-privileges)
|
||||
- [Set the rule](#set-the-rule)
|
||||
- [See the new rule](#see-the-new-rule)
|
||||
- [Remove the rule](#remove-the-rule)
|
||||
- [Credits](#credits)
|
||||
|
||||
## Payload Description
|
||||
|
||||
This script allows you to set the Firewall rule that will allow you to defend against CVE-2023-23397.
|
||||
|
||||
Open a PowerShell, set the Firewall rule trough NetSecurity module.
|
||||
|
||||
![](docs/2.png)
|
||||
|
||||
## CVE-2023-23397 Description
|
||||
|
||||
### Summary
|
||||
|
||||
Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft to an untrusted network, such as the Internet. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure.
|
||||
|
||||
### Impacted Products
|
||||
|
||||
All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.
|
||||
|
||||
### Technical Details
|
||||
|
||||
CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server on an untrusted network. No user interaction is required.
|
||||
|
||||
The threat actor is using a connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication.
|
||||
|
||||
**Source**: https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
|
||||
|
||||
## Note
|
||||
|
||||
Tested on:
|
||||
- Windows 11 Eng
|
||||
|
||||
## Dependencies
|
||||
|
||||
* ExecutionPolicy Bypass
|
||||
* PayloadStudio 1.3.1
|
||||
|
||||
## Settings
|
||||
|
||||
In this payload, I created a new firewall rule called "CVE-2023-23397". The direction is set to "Outbound," the action is "Block" (block traffic), the protocol is "TCP," and the remote port is 445 (SMB). Next, the rule is enabled using the Enable-NetFirewallRule cmdlet by specifying the name of the previously created rule.
|
||||
|
||||
Remember that you must run PowerShell with administrative privileges to create and manage firewall rules.
|
||||
|
||||
### Administrative Privileges
|
||||
|
||||
- I used the Payload [Starting a PowerShell with administrator permissions in Windows 10/11](https://github.com/hak5/usbrubberducky-payloads/tree/master/payloads/library/execution/Starting_a_PowerShell_with_administrator_permissions_in_Windows) by Hak5 Payloads
|
||||
|
||||
```
|
||||
DELAY 1000
|
||||
GUI x
|
||||
DELAY 500
|
||||
STRING a
|
||||
DELAY 500
|
||||
LEFT_ARROW
|
||||
DELAY 500
|
||||
ENTER
|
||||
```
|
||||
|
||||
### Set the rule
|
||||
|
||||
![](docs/1.png)
|
||||
|
||||
### See the new rule
|
||||
|
||||
![](docs/2.png)
|
||||
|
||||
### Remove the rule
|
||||
|
||||
![](docs/3.png)
|
||||
|
||||
## Credits
|
||||
|
||||
<h2 align="center"> Aleff :octocat: </h2>
|
||||
<div align=center>
|
||||
<table>
|
||||
<tr>
|
||||
<td align="center" width="96">
|
||||
<a href="https://github.com/aleff-github">
|
||||
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
|
||||
</a>
|
||||
<br>Github
|
||||
</td>
|
||||
<td align="center" width="96">
|
||||
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
|
||||
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
|
||||
</a>
|
||||
<br>Linkedin
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
Binary file not shown.
After Width: | Height: | Size: 24 KiB |
Binary file not shown.
After Width: | Height: | Size: 73 KiB |
Binary file not shown.
After Width: | Height: | Size: 26 KiB |
|
@ -0,0 +1,92 @@
|
|||
REM ########################################################
|
||||
REM # |
|
||||
REM # Title : Defend Yourself From CVE-2023-23397 |
|
||||
REM # Author : Aleff |
|
||||
REM # Version : 1.0 |
|
||||
REM # Category : Incident-Response |
|
||||
REM # Target : Windows 10/11 |
|
||||
REM # |
|
||||
REM ########################################################
|
||||
|
||||
REM PlugAndPlay <3
|
||||
|
||||
REM Requirements:
|
||||
REM - ExecutionPolicy Bypass
|
||||
REM - PayloadStudio 1.3.1
|
||||
|
||||
REM Impacted Products:
|
||||
REM - All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.
|
||||
|
||||
REM Mitigation:
|
||||
REM - Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
|
||||
REM Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
|
||||
|
||||
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||
REM VERSION 1.1
|
||||
REM AUTHOR: Korben
|
||||
|
||||
REM_BLOCK DOCUMENTATION
|
||||
Windows fully passive OS Detection and passive Detect Ready
|
||||
Includes its own passive detect ready.
|
||||
Does not require additional extensions.
|
||||
|
||||
USAGE:
|
||||
Extension runs inline (here)
|
||||
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||
boot delay
|
||||
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||
See end of payload for usage within payload
|
||||
END_REM
|
||||
|
||||
REM CONFIGURATION:
|
||||
DEFINE #MAX_WAIT 150
|
||||
DEFINE #CHECK_INTERVAL 20
|
||||
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||
DEFINE #NOT_WINDOWS 7
|
||||
|
||||
$_OS = #NOT_WINDOWS
|
||||
|
||||
VAR $MAX_TRIES = #MAX_WAIT
|
||||
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||
DELAY #CHECK_INTERVAL
|
||||
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||
END_WHILE
|
||||
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||
$_OS = WINDOWS
|
||||
END_IF
|
||||
|
||||
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
|
||||
IF ($_OS == WINDOWS) THEN
|
||||
STRING HELLO WINDOWS!
|
||||
ELSE
|
||||
STRING HELLO WORLD!
|
||||
END_IF
|
||||
END_REM
|
||||
END_EXTENSION
|
||||
|
||||
GUI x
|
||||
DELAY 500
|
||||
STRING a
|
||||
DELAY 500
|
||||
LEFTARROW
|
||||
DELAY 500
|
||||
ENTER
|
||||
|
||||
REM Import NetSecurity module
|
||||
STRINGLN Import-Module NetSecurity
|
||||
|
||||
REM Create a new firewall rule for blocking outgoing connections on port 445
|
||||
STRINGLN
|
||||
$rule = New-NetFirewallRule -DisplayName "CVE-2023-23397" `
|
||||
-Direction Outbound `
|
||||
-Action Block `
|
||||
-Protocol TCP `
|
||||
-RemotePort 445
|
||||
END_STRINGLN
|
||||
|
||||
REM Enable firewall rule
|
||||
STRINGLN Enable-NetFirewallRule -Name $rule.Name
|
||||
DELAY 500
|
||||
|
||||
REM See your new rule
|
||||
STRINGLN Get-NetFirewallRule | Where-Object { $_.DisplayName -eq "CVE-2023-23397" }
|
Loading…
Reference in New Issue