Merge pull request #354 from aleff-github/patch-68

Defend Yourself From CVE-2023-23397
pull/464/head
Peaks 2024-07-09 09:45:15 -04:00 committed by GitHub
commit 4fb883c8ee
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 207 additions and 0 deletions

View File

@ -0,0 +1,115 @@
# Defend Yourself From CVE-2023-23397
This script allows you to set the Firewall rule that will allow you to defend against CVE-2023-23397.
**Category**: Incident-Response
*I decided to set Credentials as the category because of the type of CVE.*
## Index
- [Defend Yourself From CVE-2023-23397](#defend-yourself-from-cve-2023-23397)
- [Payload Description](#payload-description)
- [CVE-2023-23397 Description](#cve-2023-23397-description)
- [Summary](#summary)
- [Impacted Products](#impacted-products)
- [Technical Details](#technical-details)
- [Note](#note)
- [Dependencies](#dependencies)
- [Settings](#settings)
- [Administrative Privileges](#administrative-privileges)
- [Set the rule](#set-the-rule)
- [See the new rule](#see-the-new-rule)
- [Remove the rule](#remove-the-rule)
- [Credits](#credits)
## Payload Description
This script allows you to set the Firewall rule that will allow you to defend against CVE-2023-23397.
Open a PowerShell, set the Firewall rule trough NetSecurity module.
![](docs/2.png)
## CVE-2023-23397 Description
### Summary
Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft to an untrusted network, such as the Internet. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure.
### Impacted Products
All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.
### Technical Details
CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server on an untrusted network. No user interaction is required.
The threat actor is using a connection to the remote SMB server sends the users NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication.
**Source**: https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
## Note
Tested on:
- Windows 11 Eng
## Dependencies
* ExecutionPolicy Bypass
* PayloadStudio 1.3.1
## Settings
In this payload, I created a new firewall rule called "CVE-2023-23397". The direction is set to "Outbound," the action is "Block" (block traffic), the protocol is "TCP," and the remote port is 445 (SMB). Next, the rule is enabled using the Enable-NetFirewallRule cmdlet by specifying the name of the previously created rule.
Remember that you must run PowerShell with administrative privileges to create and manage firewall rules.
### Administrative Privileges
- I used the Payload [Starting a PowerShell with administrator permissions in Windows 10/11](https://github.com/hak5/usbrubberducky-payloads/tree/master/payloads/library/execution/Starting_a_PowerShell_with_administrator_permissions_in_Windows) by Hak5 Payloads
```
DELAY 1000
GUI x
DELAY 500
STRING a
DELAY 500
LEFT_ARROW
DELAY 500
ENTER
```
### Set the rule
![](docs/1.png)
### See the new rule
![](docs/2.png)
### Remove the rule
![](docs/3.png)
## Credits
<h2 align="center"> Aleff :octocat: </h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://github.com/aleff-github">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/github.png?raw=true width="48" height="48" />
</a>
<br>Github
</td>
<td align="center" width="96">
<a href="https://www.linkedin.com/in/alessandro-greco-aka-aleff/">
<img src=https://github.com/aleff-github/aleff-github/blob/main/img/linkedin.png?raw=true width="48" height="48" />
</a>
<br>Linkedin
</td>
</tr>
</table>
</div>

Binary file not shown.

After

Width:  |  Height:  |  Size: 24 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 73 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 26 KiB

View File

@ -0,0 +1,92 @@
REM ########################################################
REM # |
REM # Title : Defend Yourself From CVE-2023-23397 |
REM # Author : Aleff |
REM # Version : 1.0 |
REM # Category : Incident-Response |
REM # Target : Windows 10/11 |
REM # |
REM ########################################################
REM PlugAndPlay <3
REM Requirements:
REM - ExecutionPolicy Bypass
REM - PayloadStudio 1.3.1
REM Impacted Products:
REM - All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.
REM Mitigation:
REM - Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
REM Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM
REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7
$_OS = #NOT_WINDOWS
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
GUI x
DELAY 500
STRING a
DELAY 500
LEFTARROW
DELAY 500
ENTER
REM Import NetSecurity module
STRINGLN Import-Module NetSecurity
REM Create a new firewall rule for blocking outgoing connections on port 445
STRINGLN
$rule = New-NetFirewallRule -DisplayName "CVE-2023-23397" `
-Direction Outbound `
-Action Block `
-Protocol TCP `
-RemotePort 445
END_STRINGLN
REM Enable firewall rule
STRINGLN Enable-NetFirewallRule -Name $rule.Name
DELAY 500
REM See your new rule
STRINGLN Get-NetFirewallRule | Where-Object { $_.DisplayName -eq "CVE-2023-23397" }