Why Microsoft just patched a patch that squashed an under-attack Outlook bug
Let's take a quick dive into Windows API
Microsoft in March fixed an interesting security hole in Outlook that was exploited by miscreants to leak victims' Windows credentials. This week the IT giant fixed that fix as part of its monthly Patch Tuesday update.
To remind you of the original bug, tracked as CVE-2023-23397: it was possible to send someone an email that included a reminder with a custom notification sound. That custom sound could be specified as a URL path within the email.
If a miscreant carefully crafted a mail with that sound path set to a remote SMB server, when Outlook fetched and processed the message, and automatically followed the path to the file server, it would hand over the user's Net-NTLMv2 hash in an attempt to log in. That would effectively leak the hash to an outside party, who could potentially use the credential to access other resources as that user, allowing the intruder to explore internal network systems, steal documents, impersonate their victim, and so on.
The patch from a couple of months ago made Outlook use the Windows function MapUrlToZone to inspect where a notification sound path was really pointing, and if it was out to the internet, it would be ignored and the default sound would play. That should have stopped the client connecting to a remote server and leaking hashes.
It turned out this MapUrlToZone-based protection could be bypassed, prompting Microsoft to have to shore up its March fix in May. The original bug was being exploited in the wild, and so when the patch for it landed, it got everyone's attention. And that attention helped reveal that the fix was incomplete.
And if it was left incomplete, whoever was abusing the original bug could use the other vulnerability to get around the original patch. So to be clear, it's not that the fix for CVE-2023-23397 didn't work – it did – it just wasn't enough to totally shut the custom sound file hole.
"This vulnerability is yet another example of patch scrutinizing leading to new vulnerabilities and bypasses," said Akamai's Ben Barnea, who spotted and reported the MapUrlToZone bypass.
"Specifically for this vulnerability, the addition of one character allows for a critical patch bypass."
Crucially, while the first bug was in Outlook, this second issue with MapUrlToZone lies in Microsoft's implementation of that function in the Windows API. That means the second patch is not for Outlook but for the underlying MSHTML platform in Windows, and all versions of the OS are affected by that bug, Barnea wrote. The problem is that a maliciously constructed path can be passed to MapUrlToZone so that the function determines the path is not to the external internet when it really is when the application comes to open the path.
According to Barnea, emails can contain a reminder that includes a custom notification sound specified as a path using an extended MAPI property using PidLidReminderFileParameter.
"An attacker can specify a UNC path that would cause the client to retrieve the sound file from any SMB server," he explained. "As part of the connection to the remote SMB server, the Net-NTLMv2 hash is sent in a negotiation message."
That flaw was bad enough to earn a CVSS severity rating of 9.8 out of 10 and had been exploited by a Russia-linked crew for about a year by the time the fix was issued in March. The cyber-gang used it in attacks against organizations in European governments as well as transportation, energy, and military spaces.
- Apple pushes first-ever 'rapid' patch – and rapidly screws up
- It's official: BlackLotus malware can bypass Secure Boot on Windows machines
- Mirai botnet loves exploiting your unpatched TP-Link routers, CISA warns
To find a bypass for Microsoft's original patch, Barnea wanted to craft a path that MapUrlToZone would label as local, intranet, or a trusted zone – meaning Outlook could safely follow it – but when passed to the CreateFile function to open, would make the OS go connect to a remote server.
Eventually he found that miscreants could change the URL in reminder messages, which duped MapUrlToZone checks into seeing remote paths as local ones. And it could be done with a single keystroke, adding a second '\' to the universal naming convention (UNC) path.
"An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server," Barnea wrote. "This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction."
He added that the problem appears to be the "result of the complex handling of paths in Windows. … We believe this kind of confusion can potentially cause vulnerabilities in other programs that use MapUrlToZone on a user-controlled path and then use a file operation (such as CreateFile or a similar API) on the same path."
The flaw, CVE-2023-29324, has a CVSS severity score of 6.5. Microsoft is recommending organizations fix both that vulnerability – a patch was issued as part of Patch Tuesday this week – as well as the earlier CVE-2023-23397.
Barnea wrote that he hoped Microsoft will remove the custom reminder sound feature, saying it poses more security risks than any potential value to users.
"It is a zero-click media parsing attack surface that could potentially contain critical memory corruption vulnerabilities," he wrote. "Considering how ubiquitous Windows is, eliminating an attack surface as ripe as this is could have some very positive effects." ®