Today saw Microsoft patch an interesting vulnerability in Microsoft Outlook. The vulnerability is described as follows:

Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the user.

However, no specific details were provided on how to exploit the vulnerability.

At MDSec, we're continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations. Having recently given a talk on leveraging NTLM relaying during red team engagements at FiestaCon, this vulnerability particularly stood out to me and warranted further analysis.

While no particular details were provided, Microsoft did provide a script to audit your Exchange server for mail items that might be used to exploit the issue. Review of the audit script reveals it is specifically looking for the PidLidReminderFileParameter property inside the mail items and offers the option to “clean” it if found.

Diving into what this property is, we find the following definition:

This property controls what filename should be played by the Outlook client when the reminder for the mail item is triggered.

This is of course particularly interesting as it implies that the property accepts a filename, which of course could potentially be a UNC path in order to trigger the NTLM authentication.

Following further analysis of the available properties, we also note the PidLidReminderOverride property which is described as follows:
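The audit logic described above, as an added example that is not the post's or Microsoft's own script: it works on already-extracted named properties (constructed sample items, placeholder hosts), flags any PidLidReminderFileParameter value that names a remote UNC location rather than a local file, and optionally removes the property the way the audit script's clean option does.

```python
import re
from typing import Dict, List, Optional

# MAPI named property discussed above: the sound file Outlook plays when a reminder fires.
REMINDER_FILE_PARAM = "PidLidReminderFileParameter"

# UNC forms: \\host\share\..., \\?\UNC\host\share\..., and the forward-slash //host/share/...
_UNC_RE = re.compile(
    r"^(?:\\\\\?\\UNC\\|\\\\|//)(?P<host>[^\\/]+)(?:[\\/](?P<rest>.*))?$",
    re.IGNORECASE,
)


def unc_host(path: str) -> Optional[str]:
    """Return the remote host named by a UNC path, or None for a local path."""
    m = _UNC_RE.match(path.strip())
    return m.group("host") if m else None


def audit_items(items: List[Dict[str, str]], clean: bool = False) -> List[Dict[str, str]]:
    """Flag mail items whose reminder sound points at a remote (UNC) location.

    With clean=True the property is deleted from each flagged item, so a later
    reminder cannot reach out to the remote host. Returns one record per hit.
    """
    flagged = []
    for item in items:
        value = item.get(REMINDER_FILE_PARAM)
        if value is None:
            continue
        host = unc_host(value)
        if host is None:
            continue  # local path such as C:\Windows\Media\...: benign for this check
        flagged.append({"subject": item.get("subject", ""), "host": host, "value": value})
        if clean:
            del item[REMINDER_FILE_PARAM]
    return flagged


# Constructed sample items (not real mail data); hosts are documentation placeholders.
SAMPLE_ITEMS = [
    {"subject": "Team sync", REMINDER_FILE_PARAM: r"C:\Windows\Media\reminder.wav"},
    {"subject": "Invoice", REMINDER_FILE_PARAM: r"\\203.0.113.10\share\sound.wav"},
    {"subject": "Newsletter"},
    {"subject": "Status", REMINDER_FILE_PARAM: r"\\?\UNC\files.example.invalid\s\a.wav"},
]

if __name__ == "__main__":
    for hit in audit_items([dict(i) for i in SAMPLE_ITEMS]):
        print(f"{hit['subject']!r}: reminder sound on remote host {hit['host']}")
```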