In recent news, Microsoft has fixed a vulnerability that could have been used to bypass defenses the company implemented in March for a critical vulnerability that Russian cyberspies had exploited in the wild. This vulnerability had allowed attackers to steal NTLM hashes just by sending specifically crafted emails to Outlook users and it required no user interaction.

The new vulnerability, tracked as CVE-2023-29324 and patched on Tuesday, is in the Windows MSHTML Platform and can be used to trick a security check used as part of the March Outlook vulnerability patch to think that a path on the internet is a local one. This way, the vulnerability evades trust zone checks. Although Microsoft rated the new vulnerability with 6.5 out of 10 (medium) severity score, the security team from Akamai who found the vulnerability believes it should have been rated higher.

Akamai researchers told CSO that “our research indicates that the new vulnerability re-enables the exploitation of a critical vulnerability that was seen in the wild and used by APT operators. We still believe our finding is of high severity. In the hands of a malicious actor, it could still have the same consequences as the critical original Outlook bug.”

The Outlook vulnerability that was patched in March was rated 9.8 out of 10 on the CVSS scale and allowed attackers to trick the Microsoft Outlook email client as well as Microsoft Exchange and automatically reach out to a remote server on the internet using the SMB protocol. This vulnerability leaked NTLM hashes, which are cryptographic representations of a user’s local Windows credentials, and served as an authentication token to access network resources.

Attackers could try to crack NTLM hashes offline and recover user passwords or use them in attacks known as NTLM relay or pass-the-hash, where the captured NTLM hash is passed to another legitimate service to authenticate as the user. In March, STRONTIUM, Fancy Bear, or APT28, a threat actor believed to be tied to Russia’s military intelligence agency, had already been exploiting the flaw in attacks against government, transportation, energy, and military organizations in Europe.

The exploit itself consisted of leveraging a feature in Outlook that allows users to send email reminders with custom notification sounds. The custom sound was specified as a path using an extended Messaging Application Programming Interface (MAPI) property called PidLidReminderFileParameter. Attackers crafted emails where this property was set to a specifically crafted UNC path that caused the Outlook client to try to load the file from a remote SMB server on the internet, and as part of the SMB handshake, the client would then send the computer’s Net-NTLMv2 hash.

The fix for this issue consisted of using a method from the MSHTML Platform API called ​​IInternetSecurityManager::MapUrlToZone to better validate the UNC path and determine which security zone it belongs to. If the path leads to a location that’s not part of the local, intranet (local network), or trusted zones, then the Outlook client will no longer fetch the custom sound file and will play the default one.

The MSHTML Platform is the HTML rendering engine from Internet Explorer 11 and while IE11 has been deprecated, the engine still exists in the Windows WebBrowser control that’s used by other applications like Outlook to display HTML content.

Akamai’s security researcher Ben Barnea analyzed Microsoft’s March patch. He saw that if MapUrlToZone determines that the UNC path falls into one of the three trusted zones, another function called CreateFile is called to access that path. To bypass the fix, he would need to find a path that MapUrlToZone determines is trusted but which CreateFile still treats as an internet one and tries to access over SMB.

After testing, he found that paths of the format ‘\\.\UNC\\Akamai.com\file.wav” would pass the MapUrlToZone check but would be treated as internet paths by CreateFile. “This issue seems to be a result of the complex handling of paths in Windows,” Barnea said. MapUrlToZone and CreateFile rely on different functions to convert paths.

MapUrlToZone calls the function CreateUri, which incorrectly converts the path to a path that points to a directory called UNC in the root of the C:\ drive, therefore a local directory. However, CreateFile uses a function called RtlpDosPathNameToRelativeNtPathName to convert the path, and this function converts it to \??\UNC\Akamai.com\file.wav. This causes the request to be routed through the Multiple UNC Provider (MUP) driver, which will interpret it as an SMB path to the Akamai.com domain name.

In other words, the Outlook PidLidReminderFileParameter property could be just one way to send paths to a Windows application to fetch, but might not be the only one since this new vulnerability is in MapUrlToZone. According to Microsoft, the mitigations for Microsoft Exchange servers already prevent this bypass, but the patch for the standalone Outlook clients does not. As a result, the company updated its mitigation guidance for the Outlook flaw to require patches for both CVE-2023-29324 and CVE-2023-29324.

It is always important to stay vigilant with updates and patches, especially in today’s modern world. Despite any defenses that companies may put in place, vulnerabilities and cyber attacks can still occur, so it is important to stay informed and take necessary precautions.

Lidhja e burimit