Researchers discovered a new RCE vulnerability in the Windows API function CreateUri, introduced as a patch for CVE-2023-23397, allowing zero-click RCE exploitation, unlike the previous two-vulnerability chain required for the same outcome, which affects not just Outlook but also File Explorer, potentially increasing the attack surface.
Microsoft patched a critical Outlook vulnerability (CVE-2023-23397) exploited by Forest Blizzard in March 2023, which allowed attackers to trick Outlook clients into connecting to their server, revealing the victim’s NTLM credentials.
In December, Microsoft and the Polish Cyber Command identified further exploitation attempts and later discovered two bypasses for the patch, along with a sound parsing vulnerability.
Chaining these vulnerabilities could potentially allow full remote code execution (RCE) on vulnerable Outlook clients without any user interaction.
A security patch for the CVE-2023-23397 vulnerability introduced a call to MapUrlToZone in Outlook to prevent loading remote reminder sounds.
While it fixed the initial exploit, it created a new vulnerability in MapUrlToZone itself.
By controlling the path passed to MapUrlToZone, attackers can potentially exploit the CrackUrlFile function within CreateUri, a function previously compromised in another attack, which parses both URLs and Windows file paths, making it a target for path-based attacks.
The CrackUrlFile function analyzes a provided path and determines whether it’s a URL or a Windows path.
If it’s a URL, a copy is created and converted to a Windows path using PathCreateFromUrlW.
The working buffer is then manipulated by advancing the pointer depending on path formats (e.g., local device path, UNC path).
In July 2023, new code unrelated to previous bypasses was observed in CrackUrlFile during our patch reverse engineering process.
The function contains a vulnerability due to improper memory management and during path parsing, the code checks for drive paths and rooted paths.
If a drive path is identified, a pointer is advanced to the path component and saved.
Later, the original buffer pointer is retrieved and freed if dynamically allocated, as since it was overwritten with the advanced pointer, the freed memory refers to a different location than originally allocated, potentially allowing an attacker to manipulate memory allocation.
To exploit this, a file scheme URL with a UNC path prefixed with “C:” (representing a drive) needs to be provided.
The researchers at Akamai investigated the possibility of triggering the vulnerability through Windows Explorer by creating a shortcut file (LNK) that pointed to the vulnerable path and when the victim opens the folder containing the shortcut, Explorer encounters the vulnerability and crashes.
It offers a proof-of-concept (PoC) file in their security repository that can be used to test for the vulnerability, but cautions users to carefully understand the risks before using it.
A bypass for the MapUrlToZone function in May 2023, recommending its removal due to the increased attack surface by arguing that allowing remote attackers to exploit parsing vulnerabilities without sandboxing posed a significant security risk.
The subsequent investigation identified two bypasses, a sound parsing vulnerability, and ultimately, a Windows path parsing memory corruption issue, highlighting the importance of examining security patches for potential bypasses, as there’s a high likelihood of more vulnerabilities existing in MapUrlToZone.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.