Closed snieradkiewicz closed 1 year ago
Same issue here
I have to dive a little bit deeper into this but first I have some other issues to solve for my #msgreader project
I also ran into the same issue. Thanks
Is this library safe? Who introduced the vulnerability?
I suspect folks are trying to use this library to exploit CVE-2023-23397 as per https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/.
This library is not the vulnerability; rather, the blog I’ve linked suggests that the “PidLidReminderFileParameter” parameter in Outlook meeting objects (and probably other Outlook objects that accept a URI controllable by the sender) is the vulnerability. I suspect there’s been an influx of people trying to use this library to exploit the bug. There’s now a much better POC from MDSec written in PowerShell, and in any case Microsoft has released a couple of patches.
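For defenders triaging the property named in the comment above, an added example (not part of the thread and not code from this library) that flags PidLidReminderFileParameter values naming a remote host instead of a local sound file. It assumes the string values were already extracted from message items by a separate parser; `remote_host`, `triage` and the sample values are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample values standing in for PidLidReminderFileParameter strings
# already pulled from message items (assumption: extraction is done elsewhere).
SAMPLES = [
    r"C:\Windows\Media\Alarm01.wav",
    "reminder.wav",
    r"\\198.51.100.7\share\a.wav",
    r"\\files.example.net@443\dav\a.wav",
    r"\\?\UNC\files.example.net\share\a.wav",
    "file://files.example.net/share/a.wav",
    "",
]

# \\?\UNC\host\share and \\.\UNC\host\share (device-path spelling of a UNC path)
_DEVICE_UNC = re.compile(r"^[\\/]{2}[?.][\\/]UNC[\\/](?P<host>[^\\/]+)", re.I)
# \\host\share or //host/share; \\?\C:\... and \\.\pipe\... are local and do not match
_UNC = re.compile(r"^[\\/]{2}(?P<host>[^\\/?.][^\\/]*)")


def remote_host(value):
    """Return the host a reminder-sound path points at, or None if local or empty."""
    v = (value or "").strip().strip("\x00")
    if not v:
        return None
    m = _DEVICE_UNC.match(v) or _UNC.match(v)
    if m:
        # Drop a WebDAV-style "@port" / "@SSL" suffix from the host component.
        return m.group("host").split("@", 1)[0].lower()
    try:
        parts = urlsplit(v)
    except ValueError:
        return None
    # A one-letter "scheme" is a drive letter (C:\...), not a URL.
    if len(parts.scheme) > 1 and parts.hostname:
        return parts.hostname.lower()
    return None


def triage(values, trusted_hosts=()):
    """Return (value, host) pairs whose host is not in the trusted set."""
    trusted = {h.lower() for h in trusted_hosts}
    return [(v, h) for v in values if (h := remote_host(v)) and h not in trusted]
```
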
It's the same with car manufacturers. If somebody uses a car to kill somebody then it is not the manufacturer's fault but the person that is driving the car. This also goes for many other things.
I originally made this library so that I could make MSG files without needing Outlook on a server (which is not a good idea). That people use it to try to steal NTLM hashes is not something that is my fault.
Thanks for the reply. I freaked out when I saw the big warning on the front page. I thought someone managed to sneak some code inside.
I just ran into the same issue as the original topic in this thread. Cannot send this meeting request.
I tried to set appointment draft both to true and false. Any ideas why this is happening?
Found this thread - https://twitter.com/wdormann/status/1636114137670361091 But no solution.
Upon generating an appointment from the example, then opening it in Outlook and clicking [Send], I receive an error message:
Cannot send this meeting request.
From Outlook logs we can see an event: Microsoft Outlook Cannot send this meeting request. P1: 300972 P2: 16.0.16130.20218 P3: P4: 0x80004005
Creating the appointment as a draft returns the same error message. Tested under different mail servers.