MonikerLink Meltdown: Demystifying CVE-2024-21413 and Dodging Outlook's Booby Trap


The Cyber Tornado

In this blog post, we will delve into the details of the recently discovered Microsoft Outlook Remote Code Execution Vulnerability, CVE-2024-21413. This vulnerability, identified by Check Point Research, poses a significant risk to organizations using the Outlook application. We will explore its root cause, its potential impact, and the broader implications of this bug for other software.

Check Point Research has published a comprehensive analysis report on Outlook Attack Vectors, titled “The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors”. Within this report, they unveiled a security issue when Outlook handles specific hyperlinks. It was demonstrated that certain link structures can bypass existing security restrictions, potentially leading to remote code execution and exposing confidential information.

https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/

Outlook has specific behaviors when it comes to handling hyperlinks. In their report, Check Point Research explains that protocol prefixes like "http://" or "https://" are recognized as web links, prompting Outlook to open the default browser. Other protocols, such as "skype:", trigger a warning message before an external application is opened. The "file://" protocol, however, raises unique concerns.

The MonikerLink bug, discovered by Check Point Research, takes advantage of a subtle modification of the hyperlink structure. By appending an exclamation mark "!" and additional arbitrary characters after the file path, the link bypasses Outlook's security measures for remote file access. This bypass allows Outlook to access a remote resource controlled by an attacker. Additionally, the bug leverages Component Object Model (COM) concepts to execute arbitrary code.

An attacker can exploit this vulnerability by sending a malicious email containing a crafted Moniker Link. When the victim clicks on the link, their system becomes vulnerable to arbitrary code execution, potentially leading to data theft, malware installation, or complete system takeover.
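The link shape described above (a "file://" or UNC target followed by "!" and extra characters) is something a mail gateway or SOC script can look for. The following detector is an added example for this post, not code from the original article or from the POC repository; the HTML message body, the host name and the share path in it are constructed sample data.

```python
"""Flag hyperlinks in an email body that match the MonikerLink shape:
a file:// or UNC target with an '!' item suffix appended to the path."""
import re
from html.parser import HTMLParser
from typing import List

# Constructed sample message body (not a real email); the UNC host and
# share are placeholders.
SAMPLE_HTML = """
<html><body>
<p>Please review the report:</p>
<a href="file:///\\\\10.0.0.5\\share\\report.rtf!x">Open report</a>
<a href="https://example.com/report">Web copy</a>
<a href="file:///C:/Users/me/notes.txt">Local notes</a>
</body></html>
"""

# A file: or UNC (\\host) target, then '!' followed by at least one
# non-space character, i.e. the FileMoniker!ItemMoniker composition.
MONIKER_RE = re.compile(r"^(?:file:|\\\\)[^!\s]+![^\s]+", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect every href value from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def is_monikerlink(href: str) -> bool:
    """True if the href has the MonikerLink structure."""
    return MONIKER_RE.match(href) is not None


def find_monikerlinks(html: str) -> List[str]:
    """Return all hrefs in the body that should be quarantined or reviewed."""
    collector = LinkCollector()
    collector.feed(html)
    return [h for h in collector.hrefs if is_monikerlink(h)]


if __name__ == "__main__":
    for href in find_monikerlinks(SAMPLE_HTML):
        print("suspicious MonikerLink-style href:", href)
```

Plain file:// links without the "!" suffix are deliberately left alone, so the check flags the bypass pattern rather than every local path.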

Below is the POC code by Alexander Hagenah:

https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability

Disclaimer : Remember your responsibility! Explicit permission is required before engaging in any testing or exploitation activities. Respecting user privacy and system security is paramount.

The provided POC code demonstrates how to exploit CVE-2024-21413 using an SMTP email server. Here's a breakdown of its key functions:

send_email function: constructs and sends an email containing a malicious Moniker Link disguised as an image and embedded within HTML code.
display_banner function: prints a banner displaying information about the exploit and its author.
main function: parses command-line arguments and calls the send_email function to launch the attack.

Usage :

python CVE-2024-21413.py --server "<SMTP server>" --port <SMTP port> --username "<SMTP username>" --password "<SMTP password>" --sender "<sender email>" --recipient "<recipient email>" --url "<link URL>" --subject "<email subject>"

The script can send emails that appear legitimate, even though they are not, by bypassing email authentication checks (SPF, DKIM, DMARC). This is useful for testing how secure email systems are, but remember to use it responsibly!

Parameters:

--server: SMTP server hostname or IP.
--port: SMTP server port.
--username: SMTP server username for authentication.
--password: SMTP server password for authentication.
--sender: Sender email address.
--recipient: Recipient email address.
--url: Malicious path to include in the email.
--subject: Email subject.

[Figure: Initial sending. Source: xaitax]
[Figure: Display in Outlook (no warnings, no Protected View). Source: xaitax]
[Figure: Wireshark capture including NTLM credentials (impacket can be used alternatively). Source: xaitax]

This vulnerability exposes two significant risks. Firstly, it leaks local NTLM credential information: when Outlook is tricked into accessing the remote resource, the SMB protocol is used and the local credentials are sent along, inadvertently revealing them. Secondly, leveraging the MonikerLink bug can lead to arbitrary code execution. Microsoft Word, as an example, can be manipulated into parsing an attacker-controlled RTF file, potentially resulting in code execution.

The exploitation of the MonikerLink bug demonstrates how a composed moniker made of a FileMoniker and an ItemMoniker can lead to a remote code execution scenario. A background Microsoft Word process, running as a COM server, attempts to open and parse the remote RTF file. This process bypasses Protected View, making it easier for an attacker to gain code execution on the victim's machine. It is worth noting that the attack surface is even larger because this vulnerability exposes various applications, not just default-installed ones.

Check Point Research assessed the severity of this vulnerability and assigned it a score of 1.0, which is the highest rating. Comparatively, other attack vectors rely on targeted interactions from the victim, such as double-clicking on attachments. However, this remote code execution vulnerability can be triggered by a single click on a link, making it highly exploitable.

Look out for a Microsoft patch for CVE-2024-21413. In the meantime, organizations can take several steps to mitigate the risk. Implementing temporary workarounds, such as disabling the affected protocols, can provide immediate relief. Conducting security awareness training for employees, emphasizing cautious link clicking and staying up to date with security patches, is also crucial.

The Microsoft Outlook Remote Code Execution Vulnerability CVE-2024-21413, discovered by Check Point Research, highlights the importance of scrutinizing the security measures within widely used applications. The MonikerLink bug's ability to bypass existing restrictions and execute arbitrary code raises concerns for organizations worldwide. While awaiting a patch, vigilance and proactive measures are necessary to protect against exploitation.

For more detailed information and technical analysis, refer to the original research article by Check Point Research and the POC code by Alexander Hagenah.
