
Technical Analysis: CVE-2024-38021

Posted by Arnold Osipov on August 19, 2024

Recently, Morphisec researchers discovered a vulnerability in Microsoft Outlook that can lead to remote code execution (RCE). This vulnerability, identified as CVE-2024-38021, highlights a significant security flaw within the Microsoft Outlook application, potentially allowing attackers to execute arbitrary code without requiring prior authentication.

In this blog post, we will provide an in-depth technical analysis of the discovered vulnerability. This blog post details how the vulnerability operates and discusses an associated NTLM credential leak that remains unpatched, posing further security risks.

CVE-2024-38021

CVE-2024-21413 Recap

Earlier this year the Check Point research team discovered a vulnerability in Outlook that bypasses the security warning shown to users when they click a hyperlink pointing to a remote file. This vulnerability leads to a leak of the local NTLM credentials and can potentially trigger remote code execution.

Outlook notification about exploitation

The bypass involves adding an exclamation mark to the link, which transforms the file moniker that simply points to a file on a remote SMB share into a generic composite moniker. This composite moniker is composed from a file moniker and an item moniker, altering the way Microsoft Outlook parses the link represented by the string.

Diagram of exploitation

Upon closer examination of the Windows APIs involved in the process of parsing and creating the hyperlink object, we notice two significant security warnings within the Microsoft documentation:

  1. Hlink!HlinkCreateFromString – the API call responsible for creating a hyperlink object. Its documentation notes that calling this function with a string in the form used in the vulnerability (a composite moniker) passes the hyperlink string to the less safe API call MkParseDisplayName.
  2. Ole32!MkParseDisplayName – Similar to the warning on the previous method, this one states that passing a hyperlink string from an untrusted source is unsafe, and that some moniker implementations might act on the string during parsing.

When a composite moniker is passed to MkParseDisplayName, it invokes the BindToObject method, which brings in the COM object responsible for handling the specific file type.

For instance, if the file moniker’s extension is .rtf, it will spawn winword.exe in the background without displaying the UI, access the file pointed to by the file moniker, and attempt to look up the object pointed to by the item moniker.

This leads to two significant issues:

  1. The file is accessed – leads to a local NTLM credential leak.
  2. The file is parsed – chains into any RCE present in the parsing routine (e.g. CVE-2023-21716).

CVE-2023-21716 Parsing Routine

One important finding of this research is that the exclamation mark is not the only character that triggers this behavior: other characters, such as the opening square bracket and the colon, do so as well.

Code snippet from CVE-2024-21413 patch research


CVE-2024-21413 Patch Analysis

Microsoft employs hooks to patch certain vulnerabilities in Microsoft Office applications. For CVE-2024-21413, they updated the InitDetours method to hook the vulnerable MkParseDisplayName function.

Code snippet from CVE-2024-21413 patch


The hook function simply checks the value of the BlockMkParseDisplayNameOnCurrentThread flag. The purpose of this flag is straightforward: if the flag is set to true, the MkParseDisplayName Windows API is not invoked, thereby preventing the parsing of potentially malicious moniker strings.


Code snippet from CVE-2024-38021 patch showing how malicious strings may not be parsed

The flag is set in the Microsoft Office wrapper function that calls Hlink!HlinkCreateFromString: mso30win32client!MsoHrHlinkCreateFromString sets the flag to true only if the application ID equals Outlook.

Code snippet from CVE-2024-38021 attack

Bypass Microsoft’s Patch: CVE-2024-38021

Microsoft patched the function that handles hyperlink creation from a string; however, we discovered that when a composite moniker is passed in an image tag URL, it is parsed by the mso30win32client!HrPmonFromUrl method, which is responsible for parsing URLs within image tags.

Code snippet from CVE-2024-38021 attack

The HrPmonFromUrl API does not set the BlockMkParseDisplayNameOnCurrentThread flag, allowing the composite moniker to be processed.


CVE-2024-38021 Attack Diagram

This results in the invocation of the unsafe MkParseDisplayName function, which parses the composite moniker and triggers the same security issues as with the previous vulnerability (CVE-2024-21413), including potential remote code execution and local NTLM credential leak.


Code snippet from CVE-2024-38021 attack

CVE-2024-38021 Patch

To patch CVE-2024-38021, Microsoft used the same approach as for the previous vulnerability, relying on the BlockMkParseDisplayNameOnCurrentThread flag. This time, they updated the HrPmonFromUrl function to set the flag to true. As a result, any composite moniker passed within an image tag URL is blocked from reaching the vulnerable MkParseDisplayName function, preventing the exploit.

Code snippet from CVE-2024-38021 patch


NTLM Credential Leak - Unpatched

Despite Microsoft's efforts to patch the specific attack vector discovered in CVE-2024-38021, one vulnerability remains unpatched. We discovered that passing a simple file moniker still results in the local NTLM credentials being leaked, indicating that the patch does not fully address all potential security risks associated with moniker handling.
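As an added defender-side example (not Morphisec's code or tooling), the following Python scans a constructed HTML message body for `<a href>` and `<img src>` references to remote files and distinguishes a plain file moniker (which, as described above, still leaks NTLM credentials) from a composite moniker (the `!`, `[` or `:` separator form that reaches MkParseDisplayName). The URL shapes, hostnames and sample body are assumptions for illustration.

```python
import re
from html.parser import HTMLParser

# Separators that, after the file path, turn a plain file moniker into a
# composite (file + item) moniker, as described in the analysis above.
COMPOSITE_SEPARATORS = ("!", "[", ":")

# Remote-file references: UNC paths (\\host\share\...) and file://host/... URLs.
# Local file:///C:/... paths do not match because the host part would be empty.
_REMOTE_FILE_RE = re.compile(r"^(?:file:)?(?://|\\\\)([^/\\]+)[/\\](.*)$", re.I)


def classify_url(url):
    """Return 'composite-moniker', 'file-moniker', or None if not a remote file."""
    m = _REMOTE_FILE_RE.match(url.strip())
    if not m:
        return None
    _host, path = m.groups()
    if any(sep in path for sep in COMPOSITE_SEPARATORS):
        return "composite-moniker"
    return "file-moniker"


class _RefCollector(HTMLParser):
    """Collects <a href> and <img src> targets from an HTML mail body."""
    WANTED = {"a": "href", "img": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attr = self.WANTED.get(tag)
        for name, value in attrs:
            if attr and name == attr and value:
                self.refs.append((tag, value))


def scan_html(body):
    """Return (tag, url, kind) for every remote-file reference in the body."""
    collector = _RefCollector()
    collector.feed(body)
    return [(tag, url, kind) for tag, url in collector.refs
            if (kind := classify_url(url)) is not None]


# Constructed sample message body (hostnames are assumptions, not real IoCs).
SAMPLE_MAIL = """<p>Quarterly report attached.</p>
<img src="https://cdn.example.test/logo.png">
<img src="file://fileserver.example.test/public/report.rtf!item1">
<a href="\\\\fileserver.example.test\\public\\notes.docx">notes</a>
"""
```

Run `scan_html(SAMPLE_MAIL)` on a message body to get a list of findings; the HTTPS image is ignored, the `file://` image is reported as a composite moniker and the UNC hyperlink as a plain file moniker.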

Text excerpt from NTLM credential leak


Microsoft's official response is: "We recommend customers follow security best-practices and to not trust content shared from unknown sources. We’ve documented (Block or unblock automatic picture downloads in email messages - Microsoft Support) that Outlook, by default, blocks automatic image downloads from the Internet to safeguard users from potentially harmful attachments or linked documents."


Live Analysis and Q&A

The Morphisec threat researchers that discovered CVE-2024-38021 and CVE-2024-30103 recently presented their technical findings in a live virtual threat briefing. Watch to hear directly from those that discovered these vulnerabilities and learn more about these and other related Microsoft RCE vulnerabilities. 


Conclusion

This blog provides technical insights into a critical RCE vulnerability in the Microsoft Outlook application.

We recommend that organizations patch Office applications regularly to mitigate exposed risks and maintain visibility into gaps in the application patching process.

Morphisec researchers are continuing to research newer vulnerabilities in Microsoft Office applications, and CVE-2024-38173 is a result of the same.

Morphisec’s implementation of AMTD on Microsoft Office applications significantly reduces the attack surface and offers organizations crucial proactive defense against these types of vulnerabilities.

Application of AMTD creates a Virtual Patching shield protecting applications from exploitation attempts, thus allowing organizations sufficient time to plan and deploy the relevant patches.