0-Click Outlook RCE Vulnerability Triggered When Email is Clicked – Technical Analysis

NetSPI discovered that Microsoft Outlook is vulnerable to authenticated remote code execution (CVE-2024-21378) due to improper validation of synchronized form objects. 

By manipulating a configuration file, an attacker can have a custom form registered and instantiated automatically, naming a malicious executable as the form server. That slips past Outlook's faulty allow-listing mechanism and yields code execution on the target system.

The allow-listing mechanism inspects the form server registry key property to prevent synchronized COM form server executables from being executed automatically without authorization.

Despite this safeguard, Microsoft's documentation acknowledges that relative registry paths can be used to instantiate a form server executable. The matching algorithm inside the allow-listing validation mishandles such paths, so a relative registry path slips through the check and the executable runs anyway.


NetSPI identified a dual failure in the allow-listing validation algorithm when it processes relative paths.

Firstly, the algorithm erroneously employs exact matching instead of substring detection for forbidden registry key values, leading to false negatives. 

Secondly, a divergent control flow within the instantiation process unexpectedly handles relative registry paths, bypassing validation and enabling automatic registration and execution of the form server executable. 


Microsoft’s patch addressed the vulnerability by preventing the second stage of the attack and blocking the mechanism that allowed registering relative registry paths, effectively disrupting the intended attack flow.

However, official documentation regarding this change has not been released yet. 


Morphisec researchers investigated the RegCreateKeyExA function to bypass allow-listing restrictions in CVE-2024-30103.

Although Microsoft's documentation states that backslashes are not permitted in key names, the function accepts and processes them anyway.

By understanding this behavior and the function’s ability to expand registry paths based on user profiles, researchers were able to craft a modified registry path that circumvented the allow-listing mechanism, leading to successful form server instantiation. 


When processing its input parameters, the function strips any trailing backslashes, so a subkey name with a trailing backslash is treated the same as one without it.

It also interprets backslashes in the middle of a key name as hierarchy separators, creating the corresponding nested keys (up to 32 levels deep in a single call).

The attacker appends a trailing backslash to the registry key name on purpose: the name then no longer matches the value the allow-listing check is looking for, so the check, which is meant to stop the malicious form server from being registered, does not fire.

RegCreateKeyExA, however, strips the backslash and creates the entry anyway, without the backslash, pointing at a malicious executable synced via Exchange.

This executable is strategically placed in a well-defined AppData folder and associated with a specific message class.

Incoming messages matching this class trigger the instantiation of the form server, loading the malicious DLL within the Outlook process. 

While the example uses InprocServer32, other COM auto-instantiation properties can achieve similar outcomes with external processes. 


Microsoft patched CVE-2024-30103 by changing the allow-listing algorithm to strip trailing backslashes before performing an exact match on subkeys, so the check now sees the same key name the registry will actually create; this closes the matching gap the trailing-backslash trick relied on.

The deny list has been expanded to counter new potential exploitation techniques targeting subkey manipulation, though the effectiveness of these measures remains to be fully evaluated. 
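To make the mismatch concrete, the following is an added Python model of the pre-patch and post-patch checks; it is not Microsoft's, Morphisec's or NetSPI's code. The deny-list contents (`DENIED_SUBKEYS`), the function names, and the exact shape of the original comparison are assumptions made for illustration. What it shows is the core of the bug: the check compares the raw property value, while the registry normalizes the name (strips trailing backslashes, splits on interior ones) before creating the key, so `InprocServer32\` passes the check yet lands as `InprocServer32`.

```python
# Added example modelling the CVE-2024-30103 allow-list bypass and its fix.
# Not Microsoft's, Morphisec's or NetSPI's code; deny-list contents and the
# exact comparison are assumptions used to illustrate the normalisation gap.

MAX_NESTING = 32  # RegCreateKeyEx creates at most 32 levels in a single call

# Hypothetical deny-list of COM auto-instantiation subkeys that a synced
# form's registry properties must never create (assumption for the model).
DENIED_SUBKEYS = {"InprocServer32", "LocalServer32"}


def registry_normalize(subkey: str) -> list:
    """Model how RegCreateKeyExA interprets a subkey name: trailing
    backslashes are dropped, interior backslashes split the name into a
    nested path, and at most MAX_NESTING levels are created per call."""
    stripped = subkey.rstrip("\\")
    parts = [p for p in stripped.split("\\") if p]
    if len(parts) > MAX_NESTING:
        raise ValueError("too many nesting levels for a single call")
    return parts


def faulty_is_denied(subkey: str) -> bool:
    """Pre-patch check (model): exact comparison of the raw property value
    against each deny-listed name, with no normalisation first."""
    return subkey in DENIED_SUBKEYS


def fixed_is_denied(subkey: str) -> bool:
    """Post-patch check (model): normalise the name the same way the
    registry does, then compare each resulting component exactly."""
    return any(part in DENIED_SUBKEYS for part in registry_normalize(subkey))


def register_form_property(subkey: str, is_denied) -> tuple:
    """Run the chosen check on the raw value and, if it is allowed, create
    the key the way the registry would. Returns (blocked, created_path)."""
    if is_denied(subkey):
        return True, []
    return False, registry_normalize(subkey)


if __name__ == "__main__":
    # Constructed sample property values: the plain name, the trailing-
    # backslash variant used for the bypass, and a harmless nested key.
    for value in ("InprocServer32", "InprocServer32\\", "MyForm\\Settings"):
        for name, check in (("faulty", faulty_is_denied), ("fixed", fixed_is_denied)):
            blocked, path = register_form_property(value, check)
            print(f"{name:6s} {value!r:22s} blocked={blocked} created={path}")
```

Running the block prints that the faulty check blocks the plain `InprocServer32` but lets `InprocServer32\` through, after which the registry still creates `['InprocServer32']`; the fixed check blocks both while still allowing an unrelated nested key such as `MyForm\Settings`.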


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
