0-Click Outlook RCE Vulnerability Triggered When Email is Clicked – Technical Analysis

NetSPI discovered that Microsoft Outlook is vulnerable to authenticated remote code execution (CVE-2024-21378) due to improper validation of synchronized form objects. 

By manipulating a configuration file, attackers can automatically register and instantiate a custom form, specifying a malicious executable as the form server, which bypasses Outlook's faulty allow-listing mechanism, enabling remote code execution on the target system.

The allow-listing mechanism examines the form server registry key property to prevent the unauthorized automatic execution of synchronized COM form server executables. 

Despite this safeguard, Microsoft documentation acknowledges that relative registry paths can be used to instantiate the form server executable, and the matching algorithm in the allow-listing validation handles such paths incorrectly, so unauthorized execution through a relative registry path remains possible.


NetSPI identified a dual failure in the allow-listing validation algorithm when it processes relative paths.

Firstly, the algorithm erroneously employs exact matching instead of substring detection for forbidden registry key values, leading to false negatives. 

Secondly, a divergent control flow within the instantiation process unexpectedly handles relative registry paths, bypassing validation and enabling automatic registration and execution of the form server executable. 


Microsoft’s patch addressed the vulnerability by preventing the second stage of the attack and blocking the mechanism that allowed registering relative registry paths, effectively disrupting the intended attack flow.

However, official documentation regarding this change has not been released yet. 


Morphisec researchers investigated how the RegCreateKeyExA function could be used to bypass the allow-listing restrictions, which led to CVE-2024-30103.

Despite Microsoft documentation stating backslashes are prohibited in key names, the function unexpectedly handles them. 

By understanding this behavior and the function’s ability to expand registry paths based on user profiles, researchers were able to craft a modified registry path that circumvented the allow-listing mechanism, leading to successful form server instantiation. 

Figure: Structure of the Registry

When processing its input parameters, the function strips any trailing backslashes, so a key name with a trailing backslash is handled exactly like the same name without one.

It also interprets backslashes in the middle of a key name as hierarchical separators and automatically creates the resulting nested key structure, up to 32 levels deep.


A trailing backslash appended to the registry key name makes it fail the exact match against the expected key, the check that is meant to prevent malicious software from executing.

However, the registry entry is still created without the backslash, pointing to a malicious executable synced via Exchange. 

This executable is strategically placed in a well-defined AppData folder and associated with a specific message class.

Incoming messages matching this class trigger the instantiation of the form server, loading the malicious DLL within the Outlook process. 

While the example uses InprocServer32, other COM auto-instantiation properties can achieve similar outcomes with external processes. 


Microsoft has patched CVE-2024-30103 by modifying the allow-listing algorithm to perform exact matching on subkeys after removing trailing backslashes, addressing the earlier substring matching weakness.
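To make the two matching flaws concrete, the following is an added example (not code from the article, from NetSPI, Morphisec or Microsoft) that places a naive deny-list check beside a hardened one. The naive check compares the raw key string, so both the trailing-backslash variant and a relative path containing the forbidden subkey slip through; the hardened check first canonicalizes the key the way the article says RegCreateKeyExA interprets it (trailing backslashes dropped, mid-key backslashes treated as separators, a limit of 32 levels) and then compares each path component. The forbidden subkey set and the sample key names are constructed for illustration; Microsoft's actual deny list is not public.

```python
"""Naive vs. hardened deny-list matching for COM form-server registry keys.

Added example (not from the article or the vendors it cites).  The deny list,
key names and nesting rules below model the article's description and are
constructed for illustration only.
"""
from typing import Dict, List, Tuple

# COM auto-instantiation subkeys a form-server allow-list must refuse.
# InprocServer32 is the subkey named in the article; LocalServer32 is the
# out-of-process counterpart.  Assumption: the real deny list is larger.
FORBIDDEN_SUBKEYS = frozenset(s.lower() for s in ("InprocServer32", "LocalServer32"))

# RegCreateKeyEx creates missing intermediate keys up to 32 levels deep.
MAX_NESTING = 32


def naive_is_forbidden(key: str) -> bool:
    """Pre-patch style check: exact match of the whole raw string.

    'InprocServer32\\' (trailing backslash) and 'CLSID\\...\\InprocServer32'
    (relative path) are both accepted even though the registry API will
    create exactly the forbidden subkey for them.
    """
    return key in ("InprocServer32", "LocalServer32")


def canonicalize_key(key: str) -> List[str]:
    """Normalize a key name the way the registry API will interpret it.

    - trailing backslashes are ignored
    - every remaining backslash separates one nesting level
    - empty components from doubled backslashes collapse
    - more than MAX_NESTING levels is refused instead of silently accepted
    Components are lower-cased because registry key names are case-insensitive.
    """
    components = [c for c in key.rstrip("\\").split("\\") if c]
    if not components:
        raise ValueError("empty key name")
    if len(components) > MAX_NESTING:
        raise ValueError(f"key nests {len(components)} levels, limit is {MAX_NESTING}")
    return [c.lower() for c in components]


def hardened_is_forbidden(key: str) -> bool:
    """Post-canonicalization check: exact match per path component.

    Any level of the path equal to a forbidden subkey rejects the whole key,
    so relative paths and trailing-backslash variants are caught.  Keys that
    cannot be canonicalized are rejected too (fail closed).
    """
    try:
        components = canonicalize_key(key)
    except ValueError:
        return True
    return any(c in FORBIDDEN_SUBKEYS for c in components)


def compare(keys: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Return {key: (naive_verdict, hardened_verdict)} for a list of key names."""
    return {k: (naive_is_forbidden(k), hardened_is_forbidden(k)) for k in keys}


# Constructed sample inputs: the CLSID below is a placeholder, not a real class id.
SAMPLE_KEYS = [
    "InprocServer32",                                     # plain forbidden key
    "InprocServer32\\",                                   # trailing backslash
    "CLSID\\{00000000-0000-0000-0000-000000000000}\\inprocserver32",  # relative path
    "DisplayName",                                        # benign key
    "\\".join(["level"] * 33),                            # exceeds nesting limit
]

if __name__ == "__main__":
    for key, (naive, hardened) in compare(SAMPLE_KEYS).items():
        print(f"{key[:48]:<50} naive={naive!s:<5} hardened={hardened}")
```

The difference between the two functions is the canonicalization step: a matcher that compares the caller's string literally is checking something other than what the registry API will actually create, and every normalization the API performs (trailing separators, nested paths, case folding) becomes a bypass unless the matcher performs it first.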

The deny list has been expanded to counter new potential exploitation techniques targeting subkey manipulation, though the effectiveness of these measures remains to be fully evaluated. 


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
