Morphisec researchers have recently uncovered a critical vulnerability in Microsoft Outlook, identified as CVE-2024-30103. It can execute malicious code as soon as an email is opened.
We will explore the technical aspects of CVE-2024-30103, examining how this vulnerability can be exploited and assessing its potential impact on your systems.
This vulnerability presents a significant security threat, allowing remote code execution through maliciously injected Outlook Forms.
Technical Details of CVE-2024-30103
Earlier this year, Netspi discovered a related vulnerability, CVE-2024-21378, which exposed Outlook to authenticated remote code execution via synced form objects.
Morphisec researchers have built upon the findings of CVE-2024-21378 to identify CVE-2024-30103.
This vulnerability exploited a flaw in the allow-listing mechanism that failed to adequately validate form server properties, allowing for unauthorized instantiation of synchronized custom forms.
The vulnerability exploits a flaw in the allow-listing algorithm that fails to address specific character manipulations in registry paths.
Researchers demonstrated how the registry path could be manipulated to bypass security checks and trigger the instantiation of malicious form server executables by using special characters, such as backslashes.
The key to this exploit lies in handling registry keys by the Windows API function RegCreateKeyExA. This function removes trailing backslashes from key names, allowing the creation of nested keys. By exploiting this behavior, attackers can manipulate registry paths to point to malicious executables, which are automatically instantiated when a specially crafted email is opened in Outlook.
This function processes backslashes in a specific way: a trailing backslash in a registry key is removed, meaning “InprocServer32” is treated as “InprocServer32.” This discrepancy can be exploited to bypass the exact matching algorithm, as the algorithm sees the two as different, but the registry treats them as the same.
The researchers found that this behavior could be used to load a malicious form server executable by placing it in the AppData local Forms folder. When a message with a specific message class is sent to a victim, it triggers the form server’s instantiation.
This method can load a malicious DLL within the Outlook process or leverage other COM properties like LocalServer32 to initiate external applications.
The vulnerability allows attackers to execute arbitrary code within the context of the Outlook application. Malicious code, such as a DLL file, can be loaded and executed, potentially leading to data breaches, unauthorized access, and other malicious activities.
Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot
CVE-2024-30103 – Patch
In a recent security update, Microsoft has revised its allow listing matching algorithm to bolster system defenses. The update addresses a vulnerability by changing the way subkeys are matched.
Previously, the algorithm searched for substrings within subkeys, but now it strips trailing backslashes from the subkey before performing an exact match. This change aims to provide a more robust solution to potential security threats, although its long-term effectiveness remains to be seen.
Alongside this update, Microsoft has also made significant enhancements to its denylist. The updated denylist incorporates new techniques designed to prevent remote code execution attacks that could exploit subkey manipulation.
These improvements demonstrate Microsoft’s ongoing commitment to strengthening security measures and protecting users from emerging threats.
While the patch addresses the immediate vulnerability, the evolving nature of security threats means that organizations must remain vigilant. Regular updates and security audits are essential to protect against potential exploits. Users are advised to apply the latest security patches and follow best practices to safeguard their systems against such vulnerabilities.
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access