Researchers to Release PoC Exploit for Microsoft Outlook RCE Flaw, Patch Now!
Proof-of-concept (PoC) exploit code for CVE-2024-21378, a high-severity (CVSS 8.8) remote code execution (RCE) vulnerability in Microsoft Outlook, will be released at “a later date”. The flaw lets an attacker execute arbitrary code on an affected system, potentially gaining extensive control over it. Microsoft has released patches, and they should be applied immediately to mitigate the risk.
Security researchers at NetSPI uncovered the flaw and demonstrated how an attacker could exploit a weakness in the way Outlook syncs custom form objects. Although Microsoft had earlier restricted script execution in custom forms, this new technique bypasses that safeguard.
The roots of CVE-2024-21378 trace back to a variant of an attack documented by Etienne Stalmans at SensePost (Orange Cyberdefense) in 2017. Stalmans’ research showed that VBScript code embedded in Outlook form objects could be leveraged for code execution. Microsoft responded with a patch that enforced allowlisting of script code in custom forms, but the ability of these form objects to sync between mailbox and client was left unchanged, leaving a door ajar for future exploitation.
At the heart of this vulnerability lies Outlook’s syncing mechanism for form objects, specifically IPM.Microsoft.FolderDesign.FormsDescription objects. These objects carry special properties and attachments that drive the “installation” of the form the first time a client uses it. The exploitation chain begins with a request to instantiate a particular message class and ends with the form being loaded as a COM object. The two primitives that make this exploitable are an arbitrary write to disk and the ability to create registry keys for the form; together they let an attacker install a malicious DLL and have Outlook load it, achieving RCE.
NetSPI weaponized CVE-2024-21378 by modifying Ruler, an Outlook penetration-testing tool. Their approach used compromised access tokens to authenticate to Exchange Online and sync a form whose properties cause an arbitrary COM-compliant native DLL to execute. Ingenious as it is, the technique has operational-security drawbacks from an attacker’s point of view: it requires user interaction to trigger the form, it writes to the well-known FORMS directory, and the registry changes are made by the Outlook process itself, all of which give defenders something concrete to monitor.
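The three host-side artifacts just listed are what a detection engineer would key on. As an added example, not code from the NetSPI write-up or the Ruler project, the following Python triage script flags two of them in a handful of constructed Sysmon-style events: a native DLL written by outlook.exe under the Outlook FORMS cache, and a COM in-process server registered by outlook.exe that points back into that cache. The FORMS path (%LOCALAPPDATA%\Microsoft\FORMS), the CLSID\...\InprocServer32 key shape, the SID, the GUID and the event layout are all assumptions for illustration, not details taken from the page or the advisory.

```python
"""Triage constructed Sysmon-style events for Outlook custom-form abuse
artifacts (CVE-2024-21378 pattern): outlook.exe dropping a native DLL into
its FORMS cache and registering it as a COM server. Added example; paths,
registry layout and events are assumptions, not data from the source page."""
import re

# Constructed events (not real telemetry). id 11 = FileCreate,
# id 13 = RegistryEvent (value set), loosely following Sysmon field names.
SAMPLE_EVENTS = [
    # Benign: Outlook maintaining its forms cache index.
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\FORMS\frmcache.dat"},
    # Suspicious: a DLL landing in the FORMS cache, written by Outlook itself.
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\FORMS\IPM.Note.Sync\payload.dll"},
    # Suspicious: Outlook registering a COM in-proc server that points at that DLL.
    {"id": 13, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\FORMS\IPM.Note.Sync\payload.dll"},
    # Benign: an installer writing a DLL somewhere else, not Outlook.
    {"id": 11, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Program Files\Vendor\app.dll"},
    # Benign: ordinary Outlook preference write.
    {"id": 13, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\Preferences\NewMailDesktopAlerts",
     "details": "DWORD (0x00000001)"},
]

# Assumed location of the per-user Outlook forms cache (%LOCALAPPDATA%\Microsoft\FORMS).
FORMS_DIR = re.compile(r"\\AppData\\Local\\Microsoft\\FORMS\\", re.I)
# Native code that Outlook should never be writing into that cache.
EXEC_EXT = re.compile(r"\.(dll|exe|ocx)$", re.I)
# Assumed shape of a per-user COM in-process server registration.
COM_SERVER_KEY = re.compile(r"\\CLSID\\\{[0-9a-f-]+\}\\InprocServer32\\", re.I)


def is_outlook(image: str) -> bool:
    """True when the acting process is outlook.exe (case-insensitive)."""
    return image.lower().endswith("\\outlook.exe")


def find_form_abuse(events):
    """Return (event_index, reason) for every event matching one of the
    two artifact patterns. Only events where outlook.exe is the actor count,
    because the write-up notes the changes are made by the Outlook process."""
    findings = []
    for i, ev in enumerate(events):
        if not is_outlook(ev["image"]):
            continue
        target = ev["target"]
        details = ev.get("details", "")
        if ev["id"] == 11 and FORMS_DIR.search(target) and EXEC_EXT.search(target):
            findings.append((i, "native_dll_in_forms_cache"))
        elif ev["id"] == 13 and (COM_SERVER_KEY.search(target) or FORMS_DIR.search(details)):
            findings.append((i, "com_server_registered_by_outlook"))
    return findings


if __name__ == "__main__":
    for idx, reason in find_form_abuse(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{reason}] event {idx}: {ev['target']}")
```

Both rules deliberately require outlook.exe as the acting process; a DLL dropped into the FORMS directory by another process is a different (and louder) signal that belongs in a separate rule. The registry rule fires on either the key shape or on value data that points into the cache, so a renamed or relocated registration still trips the second condition.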
The researchers plan to release a public fork of Ruler containing the PoC exploit code for CVE-2024-21378; a pull request to the original repository will be submitted soon.
In response to the discovery of CVE-2024-21378, Microsoft has released patches that mitigate the vulnerability. Microsoft has also published guidance on detecting and remediating abuse of Outlook rules and forms, giving defensive teams the tools they need to protect their organizations.