In February 2024, Microsoft released a patch for CVE-2024-21378, a vulnerability in Microsoft Outlook that allowed an attacker to execute arbitrary code on the user's computer when the user opened a malicious email. The vulnerability was reported by Nick Landers with NetSPI.
A month later, NetSPI published an analysis that detailed this vulnerability and provided a proof-of-concept to demonstrate how an attacker could exploit an Exchange server to achieve arbitrary code execution.
The Vulnerability
The vulnerability affects Outlook custom forms. These forms provide advanced users with a way to modify existing form templates (email, appointment, note, etc.) or create new ones from scratch.
Long story short, a malicious Outlook form could be installed on an Exchange server and automatically downloaded to the user's Outlook by a carefully crafted email message. Upon download, the malicious form would register a DLL delivered together with the form as an in-process server (an InprocServer32 registration) to achieve its automatic execution. Outlook developers were apparently aware of this trick and implemented a security check to prevent Outlook forms from creating a new relative InprocServer32 registry path; NetSPI researchers were able to bypass that check by providing an absolute registry path instead.
NetSPI also added support for this vulnerability to SensePost's tool Ruler. If the attacker was able to capture the user's Device Code authentication token, they could remotely authenticate to an Exchange server and upload their custom form with the executable/DLL. Outlook automatically syncs with the Exchange server, so all the attacker would need to do to trigger the exploit was to send the user an email using the malicious form. When the user opened such an email, the vulnerability would get triggered and the attacker's code would start executing in the user's Outlook.exe process.
Microsoft’s Patch
Microsoft patched this issue by removing the branch of code that parses and processes absolute registry paths, so it’s no longer possible to bypass the deny-list that blocks InprocServer32 and other similar keywords.
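To make the bypass class concrete, the following is an added Python model of the check described in "The Vulnerability" and of the fix described above. It is illustrative code written for this page, not Outlook's actual code or Microsoft's patch: the function names, the hive-prefix list, the deny-list entries other than InprocServer32, and the sample registry paths are all assumptions. The vulnerable version inspects only relative paths, so an absolute path to the same key is never compared against the deny-list; the patched version drops the absolute-path branch entirely, which mirrors the described fix.

```python
import re

# Keywords an Outlook form must never create under its registry subtree.
# Assumed list: the post names InprocServer32 and "other similar keywords".
DENY_LIST = {"inprocserver32", "localserver32", "inprochandler32"}

# Hive prefixes that mark a registry path as absolute (assumed set).
HIVE_PREFIXES = (
    "HKEY_CURRENT_USER\\", "HKCU\\",
    "HKEY_LOCAL_MACHINE\\", "HKLM\\",
    "HKEY_CLASSES_ROOT\\", "HKCR\\",
)


def is_absolute(path: str) -> bool:
    """True if the path starts with a registry hive name (case-insensitive)."""
    return path.upper().startswith(tuple(p.upper() for p in HIVE_PREFIXES))


def components(path: str) -> list:
    """Split a registry path into key names, tolerating / and repeated \\."""
    return [c for c in re.split(r"[\\/]+", path.strip()) if c]


def hits_deny_list(path: str) -> bool:
    """True if any key name in the path matches a blocked keyword."""
    return any(c.lower() in DENY_LIST for c in components(path))


def vulnerable_check(path: str) -> bool:
    """Modelled pre-patch logic. Returns True if the form's write is allowed.

    Only relative paths are compared against the deny-list; absolute paths are
    handed to a separate parsing branch that performs no such comparison, so
    an absolute path ending in InprocServer32 is allowed.
    """
    if is_absolute(path):
        return True  # the unguarded absolute-path branch
    return not hits_deny_list(path)


def patched_check(path: str) -> bool:
    """Modelled post-patch logic. Returns True if the form's write is allowed.

    The absolute-path branch is gone, so absolute paths are rejected outright;
    relative paths still pass through the deny-list.
    """
    if is_absolute(path):
        return False
    return not hits_deny_list(path)


def audit(writes, check) -> dict:
    """Apply a policy to a list of requested registry writes.

    Returns {path: allowed} so a reviewer can see which writes a form would
    have been able to perform under each policy.
    """
    return {w: check(w) for w in writes}


# Constructed sample writes a custom form might request (placeholder CLSID).
SAMPLE_WRITES = [
    "CLSID\\{00000000-0000-0000-0000-000000000000}\\InprocServer32",
    "HKCU\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InprocServer32",
    "Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\ProgID",
]

if __name__ == "__main__":
    for name, policy in (("vulnerable", vulnerable_check), ("patched", patched_check)):
        print(name)
        for path, allowed in audit(SAMPLE_WRITES, policy).items():
            print("  ", "ALLOW" if allowed else "BLOCK", path)
```

Running the block shows the second sample write (the absolute path) as ALLOW under the vulnerable policy and BLOCK under the patched one, while the benign ProgID write stays allowed under both. The general lesson for anyone writing a similar deny-list is that the comparison must run on a canonical form of every path that can reach the registry, not only on the one syntax the author expected.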
Our Patch
While Microsoft provided an official patch for supported Office versions, many users are still running Office 2010 and 2013, which we have security-adopted. We confirmed that this issue also affects both of these Office versions, and therefore created a patch for them.
Our patch is logically identical to Microsoft's, bypassing the vulnerable code using a single JMP instruction.
The following video demonstrates our patch with Outlook 2013. Initially, 0patch is disabled and the attacker's malicious email is already waiting in the user's inbox to be opened. As soon as the user clicks on the email, the attacker's code gets executed. In contrast, with 0patch enabled, opening the malicious email results in an error message, and the attacker's code does not get executed.
Micropatch Availability
Micropatches were written for the following versions of Microsoft Office with all available updates installed:
- Office 2010 (PRO or Enterprise license required)
- Office 2013 (PRO or Enterprise license required)
Micropatches have already been distributed to, and applied on all computers with registered and licensed 0patch Agents, unless Enterprise group settings prevent that.
Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers – and you won't even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.
We would like to thank Nick Landers and Rich Wolferd with NetSPI for sharing details and the proof-of-concept, which made it possible for us to create a micropatch for this issue.
To learn more about 0patch, please visit our Help Center.