CVE-2024-21413 Project: Exploiting Microsoft Outlook’s Vulnerability — A Comprehensive Penetration Testing Guide and Walkthrough
A Complete Guide to Exploiting and Defending Against CVE-2024-21413
In today’s cyber world, vulnerabilities like CVE-2024-21413 pose serious risks by exposing sensitive systems. This guide explains how to identify, exploit, and most importantly, protect against CVE-2024-21413.
· CVE-2024-21413 is rated critical because it lets a remote attacker steal sensitive information, such as NTLM credentials, and take control of a computer from a distance (Remote Code Execution, RCE), so it requires immediate attention. Weaknesses of this kind can lead to major damage, so they need to be dealt with right away.
· The 9.8 CVSS score was given for several reasons:
· Remote Code Execution (RCE): This vulnerability allows attackers to run harmful code on the victim’s computer without needing to be physically present. This is one of the most severe types of attack.
· Low Attack Complexity: The attack is easy to perform. The attacker only needs to send a malicious link in an email, and the victim may click on it. It doesn’t require advanced skills.
· User Interaction: The user needs to click the link, but most users don’t suspect links in emails they trust, so the attack can work easily.
· Impact: The attack is very serious because it can result in both credential theft (NTLM credentials) and execution of harmful code, giving the attacker full control over the victim’s system.
· Exploitation in the Wild: This vulnerability is a zero-day, meaning attackers were already using it before it was discovered by security professionals, which makes it even more dangerous.
Step 1: The CVE and Defining the Report Goals
1. What is the CVE?
CVE-2024-21413
On February 13th, 2024, Microsoft announced a vulnerability in Microsoft Outlook, designated CVE-2024-21413, that enables Remote Code Execution (RCE) and the potential leak of user credentials. The flaw was identified by Haifei Li of Check Point Research, and it revolves around how Outlook handles a specific type of hyperlink known as a Moniker Link.
The vulnerability is exploited when an attacker sends an email containing a malicious Moniker Link. If the recipient clicks the link, Outlook unintentionally transmits the user’s NTLM credentials to the attacker. This can result in both credential theft and potential remote code execution on the victim’s system. The root cause is improper handling of URLs in Outlook’s Moniker Link processing, which allows sensitive information to be exposed under certain conditions.
This underscores the need to harden URL handling in applications, especially those that perform user authentication, to prevent unauthorized access and exploitation.
2. What are Monikers?
Moniker Link is a term from the OLE (Object Linking and Embedding) system in Windows, which lets different applications link and embed objects or resources, such as files or documents, in a flexible way. A Moniker Link is a special type of link that identifies and connects to an object or resource, making it possible for applications to locate and use it easily.
Monikers act like handles or references that point to a specific resource, enabling applications to retrieve or interact with it. The Moniker system also supports asynchronous binding, which is useful when accessing resources over slower networks.
In practice a Moniker Link works like a shortcut: it helps programs find and open things such as documents or applications. The problem in this case is that Outlook does not handle the link correctly, so following it can send the wrong information, such as the user’s credentials, to an attacker without the user knowing.
3. Goals of the Report
· Provide a detailed description of the vulnerability.
· Assess the potential impact: Identify the affected systems and explore the consequences of an exploit.
· Offer fixes and recommendations: Outline strategies to remediate the vulnerability and propose measures to prevent future occurrences.
Step 2: Collecting Information About the Vulnerability
1. Important questions to ask:
· How does the vulnerability function?
· Has this vulnerability been used in real-world attacks?
· What systems and software versions are impacted by this vulnerability?
· What are the specific techniques attackers use to exploit this vulnerability?
· What can be done to prevent such vulnerabilities in the future?
2. Where to find information?
· Microsoft: Detailed information about URL Monikers, their role in the OLE architecture, and security updates related to CVE-2024-21413 can be found in Microsoft’s official documentation:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413
https://learn.microsoft.com/en-us/windows/win32/com/url-monikers
· NVD (National Vulnerability Database): Provides official details about the vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2024-21413
· Checkpoint: Research articles discussing the risks associated with the Moniker Link vulnerability in Microsoft Outlook, available here:
https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/
· CVE.org: The official CVE record provides an overview and public disclosure information
https://www.cve.org/CVERecord?id=CVE-2024-21413
· GitHub Insights and Resources: Technical breakdowns, and repositories concerning the vulnerability:
https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
· CERT-EU: Security advisories related to CVE-2024–21413 are available through CERT-EU
https://cert.europa.eu/publications/security-advisories/2024-019/
· SOCRadar.io: Provides insights into the real-world exploitation of the vulnerability, including its sale on hacker forums
· BleepingComputer.com: This site covers real-world NTLM hash-stealing attacks using Microsoft Outlook vulnerabilities and provides additional context for how such vulnerabilities have been used in phishing attacks
· Proofpoint.com: Offers easier-to-understand details about the attack chain described in this report:
https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft
3. Tools used:
· Nmap: I chose Nmap because it is an effective tool for scanning networks and identifying open services.
· Responder: A tool for capturing NTLM credentials when the target tries to access network resources.
Both tools suit this test: Nmap reveals services that attackers might target, and Responder captures the credentials that the exploit causes the victim’s machine to send.
Step 3: Analyzing the Data
1. How does the vulnerability work?
CVE-2024–21413, known as the Moniker Link vulnerability, is particularly dangerous because it bypasses the Office Protected View feature. Protected View is designed to open potentially unsafe files in a secure, read-only environment, preventing them from affecting the system. However, by exploiting this vulnerability, attackers can bypass these protections, allowing unauthorized access to sensitive information or even taking control of the victim’s system.
2. What systems are affected?
The vulnerability affects versions of Moniker Link prior to 2.5.0. If attackers successfully exploit the flaw, they can take over the affected system, steal data, or even disable the system entirely.
3. Which software versions are vulnerable?
Multiple versions of Microsoft Outlook are affected by this vulnerability, including:
· Microsoft Office 2016
· Microsoft Office 2019
· Microsoft Office 2021
· Microsoft 365 Apps
Both 32-bit and 64-bit editions of these software versions are vulnerable.
Step 4: Demonstrating How the Attack Works
1. Setting up a vulnerable environment: a Windows 10 virtual machine in VMware with Office 2021 installed serves as the target, and a Kali Linux machine serves as the attacker.
Target IP — 192.168.19.11
Attacker IP — 192.168.19.12
2. Scanning for open ports using Nmap
nmap -p- -sV <Target_IP>
Findings:
The Nmap scan conducted on IP address 192.168.19.11 revealed several open ports and services running on the system, indicating that it is active and reachable. The system appears to be a Windows machine, possibly running in a virtual environment, and has various Microsoft services running.
Open Ports and Services:
1. Port 80 (HTTP):
· Service: Microsoft IIS HTTPD 10.0.
· Details: This port is used for HTTP communication. The system is running Microsoft IIS 10.0, a web server platform that could be hosting websites or applications.
2. Port 1801 (MSMQ):
· Service: Microsoft Message Queuing (MSMQ).
· Details: MSMQ is used for message-based communication between applications. It helps ensure the delivery of messages in distributed systems.
3. Ports 2103, 2105, 2107 (RPC):
· Service: Microsoft Windows RPC.
· Details: These ports are related to Microsoft’s Remote Procedure Call (RPC) services, which are used for communication between programs running on different computers in a network.
4. Port 5357 (HTTPAPI):
· Service: Microsoft HTTPAPI HTTPD 2.0 (SSDP/UPnP).
· Details: This port is used for Simple Service Discovery Protocol (SSDP) and Universal Plug and Play (UPnP), allowing devices to discover each other on the network.
5. Port 7680:
· Service: Pandora Pub.
· Details: This is a less common service. It may be a custom application running on the system.
6. Port 49666 (RPC):
· Service: Microsoft Windows RPC.
· Details: This port is also associated with RPC services.
Operating System and Environment:
· Operating System: The scan suggests that the system is running Microsoft Windows based on the open services.
· Virtual Machine: The MAC address (00:0C:29:66:E5:5F) indicates that the system is likely a VMware virtual machine.
Conclusion:
The system at IP 192.168.19.11 is a Windows machine running a variety of Microsoft services, including IIS for web hosting, MSMQ for messaging, and multiple RPC services. The presence of UPnP services and a custom service on port 7680 indicates the system may also be used for device discovery or other specific functions.
3. Scanning for vulnerabilities
nmap --script vuln <Target_IP>
Findings:
The Nmap scan for the system at 192.168.19.11 revealed several open ports and services running on the system. No major vulnerabilities were detected in the HTTP service. The scan suggests the system is running on a VMware virtual machine, based on the MAC address.
Open Ports and Services:
Port 80 (HTTP):
· Service: HTTP.
· Vulnerability Check:
· No CSRF vulnerabilities found: Cross-Site Request Forgery (CSRF) checks were done, and no issues were detected.
· No DOM-based XSS vulnerabilities found: The system was checked for Cross-Site Scripting (XSS) vulnerabilities related to the DOM, and no problems were found.
· No stored XSS vulnerabilities found: The scan also checked for stored XSS vulnerabilities, and none were detected.
Port 1801 (MSMQ):
· Service: Microsoft Message Queuing (MSMQ).
· Details: This service allows messages to be queued and handled by the system, ensuring communication between different systems or components.
Port 2103 (Zephyr-CLT):
· Service: Zephyr-Client.
· Details: This port is associated with the Zephyr client, a tool often used in distributed systems.
Port 2105 (Eklogin):
· Service: Eklogin.
· Details: This port is likely used for authentication or secure login-related services.
Port 2107 (MSMQ Management):
· Service: MSMQ Management.
· Details: This port is used to manage Microsoft Message Queuing (MSMQ), allowing administrators to control the message queue services.
Port 5357 (WS-Discovery):
· Service: WS-Discovery (WSDAPI).
· Details: This port is used for device discovery via Web Services Dynamic Discovery (WS-Discovery), allowing devices on the same network to locate each other.
Additional Information:
· MAC Address: The MAC address 00:0C:29:6E:55 indicates that the system is likely a VMware virtual machine.
Conclusion:
The scan of the IP 192.168.19.11 shows that the system is running a number of Microsoft-related services, such as MSMQ and WS-Discovery. There are no major vulnerabilities detected in the HTTP service, including no CSRF or XSS issues. Overall, the system seems to be functioning correctly without significant security issues based on this scan.
4. Advanced vulnerability scan (using the vulners NSE script from the nmap-vulners project)
sudo nmap --script vulners -sV <Target_IP>
Findings:
The Nmap scan conducted on 192.168.19.11 shows that the host is online and has several open ports and services running. The system appears to be running in a VMware virtual environment, based on the MAC address.
Open Ports and Services:
Port 80 (HTTP):
· Service: HTTP.
· Details: The system is running a web server on this port, which allows communication over HTTP.
1. Port 1801 (MSMQ):
· Service: Microsoft Message Queuing (MSMQ).
· Details: This service allows the system to queue and process messages for distributed applications.
Port 2103 (Zephyr-CLT):
· Service: Zephyr Client.
· Details: This port is likely being used for communication by a Zephyr client, which is often used in distributed systems.
Port 2105 (Eklogin):
· Service: Eklogin.
· Details: This port is related to authentication or secure login functionality.
2. Port 2107 (MSMQ Management):
· Service: Microsoft Message Queuing Management.
· Details: This service allows the system to manage its MSMQ queues and settings.
3. Port 5357 (WSDAPI):
· Service: Web Services on Devices API (WSDAPI).
· Details: This port is used for device discovery via web services, allowing other devices on the network to find and communicate with this system.
Additional Information:
· MAC Address: The MAC address 00:0C:29:6E:55 suggests the system is running in a VMware virtual machine.
Conclusion:
The system at 192.168.19.11 is running several services, including a web server, message queuing services, and device discovery services. These open ports indicate that the system is actively communicating on the network and running various Microsoft services. The scan did not reveal any immediate vulnerabilities.
The open ports I found, such as port 80 (HTTP) and port 1801 (MSMQ), indicate potential risks. For example, port 80 suggests the machine is running a web server, which could be exploited. Port 1801 shows that Microsoft Message Queuing (MSMQ) is in use, which might allow attackers to interfere with message delivery between systems. These services represent possible entry points for attackers.
5. Demonstrating the exploit
To demonstrate how CVE-2024-21413 works, we create a scenario in which the attacker sends a malicious link (Moniker Link) to the target by email. The target receives the email and may click the link; if they do, their system is exposed to the attacker.
· What we want to achieve: The main goal is to send an email with a dangerous link to the victim. When they click the link, their system sends important details (such as their NTLM credentials) to the attacker’s machine. The attacker can then use these credentials to steal information or even take control of the target’s computer.
· Crafting the malicious email: Create an email that contains a Moniker Link, a type of link that Outlook does not handle properly. The email looks normal, but the link inside it is harmful.
· Making the link dangerous: The Moniker Link points at a resource on a server the attacker controls. When the target’s Outlook follows it, the system tries to reach that resource and sends back sensitive data, such as the user’s login credentials.
· Social engineering: The attacker words the email so that the target believes it is safe to click.
· Sending the email to the target: Once the email is ready, the attacker sends it to the target (the machine with IP address 192.168.19.11).
Tools used for the exploit:
· Outlook Email Client: The victim receives the malicious email in Microsoft Outlook, which is vulnerable to this attack if it has not been updated.
· Responder on the attacker’s machine: The attacker runs Responder to listen for responses from the target. Responder captures NTLM credentials when the target’s system sends them.
6. After sending the email: run Responder on the attacker’s machine (Kali Linux) to listen for credentials from the victim’s machine.
sudo responder -I eth0
Step 5: Verifying the Exploit Works
Capturing the Credentials
Now that Responder is running, it is ready to capture credentials from the victim’s machine (192.168.19.11).
When the victim clicks the malicious link in the email, their computer tries to access the file on the attacker’s machine (192.168.19.12). Because the system cannot find the file, it automatically sends the user’s login credentials (NTLM credentials) to the attacker’s machine.
A Windows Security login prompt appears on the victim’s machine, asking for a username and password to access the file behind the link. This happens because the victim’s computer is trying to connect to the resource on the attacker’s server (192.168.19.12), and the system asks for credentials.
What does this mean?
It means that the victim’s system recognized the link that was sent and is trying to connect. If the victim now enters their username and password, those credentials are sent to the attacker’s machine, and Responder captures them.
Responder has successfully captured the victim’s credentials (NTLMv2 hash). The screenshot shows that the user victim898@outlook.com entered their details and the NTLMv2 hash was captured.
Wireshark
The SMB authentication response from the victim to the server includes a truncated NetNTLMv2 hash, visible in the packet capture.
Step 6: Cracking the NetNTLMv2 Hash
Cracking the hash with John the Ripper
During the password cracking process for the captured NTLMv2 hash, multiple tools were utilized to attempt recovery of the plaintext password. The process began by capturing the hash using Responder, followed by efforts to crack the hash with Hashcat and a wordlist. After several attempts with different rules and configurations, the final successful cracking was achieved using John the Ripper. The wordlist used for the cracking attempt was Rockyou, and the recovered password was Toli2027.
Step 7: Has CVE-2024-21413 Been Exploited in Real-World Attacks?
In recent years, there have been several attacks in the Middle East targeting Microsoft Outlook users to steal NTLM Hashes. One example is the TA577 group, which used phishing emails to steal these credentials. They sent emails that appeared like replies to existing conversations, but included malicious HTML files or meeting invitations. These files directed the victim’s machine to an SMB server controlled by the attacker, allowing them to steal the NTLM Hash without the user noticing.
Additionally, attackers have also used URI handlers in phishing emails to automatically connect victims to malicious servers, further exposing NTLM hashes. These attacks pose a serious threat, especially to organizations relying on Outlook for communication.
It has been discovered that a 0-day exploit for CVE-2024-21413 is being sold on hacker forums for $150,000, highlighting the exploit’s potential for real-world impact. This underscores the critical nature of this vulnerability and the importance of addressing it immediately to prevent unauthorized access and potential data breaches.
CVE-2024-21413 is classified as a zero-day vulnerability, indicating that malicious actors actively exploited it in the wild before the vendor became aware of it. Attackers may already have leveraged this vulnerability to launch targeted attacks against unsuspecting users. Given the severity of the risk, users must remain vigilant and take immediate action to mitigate the threat.
Step 8: Fixes and Recommendations
- Updating to the latest version: Install the latest version of Moniker Link (2.5.0 or newer), which fixes the problem.
- Adding a Web Application Firewall (WAF) for extra protection: A WAF can provide an additional layer of defense against attacks that use malicious links like the one in CVE-2024-21413. It analyzes incoming traffic to the server and blocks anything that looks dangerous or unauthorized. In the case of malicious Moniker Links, a WAF can detect and alert on attempts to send sensitive information, such as NTLM credentials, before it reaches the attacker’s server.
- Implementing a YARA rule: the YARA rule created by Florian Roth detects emails that contain the file element in the Moniker Link.
Using such a rule helps detect dangerous emails with harmful links before they cause damage, protecting your team from further attacks. Moniker Links are sometimes used in cyberattacks to execute malicious code on a target machine.
If an email includes this kind of link, the YARA rule can alert security teams to the potential danger, helping them defend against the attack.
This shows how YARA rules can help detect and prevent security threats in emails and other documents.
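As an added defensive example (not code from this post or from Florian Roth’s rule), the Python script below applies the same idea as the YARA rule above and the scenario in Step 4: it parses an email and flags any HTML hyperlink whose target is a remote file:// or UNC path, the file element that makes the victim’s machine connect to a foreign SMB server. The sample message, addresses and hostnames in it are constructed for the example.

```python
"""Flag e-mails whose HTML body links to a remote file:// or UNC target.

Added example for this write-up; not the post's own tooling. The sample
message at the bottom is constructed, not a real capture.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Targets on the local machine cannot leak credentials to a third party.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


class _LinkCollector(HTMLParser):
    """Collect href values from <a> tags and src values from <img> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in (("a", "href"), ("img", "src")):
                self.links.append(value.strip())


def remote_file_host(link):
    """Return the remote host a link would contact over file://, or None.

    Handles the two forms Windows resolves to an SMB connection:
    file://<host>/<share>/... and the raw UNC path \\\\<host>\\<share>\\...
    """
    link = unquote(link)
    if link.startswith("\\\\"):
        host = link[2:].split("\\", 1)[0].lower()
        return None if host in LOCAL_HOSTS else host
    parts = urlsplit(link)
    if parts.scheme.lower() != "file":
        return None
    host = (parts.hostname or "").lower()
    return None if host in LOCAL_HOSTS else host


def scan_eml(raw):
    """Parse a raw RFC 5322 message; return [(host, link)] for risky links."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_content())
        for link in collector.links:
            host = remote_file_host(link)
            if host:
                findings.append((host, link))
    return findings


# Constructed sample message; the link target is the lab's attacker address.
SAMPLE_EML = """\
From: sender@example.test
To: victim898@outlook.com
Subject: Updated report
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached report.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the
<a href="file://192.168.19.12/share/report.docx">updated report</a>
and our <a href="https://www.example.test/">website</a>.</p></body></html>
--b1--
"""

if __name__ == "__main__":
    for host, link in scan_eml(SAMPLE_EML):
        print(f"ALERT: link to remote file share {host}: {link}")
```

Run it over exported .eml files from a mail gateway quarantine; an HTTPS link is ignored while any link that would make Outlook open a path on another host is reported.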
- Employee training: Teach employees to recognize and avoid suspicious emails and links.
o Exercising caution when clicking on hyperlinks, especially in unsolicited or suspicious emails.
o Employing robust email security solutions capable of detecting and blocking malicious content.
o Educating users about cybersecurity best practices and raising awareness of the zero-day vulnerability.
Step 9: Explaining the Thought Process
1. How did I collect the information?
I gathered details about the CVE-2024-21413 vulnerability by using trusted sources such as the National Vulnerability Database (NVD), Microsoft’s official documentation, and security blogs. Additionally, I reviewed discussions on GitHub to see how other security professionals analyzed and handled this vulnerability in real-world scenarios.
I chose to set up the vulnerable environment with a Windows virtual machine running Outlook, based on the fact that CVE-2024-21413 targets this software specifically. Understanding how Moniker Links work helped me design the test to capture NTLM credentials through a phishing email, which is a common real-world attack scenario.
2. How did I analyze the data?
I analyzed how Moniker Links can be used to capture NTLM credentials stealthily. During my tests in a virtual environment, I used Nmap and Responder to identify open ports and capture credentials. This practical testing gave me a better understanding of how the vulnerability can be exploited and how attackers might use it to infiltrate systems.
3. How did I come to my conclusions?
After thoroughly researching and conducting hands-on experiments, I concluded that updating software to the latest versions is the most effective way to protect against this vulnerability. Additionally, I identified that implementing extra measures, such as a Web Application Firewall (WAF) and improving input validation, could prevent similar attacks in the future. My conclusions were based on both the research I conducted and my personal observations during the tests.
Step 10: Conclusions and Summary
Through this project, I learned how critical vulnerabilities like CVE-2024-21413 can be when attackers use malicious email links to steal sensitive information.
I also realized the importance of regularly updating software to close security gaps, as outdated systems are more vulnerable to exploitation.
Lastly, the practical experience using tools such as Nmap and Responder provided me with deeper insight into vulnerability scanning and credential capturing, which are valuable skills for both attacking and defending systems.
The combination of tools like Nmap and Responder helped me understand how vulnerable services can expose systems to credential theft. By using these tools, I was able to see how attackers might exploit CVE-2024–21413 to gain unauthorized access to sensitive data.