Security researchers at Akamai are sharing details on multiple bypasses for patches Microsoft released for an Outlook zero-click remote code execution vulnerability earlier this year.
An unauthenticated attacker could exploit the issue by sending an email reminder containing a sound notification specified as a path, coercing the Outlook client into connecting to the attacker’s server, which resulted in the Net-NTLMv2 hash being sent to the server.
No user interaction was required for exploitation, as the bug was triggered immediately when the email was received and processed by the server. Microsoft resolved it with a call to an API function that would check the path to ensure it was not referring to an internet URL.
The called function, however, could be tricked into treating a remote path is a local one, by including a crafted URL in the email. Discovered by Akamai and tracked as CVE-2023-29324, the bypass was fixed by Microsoft in May.
The CVE-2023-29324 flaw, however, is only one of the bypasses that Akamai identified while researching the Outlook zero-click vulnerability.
The second one, tracked as CVE-2023-35384 and addressed by Microsoft with the August 2023 patches, is a path type confusion that can be exploited via crafted URLs, but which does require user interaction.
“An attacker can craft a malicious file or send a malicious URL that would evade Security Zone tagging, resulting in a limited loss of integrity and availability of security features utilized by browsers and some custom applications,” Microsoft said in its advisory.
In October, the tech giant patched another vulnerability related to this Outlook attack vector, this time one rooted in the parsing of sound files on Windows.
Tracked as CVE-2023-36710, the issue is an integer overflow bug in Audio Compression Manager (ACM), the code that handles cases where the codec in a WAV file needs to be decoded by a custom decoder. The codecs are handled by drivers similar in function to kernel-mode drivers, but which are registered through the ACM.
The security defect was identified in the mapWavePrepareHeader function in the ACM manager, Akamai notes in a technical write up.
Because the function performs no check of overflows when adding bytes to the destination buffer’s size, an attacker can trigger the allocation of a very small buffer, causing two out-of-bounds writes.
“We managed to trigger the vulnerability using the IMA ADP codec. The file size is approximately 1.8 GB. By performing the math limit operation on the calculation we can conclude that the smallest possible file size with IMA ADP codec is 1 GB,” according to Akamai’s documentation.
According to Akamai, an attacker could successfully exploit this vulnerability in the context of the Outlook client or another instant messaging application to achieve remote code execution without user interaction.
“As of now, the attack surface in Outlook that we researched still exists, and new vulnerabilities can be found and exploited. Although Microsoft patched Exchange to drop mails containing the PidLidReminderFileParameter property, we can not rule out the possibility of bypassing this mitigation,” Akamai concludes.