Security researchers at Akamai are sharing details on multiple bypasses for patches Microsoft released for an Outlook zero-click remote code execution vulnerability earlier this year.
The original issue, tracked as CVE-2023-23397, was patched by Microsoft in March 2023 after a Russian state-sponsored threat actor had been exploiting it in the wild for roughly a year.
An unauthenticated attacker could exploit the issue by sending an email reminder containing a sound notification specified as a path, coercing the Outlook client into connecting to the attacker's server, which resulted in the Net-NTLMv2 hash being sent to the server.
No user interaction was required for exploitation, as the bug was triggered immediately when the email was received and processed by the server.
Microsoft resolved it with a call to an API function that would check the path to ensure it was not referring to an internet URL. The called function could be tricked into treating a remote path is a local one, by including a crafted URL in the email.
Discovered by Akamai and tracked as CVE-2023-29324, the bypass was fixed by Microsoft in May. The CVE-2023-29324 flaw is only one of the bypasses that Akamai identified while researching the Outlook zero-click vulnerability.
The second one, tracked as CVE-2023-35384 and addressed by Microsoft with the August 2023 patches, is a path type confusion that can be exploited via crafted URLs, but which does require user interaction.
In October, the tech giant patched another vulnerability related to this Outlook attack vector, this time one rooted in the parsing of sound files on Windows.
Tracked as CVE-2023-36710, the issue is an integer overflow bug in Audio Compression Manager, the code that handles cases where the codec in a WAV file needs to be decoded by a custom decoder.
The codecs are handled by drivers similar in function to kernel-mode drivers, but which are registered through the ACM. The security defect was identified in the mapWavePrepareHeader function in the ACM manager, Akamai notes in a technical write up.
Because the function performs no check of overflows when adding bytes to the destination buffer's size, an attacker can trigger the allocation of a very small buffer, causing two out-of-bounds writes.
According to Akamai, an attacker could successfully exploit this vulnerability in the context of the Outlook client or another instant messaging application to achieve remote code execution without user interaction.
This Cyber News was published on www.securityweek.com. Publication date: Tue, 19 Dec 2023 21:13:04 +0000