Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-16947 PoC — Microsoft Outlook Remote Code Execution Vulnerability

Source
https://github.com/0neb1n/CVE-2020-16947
Associated Vulnerability
Title:Microsoft Outlook Remote Code Execution Vulnerability (CVE-2020-16947)
Description:<p>A remote code execution vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the targeted user. If the targeted user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p> <p>Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.</p> <p>Note that where severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector.</p> <p>The security update addresses the vulnerability by correcting how Outlook handles objects in memory.</p>
Description
PoC of CVE-2020-16947 (Microsoft Outlook RCE vulnerablility)
Readme
# CVE-2020-16947

This vulnerability occurs in Outlook 2019 (16.0.13231.20262) installed on Windows 10 1909 x64


## TLDR;

I found this bug using winafl fuzzer. This bug occured when parsing html contents. 
if attacker successfully executes this exploit, it can lead to remote command execution.

## Details

```
0:000> r
rax=0000000000000000 rbx=0000021c99ce9eb0 rcx=0000021c99ce9eb0
rdx=00000046c07f8a30 rsi=0000021cc85ac000 rdi=00000000ffffe000
rip=00007ffe69012f5b rsp=00000046c07f89f0 rbp=00000046c07f8a69
 r8=00000046c07f8a28  r9=0000000000000041 r10=00007de1cf5e3124
r11=0000000000000000 r12=00000046c07f8b00 r13=0000021c99ce9f1c
r14=0000000000000041 r15=00000000000003b5
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
OLMAPI32!HrGetMessageClassFromContentClassW+0xf80b:
00007ffe`69012f5b 448836          mov     byte ptr [rsi],r14b ds:0000021c`c85ac000=??
0:000> d rsi - 10
0000021c`c85abff0  ff fd ff fd ff fd ff fd-ff fd ff fd ff fd ff 41  ...............A
0000021c`c85ac000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000021c`c85ac010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000021c`c85ac020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000021c`c85ac030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000021c`c85ac040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000021c`c85ac050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0000021c`c85ac060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:000> !heap -p -a rsi
    address 0000021cc85ac000 found in
    _DPH_HEAP_ROOT @ 21ce0331000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                             21ccb3eb000:      21cc85a7ff0             4010 -      21cc85a7000             6000
    00007ffea238825b ntdll!RtlDebugAllocateHeap+0x000000000000003b
    00007ffea22a9745 ntdll!RtlpAllocateHeap+0x00000000000000f5
    00007ffea22a73d4 ntdll!RtlpAllocateHeapInternal+0x00000000000006d4
    00007ffe68c8777d OLMAPI32!MAPIAllocateBuffer+0x00000000000000cd
    00007ffe69012a35 OLMAPI32!HrGetMessageClassFromContentClassW+0x000000000000f2e5
    00007ffe69015d34 OLMAPI32!HrTextFromCompressedRTFStreamEx+0x00000000000023d4
    00007ffe68dcc776 OLMAPI32!RTFSyncCpid+0x0000000000000156
    00007ffe7c3eb532 exsec32!HrExsec32Initialize+0x0000000000005372
    00007ffe7c3e5631 exsec32+0x0000000000005631
    00007ffe68dccc76 OLMAPI32!RTFSyncCpid+0x0000000000000656
    00007ffe68de2ab4 OLMAPI32!HrCreateMHTMLConverter+0x0000000000002634
    00007ffe68dd21a7 OLMAPI32!MlangIsConvertible+0x0000000000004a07
    00007ffe68de299d OLMAPI32!HrCreateMHTMLConverter+0x000000000000251d
    00007ffe7c42748f exsec32!DllUnregisterServer+0x00000000000002bf
    00007ffe7c3eb418 exsec32!HrExsec32Initialize+0x0000000000005258
    00007ffe7c3e5631 exsec32+0x0000000000005631
    00007ffe551703d9 OUTLMIME!MimeOleInetDateToFileTime+0x0000000000025539
    00007ffe551709f9 OUTLMIME!MimeOleInetDateToFileTime+0x0000000000025b59
    00007ffe55174dec OUTLMIME!MimeOleInetDateToFileTime+0x0000000000029f4c
    00007ffe55175279 OUTLMIME!MimeOleInetDateToFileTime+0x000000000002a3d9
    00007ffe55174ebe OUTLMIME!MimeOleInetDateToFileTime+0x000000000002a01e
    00007ffe7c41a8fc exsec32!HrMaxAlgStrength+0x0000000000004cac
    00007ffe7c3eb017 exsec32!HrExsec32Initialize+0x0000000000004e57
    00007ffe7c3ebf23 exsec32!HrExsec32Initialize+0x0000000000005d63
    00007ffe49ac9f47 mso98win32client!Ordinal3621+0x00000000000000e7
    00007ffe49ac9ecd mso98win32client!Ordinal3621+0x000000000000006d
    00007ff7afc43f79 outlook!FEnableAMapProgress+0x000000000002f099
    00007ff7afdb638d outlook!UpdateSharingAccounts+0x000000000007031d
    00007ff7afdc3d85 outlook!IsOutlookOutsideWinMain+0x0000000000003af5
    00007ff7afcf7727 outlook!HrGetDelegatorInfoSync+0x00000000000016e7
    00007ff7afd2a2b0 outlook!GetOutlookSafeModeState+0x000000000000bd00
    00007ff7afd2a14b outlook!GetOutlookSafeModeState+0x000000000000bb9b
```

When copying strings out of the ascii range among html contents, the corresponding string is replaced with 0xfffd. As a result, the size of the copied string doubles, so despite the same size of the src buffer and dst buffer, buffer overflow occurs.
File Snapshot

 [4.0K]  /data/pocs/6b126501fe6eab694e94fa02b007ba842da3bd8f
├── [8.5K]  cve-2020-16947.eml
└── [4.3K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →