Hello Folks,
In this introductory blog, we cover the answers for the “Moniker Link (CVE-2024-21413)” room, which is part of the “Cyber Security 101” learning path. The room covers a critical Remote Code Execution (RCE) and credential-leak vulnerability in Microsoft Outlook. It allows attackers to use malicious Moniker Links in emails to leak NTLM credentials from affected Office versions.
You can access the room by clicking here.
Task 1 Introduction
This task lists the learning objectives and prerequisites for understanding the CVE-2024-21413 vulnerability.
Q 1.1- What “Severity” rating has the CVE been assigned?
A 1.1- Critical
Task 2 Moniker Link (CVE-2024-21413)
In this task, we get an overview of CVE-2024-21413, in which attackers modified Moniker Links with a special character to bypass Outlook’s Protected View security feature.
Q 2.1- What Moniker Link type do we use in the hyperlink?
A 2.1- file://
Q 2.2- What is the special character used to bypass Outlook’s “Protected View”?
A 2.2- !
Task 3 Exploitation
Here, we dive into the exploitation part of this vulnerability, where an intruder crafts an email containing a Moniker Link designed to bypass Outlook’s security feature and capture the netNTLMv2 hash of the user who clicks on it. Adversaries in this scenario can use Responder to capture the hashes.
Q 3.1- What is the name of the application that we use on the AttackBox to capture the user’s hash?
A 3.1- Responder
Q 3.2- What type of hash is captured once the hyperlink in the email has been clicked?
A 3.2- netNTLMV2
Task 4 Detection
To detect exploitation of this vulnerability, a YARA rule was written that matches the “file:\” element of Moniker Links. Sniffing network traffic can also reveal SMB requests from victims that carry truncated netNTLMv2 hashes.
Click me to proceed onto the next task!
No answer needed
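The room’s detection task describes two signals: a YARA rule that matches the “file:\” element of Moniker Links, and SMB requests observed on the wire. As an added example that is not part of the room or of this blog, the Python below applies the first idea to raw email content: it parses a message, pulls the text parts, and flags `file://` (or `file:\\`) hyperlinks, marking those that also contain the “!” character from Task 2 as higher priority. The two sample messages, the `example.invalid` addresses and the TEST-NET host in the link are constructed for this illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages for the illustration (not real captures).
BENIGN_EML = """From: it-team@example.invalid
To: user@example.invalid
Subject: Quarterly report
Content-Type: text/html; charset="utf-8"

<html><body>See <a href="https://intranet.example.invalid/report">the report</a>.</body></html>
"""

SUSPICIOUS_EML = """From: sender@example.invalid
To: user@example.invalid
Subject: Invoice
Content-Type: text/html; charset="utf-8"

<html><body><a href="file://198.51.100.5/share/invoice.rtf!placeholder">Open invoice</a></body></html>
"""

# Matches a file: Moniker Link in either URL form ("file://") or UNC-style
# form ("file:\\"), running until whitespace, a quote or an angle bracket.
MONIKER_RE = re.compile(r'file:(?://|\\\\)[^\s"\'<>]+', re.IGNORECASE)


def extract_body_text(msg: Message) -> str:
    """Concatenate the decoded text/* parts of a parsed email."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def find_moniker_links(raw_eml: str) -> list[dict]:
    """Return every file: Moniker Link in the message body.

    Each finding records the link and whether it contains the "!" character
    that the room identifies as the Protected View bypass sequence.
    """
    msg = message_from_string(raw_eml)
    findings = []
    for match in MONIKER_RE.finditer(extract_body_text(msg)):
        link = match.group(0)
        findings.append({"link": link, "protected_view_bypass": "!" in link})
    return findings


def classify(raw_eml: str) -> str:
    """Summarise a message as clean, review or suspicious for triage."""
    findings = find_moniker_links(raw_eml)
    if not findings:
        return "clean"
    if any(f["protected_view_bypass"] for f in findings):
        return "suspicious: file: moniker link with '!' bypass sequence"
    return "review: file: moniker link present"


if __name__ == "__main__":
    for name, eml in (("benign", BENIGN_EML), ("suspicious", SUSPICIOUS_EML)):
        print(name, "->", classify(eml))
        for finding in find_moniker_links(eml):
            print("   ", finding)
```

A plain `file://` link is only marked for review, since legitimate mail can reference internal shares; the “!” combination is what escalates a message to suspicious. This content-side check complements the network-side signal the room mentions: outbound SMB connections from user workstations to hosts outside the organisation are worth alerting on regardless of how the link was delivered.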
Task 5 Remediation
This section discusses the mitigation steps Microsoft took immediately in February’s “Patch Tuesday”; users were also advised not to click on unsolicited links without previewing them first.
Click me to proceed onto the next task.
No answer needed
Task 6 Conclusion
Mischief managed.
No answer needed
You can check out our other blogs here.
Happy Pentesting!!!
Team CyberiumX