# Full Report
Ruler has become a go-to tool for us on external engagements, easily turning compromised mailbox credentials into shells. This has resulted in security being pushed forward and Microsoft responding with patches for the two vectors used in Ruler, namely rules and forms. These were patched with KB3191938 and KB4011091 respectively. This puts us back into the cat and mouse game of attack versus defence, with attack needing to find a new vector. Turns out the rule of three holds true, and where two vulnerabilities lurk, a third surely exists.
# Analysis Summary
# Vulnerability: Outlook Home Page Remote Code Execution via Custom Views
## CVE Details
- CVE ID: **CVE-2017-11774** (Inferred from the referenced patch KB4011162, which historically addresses this vulnerability)
- CVSS Score: *Not explicitly provided in the text, but the impact suggests **High** severity.*
- CWE: CWE-94 (Improper Control of Generation of Code ('Code Injection')) is the likely classification, given that arbitrary VBScript/JScript is executed via ActiveX in a trusted application context.
## Affected Systems
- Products: **Microsoft Outlook** (Vulnerable component: Outlook Home Page feature)
- Versions: Specific versions are not listed, but the context implies versions affected prior to the application of the linked KBs.
- Configurations: Any Outlook configuration where the "Home Page" feature for a folder is configured to point to a remote HTTP/HTTPS URL.
## Vulnerability Description
The vulnerability resides in the legacy **Outlook Home Page** feature, which allows administrators or users to set a custom URL to be displayed as the default view for any folder within Outlook. When this custom URL is loaded, the content is rendered by `ieframe.dll`, so Internet Explorer's security zones apply. Crucially, the feature allows the page to interact with Outlook-specific ActiveX controls (such as `OutlookViewCtl`).
By embedding VBScript/JScript in the custom HTML page, an attacker can bypass initial IE sandbox restrictions by directly referencing the embedded Outlook ActiveX control object (`ViewCtl1`). This control allows the attacker to obtain a reference to the main Outlook Application object (`ViewCtl1.OutlookApplication`). From there, the attacker can utilize the Application object's `CreateObject` method to instantiate dangerous automation objects like `Wscript.Shell`, achieving **Remote Code Execution (RCE)** within the context of the logged-in user upon viewing the compromised folder.
## Exploitation
- Status: **Exploited in the wild** (it is a vector used in the Ruler tool and the basis for the new attack described).
- Complexity: **Low** (once the methodology is known, the exploit relies on known ways of interacting with Outlook objects after mailbox credentials have been obtained).
- Attack Vector: **Adjacent** (Requires compromised mailbox credentials to set the malicious Home Page configuration/folder structure).
## Impact
- Confidentiality: **High** (Execution within the user's session allows access to all underlying data and system context).
- Integrity: **High** (Arbitrary code execution allows for modification of local files and system state).
- Availability: **Medium/High** (Code execution can lead to system instability or denial of service, depending on the payload).
## Remediation
### Patches
The vendor response addressed the two previously known vectors (Rules and Forms) via KB3191938 and KB4011091. The specific patch resolving the Home Page vector (CVE-2017-11774) is:
- **KB4011162** (This patch completely removed the 'home page' feature from Outlook).
### Workarounds
1. **Mitigation (Alternative to applying KB4011162):** Ensure the malicious Home Page is not set, or if it is, delete the folder associated with the malicious page configuration.
2. **Defense in Depth:** Deploy Multi-Factor Authentication (MFA)/Two-Factor Authentication (2FA) for all user accounts and enforce strong password policies.
## Detection
- **Indicators of Compromise (IOCs):**
  - Creation or modification of custom "Home Page" settings pointing to external HTTP/S URLs for Outlook folders.
  - Execution of commands via `Wscript.Shell` or creation of other automation objects following Outlook folder navigation.
- **Detection Methods and Tools:**
  - Use **NotRuler** with the configured mailbox list to check for the presence of this homepage persistence method: `./notruler --mailboxes organisationList.txt --username exchadm homepage`
  - Monitor for anomalous process creation originating from an Outlook context, or for processes interacting with Outlook automation interfaces.
## References
- Vendor Advisories: Advisory related to KB4011162 (referenced implicitly)
- Relevant links:
  - Article discussing previous Ruler vectors: hxxps://support.microsoft.com/en-us/help/3191938/descriptionofthesecurityupdateforoutlook2013june13-2017
  - Article discussing disabling custom forms: hxxps://support.office.com/en-us/article/Custom-form-script-is-now-disabled-by-default-bd8ea308-733f-4728-bfcc-d7cce0120e94
  - Tool repository (Ruler): hxxps://github.com/sensepost/ruler
  - Detection tool (NotRuler): hxxps://github.com/sensepost/notruler