Talos Vulnerability Report

TALOS-2024-1972

Microsoft Outlook for macOS library injection vulnerability

August 19, 2024

CVE Number

CVE-2024-42220

SUMMARY

A library injection vulnerability exists in Microsoft Outlook 16.83.3 for macOS. A specially crafted library can leverage Outlook’s access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application’s permissions.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Microsoft Outlook 16.83.3 for macOS

PRODUCT URLS

Outlook - https://www.microsoft.com/en-us/microsoft-365/outlook/

CVSSv3 SCORE

7.1 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-347 - Improper Verification of Cryptographic Signature

DETAILS

Microsoft Outlook is an email client and personal information manager from the Microsoft Office suite that facilitates email communication, calendar scheduling, contact management, task tracking, and note-taking, supporting both individual productivity and collaborative work environments.

Microsoft Outlook loads multiple libraries through relative (@rpath) paths:

$  otool -L "/Applications/Microsoft Outlook.app/Contents/MacOS/Microsoft Outlook"
/Applications/Microsoft Outlook.app/Contents/MacOS/Microsoft Outlook:
        @rpath/OPF.framework/Resources/OPF_Common.dylib (compatibility version 1.0.0, current version 1.0.0)
        @rpath/ADAL4.framework/Versions/A/ADAL4 (compatibility version 0.0.0, current version 0.0.0)
        @rpath/CocoaUI.framework/Versions/A/CocoaUI (compatibility version 0.0.0, current version 0.0.0)
        @rpath/COMBase.framework/Versions/A/COMBase (compatibility version 0.0.0, current version 0.0.0)
        [...]
        @rpath/EditorKit.framework/Versions/A/EditorKit (compatibility version 1.0.0, current version 1.0.0)
        @rpath/EmailRendererKit.framework/Versions/A/EmailRendererKit (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/swift/libswiftAppKit.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/swift/libswiftFoundation.dylib (compatibility version 1.0.0, current version 1.0.0)

In this case the @rpath locations resolve relative to the main executable, /Applications/Microsoft Outlook.app/Contents/MacOS/Microsoft Outlook. Furthermore, Outlook carries a large number of entitlements that allow the program to offer its various functionalities:

$ codesign -dv --entitlements -  "/Applications/Microsoft Outlook.app"
Executable=/Applications/Microsoft Outlook.app/Contents/MacOS/Microsoft Outlook
Identifier=com.microsoft.Outlook
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=311585 flags=0x10000(runtime) hashes=9726+7 location=embedded
Signature size=9012
Timestamp=30 Mar 2024 at 18:46:20
Info.plist entries=56
TeamIdentifier=UBF8T346G9
Runtime Version=14.2.0
Sealed Resources version=2 rules=13 files=9705
Internal requirements count=1 size=184
[Dict]
    [Key] com.apple.application-identifier
    [Value]
        [String] UBF8T346G9.com.microsoft.Outlook
    [Key] com.apple.developer.team-identifier
    [Value]
        [String] UBF8T346G9
    [Key] com.apple.developer.ubiquity-kvstore-identifier
    [Value]
        [String] UBF8T346G9.com.microsoft.Outlook
    [Key] com.apple.developer.usernotifications.communication
    [Value]
        [Bool] true
    [Key] com.apple.developer.usernotifications.time-sensitive
    [Value]
        [Bool] true
    [Key] com.apple.security.app-sandbox
    [Value]
        [Bool] true
    [Key] com.apple.security.application-groups
    [Value]
        [Array]
            [String] UBF8T346G9.Office
            [String] UBF8T346G9.ms
            [String] UBF8T346G9.com.microsoft.oneauth
            [String] UBF8T346G9.OfficeOsfWebHost
    [Key] com.apple.security.assets.movies.read-only
    [Value]
        [Bool] true
    [Key] com.apple.security.assets.music.read-only
    [Value]
        [Bool] true
    [Key] com.apple.security.assets.pictures.read-only
    [Value]
        [Bool] true
    [Key] com.apple.security.automation.apple-events
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.disable-library-validation
    [Value]
        [Bool] true
    [Key] com.apple.security.device.audio-input
    [Value]
        [Bool] true
    [Key] com.apple.security.device.camera
    [Value]
        [Bool] true
    [Key] com.apple.security.files.user-selected.read-write
    [Value]
        [Bool] true
    [Key] com.apple.security.network.client
    [Value]
        [Bool] true
    [Key] com.apple.security.personal-information.addressbook
    [Value]
        [Bool] true
    [Key] com.apple.security.personal-information.location
    [Value]
        [Bool] true
    [Key] com.apple.security.print
    [Value]
        [Bool] true
    [Key] com.apple.security.smartcard
    [Value]
        [Bool] true
    [Key] com.apple.security.temporary-exception.apple-events
    [Value]
        [Array]
            [String] com.microsoft.lync
            [String] com.microsoft.skypeforbusiness
            [String] com.cisco.jabber
            [String] cisco-systems.spark
            [String] microsoft/com.microsoft.alertsdaemon
            [String] com.microsoft.autoupdate2
            [String] com.microsoft.entourage.databasedaemon
            [String] com.microsoft.outlook.database_daemon
            [String] com.microsoft.entourage.databaseutility
            [String] com.microsoft.outlook.databasedaemon
            [String] com.microsoft.outlook.databaseutility
            [String] com.microsoft.entourage
            [String] com.microsoft.outlook
            [String] com.microsoft.errorreporting
            [String] com.microsoft.excel
            [String] com.microsoft.communicator
            [String] microsoft/com.microsoft.messengerdaemon
            [String] microsoft/com.microsoft.messenger
            [String] com.microsoft.messenger
            [String] com.microsoft.entourage.officereminders
            [String] com.microsoft.outlook.officereminders
            [String] com.microsoft.setupassistant
            [String] com.microsoft.powerpoint
            [String] com.microsoft.entourage.syncservices12
            [String] com.microsoft.syncservicesagent
            [String] com.microsoft.word
            [String] com.microsoft.myday
    [Key] com.apple.security.temporary-exception.files.absolute-path.read-only
    [Value]
        [Array]
            [String] /Library/Preferences/com.microsoft.office.licensingV2.plist
            [String] /Library/Logs/Microsoft/
            [String] /Library/Application Support/Microsoft/
    [Key] com.apple.security.temporary-exception.files.home-relative-path.read-only
    [Value]
        [Array]
            [String] /Library/Application Support/Microsoft/
            [String] /Library/Caches/TemporaryItems/msoclip/
            [String] /Documents/Microsoft User Data/
            [String] /Documents/Microsoft-Benutzerdaten/
            [String] /Documents/Datos de usuario de Microsoft/
            [String] /Documents/Données utilisateurs Microsoft/
            [String] /Documents/Microsoft användardata/
            [String] /Documents/Microsoft ユーザー データ/
            [String] /Documents/Dati utente Microsoft/
            [String] /Documents/Dane użytkownika produktów firmy Microsoft/
            [String] /Documents/Данные пользователя Майкрософт/
            [String] /Documents/Microsoft 用户数据/
            [String] /Documents/Microsoft 使用者資料/
    [Key] com.apple.security.temporary-exception.mach-lookup.global-name
    [Value]
        [Array]
            [String] com.microsoft.office.licensingV2.helper.port
            [String] com.apple.GSSCred
    [Key] com.apple.security.temporary-exception.sbpl
    [Value]
        [Array]
            [String]
 (allow authorization-right-obtain (right-name "com.apple.KerberosAgent"))
    [Key] com.apple.security.temporary-exception.shared-preference.read-only
    [Value]
        [Array]
            [String] com.apple.ncprefs
            [String] com.apple.notificationcenterui
    [Key] com.apple.security.temporary-exception.shared-preference.read-write
    [Value]
        [Array]
            [String] com.microsoft.autoupdate2
            [String] com.microsoft.office
            [String] com.microsoft.shared
            [String] com.cisco.WebEx Productivity Tools
            [String] com.cisco.Cisco Webex Meetings
    [Key] keychain-access-groups
    [Value]
        [Array]
            [String] UBF8T346G9.com.microsoft.identity.universalstorage

The program is compiled using the Hardened Runtime, a security feature which aims, among other things, to prevent dynamically linked library hijacking.
However, the program includes this specific entitlement:

[Key] com.apple.security.cs.disable-library-validation
[Value]
    [Bool] true

With this entitlement enabled, the program’s defense against library hijacking is effectively nullified, as it allows the loading of unsigned dynamic libraries. This is an issue because a malicious application could leverage Outlook’s permissions without proper authorization.

Indeed, an attacker could copy the application into a controllable location and perform a library injection to use the entitlements of the application. So, an attacker could potentially record audio, obtain the user's location, and more.
In scenarios where the attacker leverages permissions already granted to Outlook, or where Apple Events are sent to the other Microsoft apps covered by the com.apple.security.temporary-exception.apple-events entitlement, the system will not display a permission prompt and the actions execute straightaway.
However, where the required permission has not yet been granted, the request will appear to come from the Microsoft Outlook app. This could lead users to grant the permission based on their trust in the Microsoft app.

Because the com.apple.security.cs.disable-library-validation entitlement is set to true, a malicious application could perform a library injection in Microsoft Outlook without any special permission.
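The two checks used above (the otool -L listing and the codesign entitlement dump) can be scripted so that the same weakness is spotted across many bundles. The following is an added example and is not Talos's tooling or Microsoft code: it parses the output formats shown earlier, records whether the Hardened Runtime flag is set, flags the com.apple.security.cs.disable-library-validation entitlement, lists relative-path library loads, and lists the sensitive entitlements an injected library would inherit. The application path, entitlement values and library names in the embedded sample dumps are constructed placeholders, and the set of "sensitive" entitlements is an assumption limited to those this advisory discusses.

```python
# Added audit helper, not Talos or Microsoft code. It parses the text printed by
# `codesign -dv --entitlements - "<App>.app" 2>&1` and `otool -L <binary>` and
# reports the combination this advisory describes. The sample dumps are constructed.
import re

# Entitlements named in the advisory whose reach an injected library inherits.
SENSITIVE_ENTITLEMENTS = {
    "com.apple.security.device.camera",
    "com.apple.security.device.audio-input",
    "com.apple.security.personal-information.location",
    "com.apple.security.personal-information.addressbook",
    "com.apple.security.temporary-exception.apple-events",
}

SAMPLE_CODESIGN = """\
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=10+2 location=embedded
[Dict]
    [Key] com.apple.security.cs.disable-library-validation
    [Value]
        [Bool] true
    [Key] com.apple.security.device.camera
    [Value]
        [Bool] true
    [Key] com.apple.security.temporary-exception.apple-events
    [Value]
        [Array]
            [String] com.example.other
"""

SAMPLE_OTOOL = """\
/Applications/Example.app/Contents/MacOS/Example:
        @rpath/Foo.framework/Versions/A/Foo (compatibility version 0.0.0, current version 0.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1319.0.0)
"""


def parse_codesign_dump(text):
    """Return (code-directory flag names, {entitlement: value}) from a codesign dump."""
    flags, ents, key = set(), {}, None

    def store(value):  # append for [Array] entitlements, otherwise set a scalar
        if isinstance(ents.get(key), list):
            ents[key].append(value)
        else:
            ents[key] = value

    for raw in text.splitlines():
        line = raw.strip()
        m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", line)
        if m:  # e.g. flags=0x10000(runtime): "runtime" means Hardened Runtime is on
            flags.update(f.strip() for f in m.group(1).split(",") if f.strip())
        elif line.startswith("[Key] "):
            key = line[6:]
            ents.setdefault(key, None)
        elif key is None:
            continue
        elif line == "[Array]":
            ents[key] = []
        elif line.startswith("[Bool] "):
            ents[key] = line[7:] == "true"
        elif line.startswith("[String]"):
            store(line[8:].strip())
    return flags, ents


def parse_otool_deps(text):
    """Return install names from otool -L output (its first line is the binary itself)."""
    deps = []
    for line in text.splitlines()[1:]:
        line = line.strip()
        if line and not line.startswith("["):  # skip blanks and an elided "[...]"
            deps.append(line.split(" (compatibility")[0])
    return deps


def assess(codesign_text, otool_text):
    """Combine both dumps into the finding the advisory describes."""
    flags, ents = parse_codesign_dump(codesign_text)
    relative = [d for d in parse_otool_deps(otool_text)
                if d.startswith(("@rpath/", "@loader_path/", "@executable_path/"))]
    hardened = "runtime" in flags
    disabled = ents.get("com.apple.security.cs.disable-library-validation") is True
    if not hardened:
        verdict = "no hardened runtime: library validation not enforced"
    elif disabled:
        verdict = "library validation disabled by entitlement"
    else:
        verdict = "library validation in effect"
    return {
        "hardened_runtime": hardened,
        "library_validation_disabled": disabled,
        "relative_path_libs": relative,
        "exposed_entitlements": sorted(k for k, v in ents.items()
                                       if k in SENSITIVE_ENTITLEMENTS and v),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_CODESIGN, SAMPLE_OTOOL).items():
        print(f"{k}: {v}")
```

On macOS the real dumps are captured with the two commands quoted in the header comment (the -dv details of codesign are printed to stderr, hence the 2>&1) and passed to assess(). A verdict of "library validation disabled by entitlement" together with a non-empty relative_path_libs list is the condition this advisory describes; the exposed_entitlements list shows what an injected library would gain.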

TIMELINE

2024-04-16 - Vendor Disclosure
2024-05-13 - Vendor reply
2024-07-29 - Feedback to vendor
2024-08-01 - Vendor reply and request for additional information
2024-08-06 - Vendor informed of CVE assignments
2024-08-14 - Vendor acknowledgement
2024-08-19 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.