Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Mitja Kolsek Profile picture
@mkolsek
Feb 19 5 tweets 2 min read Read on X
I don't see why a possibility for chaining this with an old, already patched RCE would suffice for qualifying as RCE itself. I mean, @xaitax video shows coupling with Follina (CVE-2022-30190), and couples it with CVE-2023-21716. I think there must be more than that there.github.com/labesterOct/CV…
@HaifeiLi @xaitax Besides, parsing of this "!" format must be insane: Exclamation mark is a valid character in a file name. How would you go about parsing that? My money is on this parsing being broken and exploitable.
Well, well, well. You try to see if function ole32!MkParseDisplayName was patched by February updates - but ole32.dll hasn't changed at all! So the function wasn't patched, right?
Then you put a breakpoint on this function in Outlook process and - HELLO, Microsoft! The function is hotpatched and, with a jmp instruction written over the first bytes, replaced with its alternative in mso.dll.
This is what we at @0patch have been doing (albeit more "surgically" modifying just a part of a function) for 9 years now, and it's nice to see Microsoft finally joining the party on on-prem Windows.
However, this is bad news for patch analysis. Simply diffing two consecutive EXE/DLL versions no longer gives one a reliable list of changes in said EXE/DLL. With the CVE-2024-21413 patch Outlook self-patches ole32.dll loaded in its process and replaces original function ole32!MkParseDisplayName with its own function. Diffing ole32.dll does not reveal that.
@HaifeiLi @xaitax Interestingly, this "!" trick has been used before in a CVE-2021-40444 exploit as noticed by @wdormann back in 2021

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Mitja Kolsek

Mitja Kolsek Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @mkolsek

Mitja Kolsek Profile picture
Mar 18, 2021
Having a @tetrane REVEN one-on-one training today - absolutely LOVING every moment as well as the potential of this product. My jaw dropped even further when I saw the integration with WinDbg. I didn't know I needed it until I saw it :)
@tetrane For those who don't know @tetrane REVEN yet: it allows you to do a recording of an entire virtual machine, and then walk forward and back through execution of any process, search who changed some memory location and when, trace the flow of data using tainting (forward and back).
So you have a crash and want to see why it happened. Oh, process tried to write to [rdx] which points to 0x41414141. Where did this value come from? Ok, it was read from address 0x2235543F2. Who wrote it there? Check the ENTIRE history of this address and find the last write.
Read 22 tweets
Mitja Kolsek Profile picture
Mar 15, 2021
Today's Microsoft cloud services outage is a perfect plot twist to the "Everyone stop using on-prem Exchange and migrate to Office 365" fairy tale.
I sense a strong presence of actual Exchange admins in retweets and likes above, the presence I sensed severely lacking in a popular Twitter thread condescendingly promoting said fairy tale :)
And the very next day, this:
Read 4 tweets
Mitja Kolsek Profile picture
Mar 5, 2021
You know what's worse than accidentally typing your password to browser address bar?

Google finds 78 hits.
I recommend regular testing of your passwords by googling them. Everything under 5 hits is ISO 27001 compliant.
Also set a Google alert so you know when to change your passwords.
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(