CVE-2024-43604
Cross-account files exfiltration via calendar event
5.7 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Microsoft Outlook for Android
4.2432.0
Mateusz Tyl
The calendar functionality in Outlook allows, among other things, attachments to be added to an event. When adding an attachment to a new mail, switching between accounts is disabled. However, the opposite is true for event attachments. As a result, a file from any account can be added and later accessed in the context of any of the user's accounts. Files can be planted by switching from a private to a company account, or exfiltrated by doing the reverse.
The vulnerability exists in the event creation menu: any file available in a OneDrive account can be added to an event. After attaching files from both accounts, the event can be assigned to either one of them. While cross-company data transfer is also possible through this vulnerability, the scenario below focuses on bypassing a policy that restricts communication with personal storage.
- Configure the company email on the mobile device.
- Add the personal account as a second one.
- Upload a malicious file to OneDrive, for instance the PowerShDll tool for Windows policy bypass.
Image 1: Contents of personal OneDrive
- Create a new event in Outlook; do not change any parameters of the meeting.
Image 2: Calendar panel before event creation
- At the top of the screen there is an expandable list where the calendars of different accounts can be switched. Add the malicious file from the personal one, then switch to the company account and add a confidential file.
Image 3: Attaching personal malicious file
Observe how the policy is enforced for each account's calendar: for the personal one, both cloud and device storage are accessible, while in the other only company cloud access is enabled. Cross-company access is disallowed from the upload perspective.
Image 4: Attaching company confidential file
The event with both files can now be added to either account, which leads to one of two scenarios:
- Exfiltration of company data to personal calendar
- Upload of malicious data to company calendar
Image 5: Account switch in the creation menu
If the event is already added, or the Name and Description parameters are already defined, then switching is no longer possible.
Image 6: Disabled account switch in the creation menu
To transfer files from the event to OneDrive in the company context, add any account to the event as an attendee, for example the other one used for the switch.
Image 7: Options of created event
A mail will be sent to the attendee other than the owner of the event, with the chosen files as attachments.
Image 8: Automatic email
The attachments can then be downloaded on an authorized device or uploaded to OneDrive.
Image 9: Saving the attachment
The file can be previewed by any application in the personal context, which simplifies the process. In this case, for instance, Termux can be used to save any file.
Image 10: Menu for file opening
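As an added illustration (a hypothetical model written for this write-up, not Outlook's code), the following Python contrasts an account-switch check that only looks at the saved state and the Name/Description fields, which is the behaviour observed above, with a hardened check that also refuses the switch while the draft still carries attachments sourced from another account, and that rejects cross-account attachments at attach time.

```python
"""Hypothetical model of the account-switch check in an event draft.

Assumed names (EventDraft, Attachment, source_account) are invented
for this example; they do not refer to real Outlook internals.
"""
from dataclasses import dataclass, field


@dataclass
class Attachment:
    name: str
    source_account: str  # account whose storage the file was picked from


@dataclass
class EventDraft:
    account: str  # account whose calendar the event is being created in
    saved: bool = False
    name: str = ""
    description: str = ""
    attachments: list = field(default_factory=list)


def _draft_is_locked(draft: EventDraft) -> bool:
    # The only condition the observed behaviour enforces.
    return draft.saved or bool(draft.name) or bool(draft.description)


def switch_allowed_vulnerable(draft: EventDraft, target: str) -> bool:
    """Models the observed behaviour: attachments are never considered."""
    return not _draft_is_locked(draft)


def switch_allowed_hardened(draft: EventDraft, target: str) -> bool:
    """Refuse the switch if any attachment came from an account other than target."""
    if _draft_is_locked(draft):
        return False
    return all(a.source_account == target for a in draft.attachments)


def add_attachment_hardened(draft: EventDraft, att: Attachment) -> bool:
    """Only accept files picked from the storage of the draft's own account."""
    if att.source_account != draft.account:
        return False
    draft.attachments.append(att)
    return True


def try_switch(draft: EventDraft, target: str, check) -> bool:
    """Apply the switch only when the supplied policy check passes."""
    if not check(draft, target):
        return False
    draft.account = target
    return True
```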
- 16-09-2024 - Vulnerability reported to the vendor
- 08-10-2024 - Security advisory published by the vendor
- 16-06-2025 - PoC published