CVE CyberSecurity Database News

CVE-2024-30104 - How Microsoft Office Remote Code Execution Works (With Exploit Example)

Poster -

In June 2024, Microsoft patched a serious security hole, marked as CVE-2024-30104. This bug allows attackers to run their own code on your computer just by getting you to open a specially crafted Word or Excel file. Below, we break down what this vulnerability does, how it can be abused, and what you can do if you think you’re at risk. If you’re a security researcher or sysadmin, you’ll also find example exploit code and practical details.

What is CVE-2024-30104?

CVE-2024-30104 is a Remote Code Execution (RCE) vulnerability in several Microsoft Office products, including Word and Excel. Remote code execution means an attacker can make your computer run commands of their choice, if you open a malicious file.

Microsoft’s advisory: June 2024 Security Update Guide

How Does the Attack Work?

An attacker creates a specially crafted Office file (like docx or xlsx), embeds malicious data that takes advantage of the flaw, and sends it to a victim — often through email or a download link. If the victim opens the file with a vulnerable Office version, the malicious code runs on their system with the same privileges as the user.

According to Microsoft, an attacker could exploit this with a low level of skill and without user interaction, after opening the document.

A Technical Look: The Vulnerability

The core issue lies in how Office handles certain OLE objects embedded inside Office files. The vulnerability is triggered when Office fails to validate object data, allowing the attacker to create a memory corruption scenario.

When opened, the file triggers execution of the code.

Let’s look at a basic example, simplified for illustration.

Example Exploit Code (Python - Proof of Concept)

Below is a Python script using msoffcrypto-tool and oletools to manipulate a DOCX file by injecting a malicious macro. (Note: For real attacks, more obfuscation and payload construction would be involved. This is for research/education only.)

import olefile
from oletools.olevba3 import VBA_Parser, VBA_Scanner

# Create a basic malicious macro
malicious_macro = '''
Sub AutoOpen()
    Dim objShell As Object
    Set objShell = CreateObject("WScript.Shell")
    objShell.Run "calc.exe", 
End Sub
'''

# Here you would use a library to modify an existing Word DOCM (macro-enabled document)
# and inject the above macro into it. For example:
from docx import Document

# Save the macro to a vbaProject.bin (in real scenarios, done via OleTools or manual method)
with open("evil_macro.vba", "w") as f:
    f.write(malicious_macro)
    
# This snippet does NOT produce a working, fully weaponized file,
# but illustrates the concept—malicious macros are embedded into a Word file,
# which Office then executes if the user allows macros (which attackers often trick with social engineering).

Real-life attacks for this CVE may not use macros directly but rather exploit lower-level OLE parsing directly and chain with other vulnerabilities. But, the idea is the same: attacker’s code runs when the victim opens the file.

You can find scripts and proof of concepts on specialist security sites. For educational purposes, read:

- Microsoft’s official guidance and patch info
- Exploit Database (search for CVE-2024-30104 for PoCs as they emerge)
- Rapid7 Analysis - includes general risk assessment

How to Stay Safe

Patch now! Microsoft has released updates for all supported Office versions. Find the patch for your version on their site or use Windows Update.

Final Words

CVE-2024-30104 is one of the nastiest Office bugs of 2024. It shows how even just opening a Word file can be risky if you haven’t patched your software. Sysadmins and home users alike should pay attention, deploy patches, and be cautious of Office attachments.

References:
- Microsoft official: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30104
- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30104
- Exploit DB: https://www.exploit-db.com/search?cve=CVE-2024-30104

Timeline

Published on: 06/11/2024 17:16:00 UTC
Last modified on: 07/19/2024 21:13:40 UTC