So I just reported a very interesting bug in Outlook. It took me a while to analyze and understand (part of) the root cause. The bug allows reading the value of a MAPI property* and using it *directly* as a memory pointer. We know OOB bugs (e.g. caused by integer overflow) are not rare, but they are all some sort of "offset", not someone just reading the value and directly using it as a pointer. So basically you can set the DWORD 0xdddddddd in the email and Outlook will happily access memory at 0xdddddddd. Not sure what severity it could be, as it's an OOB read at first glance, but definitely an interesting find for me. :) Full details will be released after MSRC's review.

* https://learn.microsoft.com/en-us/office/client-developer/outlook/mapi/mapi-property-overview

#VulnerabilityResearch #Outlook #EmailSecurity
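As an added illustration of the bug class the post describes (this is not the author's code and not Outlook's; the real code path has not been published), here is the "value used directly as a pointer" pattern in C beside the two ways such a value is normally handled: as an index into a table the parser owns, or as a bounds-checked offset into the message buffer. The `prop_t` layout, the `DEMO_TAG` constant, the record table and the sample buffer are assumptions constructed for the example; 0xdddddddd is the value from the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a MAPI property: a tag plus a 32-bit payload
 * (the DWORD the post says can be set in the email). This is NOT Outlook's
 * real SPropValue layout. */
typedef struct {
    uint32_t ulPropTag;
    uint32_t dwValue;
} prop_t;

/* A record the parser keeps in memory; the property is meant to select one. */
typedef struct {
    const char *name;
    uint32_t    flags;
} record_t;

/* Constructed sample data: a small record table, a 16-byte stand-in for the
 * message buffer, a benign property and an attacker-controlled one. */
#define DEMO_TAG 0x80010003u              /* hypothetical custom PT_LONG tag */
static const record_t g_table[3] = {
    { "alpha", 0x1 }, { "beta", 0x2 }, { "gamma", 0x4 },
};
static const uint8_t g_msg[16] = { 0 };
static const prop_t  g_benign = { DEMO_TAG, 1u };
static const prop_t  g_evil   = { DEMO_TAG, 0xddddddddu };

/* VULNERABLE: the untrusted DWORD becomes the address that is read.
 * Nothing stops 0xdddddddd from reaching a dereference. */
static const record_t *lookup_vulnerable(const prop_t *p)
{
    return (const record_t *)(uintptr_t)p->dwValue;   /* BUG: value -> pointer */
}

/* HARDENED (a): the value is an index into memory the parser owns, and
 * anything outside the table is refused. */
static const record_t *lookup_by_index(const prop_t *p,
                                       const record_t *table, size_t count)
{
    if (p->dwValue >= count)          /* 0xdddddddd, 0xffffffff, ... rejected */
        return NULL;
    return &table[p->dwValue];
}

/* HARDENED (b): the value is an offset into the message buffer, and the
 * object read there must fit. Written so that off + need cannot overflow. */
static const uint8_t *resolve_offset(const uint8_t *buf, size_t len,
                                     uint32_t off, size_t need)
{
    if (off > len || need > len - off)
        return NULL;
    return buf + off;
}

int main(void)
{
    const record_t *r = lookup_by_index(&g_benign, g_table, 3);
    printf("index 1 -> %s\n", r ? r->name : "(rejected)");
    r = lookup_by_index(&g_evil, g_table, 3);
    printf("index 0x%08x -> %s\n", g_evil.dwValue, r ? r->name : "(rejected)");

    /* Print the pointer the vulnerable path would dereference; printing it is
     * safe, dereferencing it is the access at 0xdddddddd the post describes. */
    printf("vulnerable path would read from %p\n",
           (const void *)lookup_vulnerable(&g_evil));

    printf("offset 0xdddddddd into a %zu-byte buffer -> %s\n", sizeof g_msg,
           resolve_offset(g_msg, sizeof g_msg, 0xddddddddu, 4) ? "ok" : "rejected");
    return 0;
}
```

The difference the post draws is visible in the two hardened helpers: an offset or index is only ever combined with a base the program controls and checked against a length, whereas `lookup_vulnerable` hands the attacker the whole address. Note that `resolve_offset` checks `need > len - off` rather than `off + need > len`, so a large offset cannot wrap the sum back into range.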