Windows 10 RCE: via insecure default URI handler

Two researchers found an issue in Windows 10 that allows for a drive-by code execution vulnerability on Windows 10 via IE11/Edge Legacy and MS Teams, activated by an argument injection in the Windows 10/11 default handler for ms-officecmd: URIs. In their report published on researchers` blog they provide a full cover of their findings and additionally added original MSRC report. Lukas Euler and Fabian Bräunlein made the initial disclosure about an issue via on 10th of March this year but MS rejected it explaining “[..] your report appears to rely on social engineering [..]”.

Two researchers found an exploit in Windows 10

They retorted in the blog that the rejection was errouneuses due to the lack of technical understanding during triage. And after their appeal MS reopened the issue and assigned it the “Critical, RCE” classification. However no CV has been assigned or advisory published. In the following statement MS said:

“Unfortunately in this case there was no CVE or advisory tied to the report. Most of our CVEs are created to explain to users why certain patches are sent through Windows Update and why they should be installed. Changes to websites, downloads through Defender, or through the Store normally do not get a CVE attached in the same way”.

Generally speaking the vulnerability is in a default URI handler of Windows 10 and can be exploited from various applications. That’s when a Windows 10 user either clicks on a malicious “ms-officecmd:”-link in any application, arbitrary commands can be executed on the victim’s computer or visits a malicious website with Edge. Exploitation through other browsers made necessary to the victims to accept an unnoticeable confirmation dialog. On the other hand, a malicious URI could be send via a desktop application running dangerous URL handling. In their post researchers point out that besides the direct RCE via –gpu-launcher, several other attack scenarios are possible:

  • Injecting application-specific arguments, e.g. the /l switch in Word to load an Add-In from a UNC path. (while the researchers tested that UNC paths are received, they didn`t assesed the effect of loading malicious Office Add-Ins);
  • Injecting a –host-rules parameter for a full Electron MitM (repossessing of Auth tokens and Teams messages);
  • Injecting a –inspect= parameter to create a local node debugging server with an Electron app. An attacker in the local network can then join the port and employ native code (also tested by researchers with Skype as the target).
  • The research showed many ways how attackers can exploit Windows 10 RCE

    Also apart from the argument injection they found the next two attacks to be possible:

  • Running Outlook with a URL of the format C:/…/some.exe/ (additional slash to pass through the AppBridge.dll validation) makes Outlook parse the link as a local file link and redirect to/open/execute the file. That’s what makes it to be incorporated with Chrome’s auto-download behaviour to obtain arbitrary code execution after a security warning is issued;
  • Running Outlook with a web URL as a parameter opens this web page inside Outlook, which creates potentiality for phishing attacks.
  • Although according to the MS Bounty program the findings could be qualified for the award of $50k instead they received only $5k. The company came up with a patch after 5 months but according to researchers` own words “failed to properly address the underlying argument injection”. The researchers say the exploit is also stil present on Windows 11 and considering how many URI handlers Windows has it may be possible that they are vulnerable too.

    Andrew Nail

    Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure if a journalist job is what I want to do in my life, but in conjunction with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people to deal with malware they have on their PCs.

    Leave a Reply

    Back to top button