Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
May 25, 2023
Severity High Analysis Summary The STOP/DJVU ransomware initially made headlines in 2018 and has since been attacking individuals all around the world. It’s widespread on torrent […]May 24, 2023
Severity Medium Analysis Summary CVE-2023-30440 IBM PowerVM Hypervisor could allow a local attacker with control a partition that has been assigned SRIOV virtual function (VF) to […]May 24, 2023
Severity High Analysis Summary CVE-2023-33246 Apache RocketMQ could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw when using the […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
May 25, 2023
Severity High Analysis Summary The STOP/DJVU ransomware initially made headlines in 2018 and has since been attacking individuals all around the world. It’s widespread on torrent […]May 24, 2023
Severity Medium Analysis Summary CVE-2023-30440 IBM PowerVM Hypervisor could allow a local attacker with control a partition that has been assigned SRIOV virtual function (VF) to […]May 24, 2023
Severity High Analysis Summary CVE-2023-33246 Apache RocketMQ could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw when using the […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Running away from the pitfall of insecure browsing
August 16, 2018
Latest Favorite Platform for Zero-Day Exploits: Microsoft Office
August 21, 2018
A remote code execution vulnerability exists in Microsoft Windows that can provide user privileges to an attacker
IMPACT: HIGH
PUBLISH DATE: 16-08-2018
OVERVIEW
Microsoft Windows is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial of service conditions.
A remote user can create a specially crafted file that, when clicked/opened by the target user, will trigger a file path validation flaw and execute arbitrary code on the target system. The code will run with the privileges of the target user.
BACKGROUND INFORMATION
A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka “Windows Shell Remote Code Execution Vulnerability.” This affects Windows 10 Servers, Windows 10.
If current user at the time of exploit is logged in with administrative privileges, the attacker could take control of the affected system, installing programs; viewing, changing, or deleting data; or creating new accounts with elevated privileges. Therefore, users with fewer privileges are less dangerous when affected, as compared to targeting of users having administrative privileges.
An attacker could either exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open it, or they could host a website that contains a specially crafted file designed to exploit the vulnerability.
However, there’s no forceful obligations by the attacker to open the file. They have to convince a user to click a link and open the specially crafted file.
ANALYSIS
This vulnerability in the Windows shell refers to the use of SettingContent-ms files —aka Windows 10 control panel shortcuts— for malware distribution. All SettingContent-ms files are nothing more than XML documents, which contain a < DeepLink > tag that specifies the on-disk location of the Windows setting page that it will open when users double-click shortcuts.
The problem lies when DeepLink tag is used with any other executables from the local system, including links to binaries such
as cmd.exe or PowerShell.exe. [two apps that allow shell command execution]
Tricking users via phishing emails using social engineering tactics proves to be an easy task. Researchers say they hosted a SettingContent-ms shortcut on a web server, and were able to download and run it without Windows 10 or Windows Defender alerting the user at all.
Furthermore, malware authors can also embed a SettingContent-ms shortcut inside Office documents with the help of an Office feature named Object Linking and Embedding (OLE). This feature allows Office users to embed other files in Office documents. It has been one of the simplest methods of running malicious code on users’ PCs.
Microsoft has counteracted this trend by disallowing the embedding of certain dangerous file types inside OLE objects. Since SettingContent-ms is a new file type, it is not included in Office’s OLE file format blacklist and malware authors can reliably use SettingContent-ms file types Office documents to execute malicious operations on users’ systems.
AFFECTED PRODUCTS
All end-hosts or servers under analysis, running the following OS versions are affected:
- Microsoft Windows 10 Version 1803 for 32-bit Systems
- Microsoft Windows 10 Version 1803 for x64-based Systems
- Microsoft Windows 10 version 1703 for 32-bit Systems
- Microsoft Windows 10 version 1703 for x64-based Systems
- Microsoft Windows 10 version 1709 for 32-bit Systems
- Microsoft Windows 10 version 1709 for x64-based Systems
- Windows Server, version 1709 (Server Core Installation)
- Windows Server, version 1803 (Server Core Installation)
UPDATES
The security updates address the vulnerability by ensuring the Windows Shell properly validates file paths.
Apply following updates with respect to OS versions.
- Windows 10 for 32-bit Systems (KB4343892):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343892
- Windows 10 Version 1703 for 32-bit Systems (KB4343885):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343885
- Windows 10 Version 1709 for 32-bit Systems (KB4343897):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343897
- Windows 10 Version 1803 for 32-bit Systems (KB4343909):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343909
- Windows 10 Version 1709 for x64-based Systems (KB4343897):
- Windows Server, version 1709 (Server Core Installation) (KB4343897):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343897
- Windows 10 Version 1803 for x64-based Systems (KB4343909):
- Windows Server, version 1803 (Server Core Installation) (KB4343909):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343909
- Windows Server 2016 (KB4343887):
- Windows 10 Version 1607 for x64-based Systems (KB4343887):
- Windows Server 2016 (Server Core installation) (KB4343887):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343887
- Windows 10 Version 1607 for 32-bit Systems (KB4343887):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343887
- Windows 10 Version 1703 for x64-based Systems (KB4343885):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343885
- Windows 10 for x64-based Systems (KB4343892):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343892
Furthermore, if you think you are a victim of a cyber-security attack. Immediately send an email to info@rewterz.com for a rapid response.