November 20, 2023
Severity Medium Analysis Summary Agent Tesla is a very popular spyware Trojan built for the.NET framework. Since its initial appearance in 2014, this has been deployed […]
Running away from the pitfall of insecure browsing
August 16, 2018Latest Favorite Platform for Zero-Day Exploits: Microsoft Office
August 21, 2018Running away from the pitfall of insecure browsing
August 16, 2018Latest Favorite Platform for Zero-Day Exploits: Microsoft Office
August 21, 2018
A remote code execution vulnerability exists in Microsoft Windows that can provide user privileges to an attacker
IMPACT: HIGH
PUBLISH DATE: 16-08-2018
OVERVIEW
Microsoft Windows is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial of service conditions.
A remote user can create a specially crafted file that, when clicked/opened by the target user, will trigger a file path validation flaw and execute arbitrary code on the target system. The code will run with the privileges of the target user.
BACKGROUND INFORMATION
A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka “Windows Shell Remote Code Execution Vulnerability.” This affects Windows 10 Servers, Windows 10.
If current user at the time of exploit is logged in with administrative privileges, the attacker could take control of the affected system, installing programs; viewing, changing, or deleting data; or creating new accounts with elevated privileges. Therefore, users with fewer privileges are less dangerous when affected, as compared to targeting of users having administrative privileges.
An attacker could either exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open it, or they could host a website that contains a specially crafted file designed to exploit the vulnerability.
However, there’s no forceful obligations by the attacker to open the file. They have to convince a user to click a link and open the specially crafted file.
ANALYSIS
This vulnerability in the Windows shell refers to the use of SettingContent-ms files —aka Windows 10 control panel shortcuts— for malware distribution. All SettingContent-ms files are nothing more than XML documents, which contain a < DeepLink > tag that specifies the on-disk location of the Windows setting page that it will open when users double-click shortcuts.
The problem lies when DeepLink tag is used with any other executables from the local system, including links to binaries such
as cmd.exe or PowerShell.exe. [two apps that allow shell command execution]
Tricking users via phishing emails using social engineering tactics proves to be an easy task. Researchers say they hosted a SettingContent-ms shortcut on a web server, and were able to download and run it without Windows 10 or Windows Defender alerting the user at all.
Furthermore, malware authors can also embed a SettingContent-ms shortcut inside Office documents with the help of an Office feature named Object Linking and Embedding (OLE). This feature allows Office users to embed other files in Office documents. It has been one of the simplest methods of running malicious code on users’ PCs.
Microsoft has counteracted this trend by disallowing the embedding of certain dangerous file types inside OLE objects. Since SettingContent-ms is a new file type, it is not included in Office’s OLE file format blacklist and malware authors can reliably use SettingContent-ms file types Office documents to execute malicious operations on users’ systems.
AFFECTED PRODUCTS
All end-hosts or servers under analysis, running the following OS versions are affected:
- Microsoft Windows 10 Version 1803 for 32-bit Systems
- Microsoft Windows 10 Version 1803 for x64-based Systems
- Microsoft Windows 10 version 1703 for 32-bit Systems
- Microsoft Windows 10 version 1703 for x64-based Systems
- Microsoft Windows 10 version 1709 for 32-bit Systems
- Microsoft Windows 10 version 1709 for x64-based Systems
- Windows Server, version 1709 (Server Core Installation)
- Windows Server, version 1803 (Server Core Installation)
UPDATES
The security updates address the vulnerability by ensuring the Windows Shell properly validates file paths.
Apply following updates with respect to OS versions.
- Windows 10 for 32-bit Systems (KB4343892):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343892
- Windows 10 Version 1703 for 32-bit Systems (KB4343885):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343885
- Windows 10 Version 1709 for 32-bit Systems (KB4343897):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343897
- Windows 10 Version 1803 for 32-bit Systems (KB4343909):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343909
- Windows 10 Version 1709 for x64-based Systems (KB4343897):
- Windows Server, version 1709 (Server Core Installation) (KB4343897):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343897
- Windows 10 Version 1803 for x64-based Systems (KB4343909):
- Windows Server, version 1803 (Server Core Installation) (KB4343909):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343909
- Windows Server 2016 (KB4343887):
- Windows 10 Version 1607 for x64-based Systems (KB4343887):
- Windows Server 2016 (Server Core installation) (KB4343887):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343887
- Windows 10 Version 1607 for 32-bit Systems (KB4343887):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343887
- Windows 10 Version 1703 for x64-based Systems (KB4343885):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343885
- Windows 10 for x64-based Systems (KB4343892):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343892
Furthermore, if you think you are a victim of a cyber-security attack. Immediately send an email to info@rewterz.com for a rapid response.