Underlying security vulnerability is still present in popular OS, researchers warn
A drive-by remote code execution (RCE) vulnerability in Windows 10 that can be triggered simply by clicking a malicious URL could allow attackers full access to a victim’s files and data.
The security flaw, an argument injection in the Windows 10/11 default handler for ms-officecmd: URIs, is present in Windows 10 via Internet Explorer 11/Edge Legacy browsers and Microsoft Teams.
Microsoft has since released a patch, but researchers claim that the fix – applied five months after the bug report – “fails to properly address the underlying argument injection which is currently also still present on Windows 11”.
Windows internally uses ms-officecmd: URIs to start various Microsoft programs.
Researchers from Positive Security, who presented the research in a blog post, revealed how it is possible to craft an URL in such a way that, when clicked, it will execute a malicious command while also starting Microsoft Teams.
Chained together with a security issue in Internet Explorer 11/Edge Legacy, visiting a malicious website is enough to trigger the exploit.
The researchers also warned that this vulnerability is still present in the operating system.
Speaking to The Daily Swig, researcher Fabian Bräunlein said: “The attack starts with a victim either visiting a malicious website in IE11/Edge Legacy or clicking a malicious link in another browser or desktop application.
“The link is then forwarded to LocalBridge.exe, which in turn runs various Office executables with a segment of the link as argument.
“We found that it’s possible to inject additional arguments, which allowed us to achieve code execution by triggering the launch of Microsoft Teams with an additional --gpu-launcher argument that is then interpreted by Electron.”
Exploitation through other browsers requires the victim to accept an inconspicuous confirmation dialog.
Alternatively, a malicious URI could also be delivered via a desktop application performing unsafe URL handling. However, a precondition for this particular exploit is to have Microsoft Teams installed but not running.
Bräunlein said that the team found the vulnerability following research conducted earlier this year when they investigated how different popular desktop applications handle URLs with non-standard URI schemes, discovering vulnerabilities in “several of them”.
“To showcase exploitation of our findings on Windows, we mostly utilized file related schemes coupled with executables/jar files hosted on internet accessible fileshares,” he explained.
“One caveat of those payloads is that they either require Java to be installed or a dialog to run the executable to be confirmed.
“We wanted to further improve on the attack scenario based on malicious URLs by finding a code execution vulnerability in a URI handler that comes pre-installed with Windows.”
Bug bounty contest
When they reported the issue, Microsoft told the team that since this was a social engineering attack, it was not eligible for a bug bounty reward – a ruling that was contested by Positive Security.
The team argued that Microsoft “missed the issue and dismissed it entirely”
A lengthy appeal process eventually resulted in the researchers being awarded a $5,000 reward – a figure that they argued was still insufficient, since it was just 10% of the maximum reward.
More technical details are found in the blog.
Positive Security said that although its proof-of-concept no longer works, the argument injection vulnerability has not been patched.
A timeline alleges that Microsoft said it would roll out a patch “in a few days” on September 16, 2021 – however the underlying argument injection flaw itself has yet to be fixed, according to the team.
The Daily Swig has reached out to Microsoft for comment and will update this article accordingly.