You can break the chain

Microsoft’s Attack Surface Analyzer (ASA) can be turned against the systems it is meant to protect using a sophisticated three-part attack, security researcher Parsia Hakimian has demonstrated.

Hakimian chained together three bugs to achieve remote code execution (RCE) on a system running ASA, a Windows system snapshot tool.

The proof-of-concept exploit he put together is somewhat ironic because Attack Surface Analyzer is designed to scan an OS to analyze changes an installed application has made (i.e. potential problems) rather than becoming a conduit for the attack itself.

Stage one of the attack depends on ASA’s use of Electron.NET, a tool for packaging web apps as desktop applications.

ASA is built on top of Electron.NET but a bug in the implementation means an attacker can use a targeted victim’s web browser to access ASA, the underlying application.

Obtaining ignition is an important pre-condition for exploiting a cross-site scripting (XSS) vulnerability (stage two).

“A remote attacker can submit a runID with embedded JavaScript that is executed by the victim using the ASA Electron application,” Hakimian explains.

Stage three – and blast off – involves leveraging the XSS flaw to achieve RCE via NodeIntegration.

Hakimian reported the issue to Microsoft late last month. Redmond confirmed the problem and developed a fix, released earlier this month.

A full write-up of the three-stage attack can be found in a blog post by Hakimian.

RELATED Microsoft offers protection to Chrome and Firefox users via browser extension