Just as the dust was starting to settle on the oddly named Follina vulnerability, another Windows zero-day security hole appeared. Sort of.
We’re not convinced this is as dramatic or dangerous as some of the headlines suggest (that’s why we’ve carefully added the words “sort of” above), but it’s no surprise that researchers are currently looking for new ways to abuse the many proprietary URL types supported by Windows.
URL schemes revisited
To recap: the Follina bug, now better known as CVE-2022-30190, depends on an unusual, non-standard type of URL supported by the Windows operating system.
In a nutshell, most URLs are structured to tell you, or the software you’re using, where to go, how to get there, and what to ask for when you arrive.
For example, the URL https://example.com/ask/forthis.item says, “Using the https: scheme, connect to the server example.com and request the file /ask/forthis.item.”
Similarly, the URL file:///Users/duck/thisone.txt says, “On your local computer, open the file thisone.txt in the directory /Users/duck.”
And the URL ldap://192.168.1.79:8888/Runthis says, “Perform an LDAP lookup on the server 192.168.1.79 over TCP port 8888, searching for an object named Runthis.”
However, Windows also includes a long list of proprietary URL schemes (the scheme is the part of the URL up to the first colon), also known as protocol handlers, which can be used to trigger various non-standard activities simply by referencing a specially constructed URL.
For example, the Follina bug abused the ms-msdt: URL scheme, which is related to system diagnostics.
The ms-msdt: scheme, an idea that may seem reckless now but presumably seemed reasonable at the time it was implemented, says, “Run the Microsoft Support Diagnostic Tool,” a program called MSDT.EXE that guides you through a series of basic troubleshooting steps when an app is malfunctioning.
However, cybercriminals found that they could abuse the ms-msdt: protocol handler via URLs embedded inside emails or documents that you open in Outlook or Office.
With a booby-trapped ms-msdt: URL, an attacker could automatically run the MSDT.EXE app on your computer and, at the same time, supply malicious PowerShell script code to trick MSDT into running malware of the attacker’s choice.
Instead of helping you troubleshoot your computer, the crooks used MSDT to infect it.
Unheard-of URLs
It turns out that ms-msdt: isn’t the only weird Windows-only URL scheme that Microsoft has dreamed up.
There are numerous standard and non-standard “helper” URL schemes linked to protocol handlers through entries in the Windows registry.
These registry keys specify that a special action should be triggered when someone tries to access a URL of the corresponding type.
For example, as experience shows, an https: URL usually launches your browser if it isn’t already running.
And, as described above, an ms-msdt: URL runs MSDT.EXE, though few people knew that before the start of the week. (We didn’t. We had never seen or used that type of URL before the Follina story.)
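The registry link between a scheme and the program that handles it is something you can inspect yourself. The following PowerShell is an added example (not code from the article): it lists every scheme registered under HKEY_CLASSES_ROOT, marked by a value literally named “URL Protocol”, together with the shell\open\command each one launches, and it resolves any given URL to its handler by taking the text before the first colon. It is read-only; the function names Get-UrlSchemeHandler and Resolve-UrlScheme are this example’s own.

```powershell
# Added example (not from the article): inventory the URL schemes Windows has
# wired to protocol handlers, and resolve a URL to the program its scheme would
# launch. Read-only; nothing in the registry is modified.
# Works in Windows PowerShell 5.1 and PowerShell 7 on Windows.

$HKCR = 'Registry::HKEY_CLASSES_ROOT'

function Get-UrlSchemeHandler {
    <#
      Returns the registered schemes (HKCR subkeys carrying a value named
      "URL Protocol") with the shell\open\command each one launches.
      Handlers that hand off via DelegateExecute (COM) show an empty Command.
    #>
    Get-ChildItem -Path $HKCR -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '.*' } |      # skip file-type keys such as .txt
        ForEach-Object {
            $key = $_
            # The presence of a "URL Protocol" value is what makes a key a scheme.
            if ($key.GetValueNames() -contains 'URL Protocol') {
                $cmdPath = "$($key.PSPath)\shell\open\command"
                $command = $null
                if (Test-Path -Path $cmdPath) {
                    $command = (Get-Item -Path $cmdPath).GetValue('')   # '' = the (default) value
                }
                [PSCustomObject]@{
                    Scheme  = "$($key.PSChildName):"
                    Command = $command
                }
            }
        }
}

function Resolve-UrlScheme {
    <#
      Given a URL, extract its scheme (everything before the first colon) and
      report which handler, if any, Windows would hand it to. A scheme with no
      registry entry is reported as unhandled, which is exactly the state the
      article's search-ms: mitigation aims for.
    #>
    param([Parameter(Mandatory)][string]$Url)

    if ($Url -notmatch '^([A-Za-z][A-Za-z0-9+.-]*):') {
        throw "Not a URL with a scheme: $Url"
    }
    $scheme  = $Matches[1]
    $handler = Get-UrlSchemeHandler | Where-Object { $_.Scheme -ieq "${scheme}:" }
    $command = if ($handler) { $handler.Command } else { '(no protocol handler registered)' }

    [PSCustomObject]@{
        Url     = $Url
        Scheme  = "${scheme}:"
        Handled = [bool]$handler
        Command = $command
    }
}

# Usage: full inventory, then the URL styles and the two schemes discussed in the article.
Get-UrlSchemeHandler | Sort-Object Scheme | Format-Table -AutoSize -Wrap

'https://example.com/ask/forthis.item',
'file:///Users/duck/thisone.txt',
'ms-msdt:',
'search-ms:' |
    ForEach-Object { Resolve-UrlScheme -Url $_ } | Format-List
```

On a stock Windows 10 machine the inventory runs to well over a hundred schemes, most of which you will never have seen; anything whose Command points outside %SystemRoot% or Program Files is worth a second look. Running the script again after applying a mitigation such as removing a scheme’s key shows that scheme flip to “no protocol handler registered”.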
Well-known cybersecurity researcher @hackerfantastic found a Windows URL scheme called search-ms: that, like ms-msdt:, can be misused for cybercriminal treachery.
We’re not sure this is in the realm of “zero-day exploits” since, as already said, it doesn’t directly lead to unexpected remote code execution…
…but we acknowledge that it’s a close thing, and that Microsoft may well block this special URL from working in the future.
The “search URL” trick
Simply put, a search-ms: URL automatically pops up a Windows search, just as if you had clicked the magnifying glass on the taskbar, typed in the text you wanted, and waited for the results.
By embedding this type of URL in a document such as a DOC or RTF file, an attacker can entice you to open the document, in much the same way that the Follina trick was pulled off, and then automatically display an official-looking popup listing supposedly related search results:
Microsoft Office 2019 / Windows 10 / search-ms: Exploiting URI handlers for SYSTEM and steps after exploitation. pic.twitter.com/r512uF3vQ4
—hackerfantastic.crypto (@hackerfantastic) June 1, 2022
An attacker who embeds a special URL into a booby-trapped document gets to pre-select both what is displayed in the title of the search bar and which files are listed.
The files you see don’t have to be locally stored files, like C:\Users\duck\mypreso.ppt; they can just as well be remote files (UNC paths) such as \\live.sysinternals.com\psshutdown.exe or \\example.org\dodgy.exe.
Of course, we only see this as a “sort of” zero-day because it doesn’t automatically run the offending file.
As you can see in the Twitter video above, you still have to select one of the files, double-click it to launch it, and click through a security warning.
Nonetheless, this trick is far more deceptive than old-school email lures with suspicious web links.
The popup window isn’t a browser or an email client.
Instead, it looks just like what you’d see if you did a regular search on your own computer, and it doesn’t contain anything that looks like a traditional web link.
What to do?
- Don’t open a file without double-checking its name. Don’t assume that the files displayed in a Windows Search dialog are trusted local files, especially if you didn’t intentionally start the search yourself. If in doubt, leave it out!
- Turn on the Windows option to show file extensions. Annoyingly, Windows suppresses file extensions by default, so a file called risky.exe appears simply as risky. This means that a file deliberately named readme.txt.exe shows up as the apparently innocent readme.txt. Open File Explorer and go to View > File name extensions.
- Remember that remote file names aren’t as obvious as web links. In Windows, you can access files by drive letter or by UNC path. A UNC path often refers to a server on your own network, such as \\MAINSRV, but it can refer equally well to a remote server on the Internet, like \\files.example.com or \\198.51.100.42. Double-clicking a remote file specified as a UNC path will not only download the file in the background from the specified server, but also run it automatically when it arrives.
- Consider deleting the registry entry HKEY_CLASSES_ROOT\search-ms. This is a mitigation similar to the one used for the Follina bug, which involved the ms-msdt entry instead. It breaks the magic link between clicking a search-ms: URL and activating the search bar. Once the registry entry is gone, a search-ms: URL no longer has any special meaning, so it doesn’t trigger anything.
- Watch this space. We wouldn’t be surprised if other proprietary Windows URLs make cybersecurity news in the coming days or weeks, whether used by cybercriminals for cunning or even outright destructive purposes, or exposed by researchers simply trying to push the limits of the system.
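Two items from the list above, the file-extension setting and the registry entry, can be applied in a reversible way from PowerShell. The script below is an added example and not the article’s own code. It assumes an elevated prompt (writing under HKEY_CLASSES_ROOT needs administrator rights), it exports the key to a .reg file before deleting it so the change can be undone with reg.exe import, and the backup path and the function names Show-FileExtensions and Disable-SearchMsHandler are this example’s own choices.

```powershell
# Added example (not the article's own code): two "What to do?" items as
# reversible PowerShell steps. Run from an elevated prompt; the HKCR change
# needs administrator rights. The backup location below is an assumption.

function Show-FileExtensions {
    # Equivalent of File Explorer > View > "File name extensions".
    # HideFileExt = 1 hides extensions (the Windows default); 0 shows them.
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $advanced -Name 'HideFileExt' -Value 0 -Type DWord
    # Explorer reads the setting when it starts, so restart it to apply the change now.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Process explorer.exe
}

function Disable-SearchMsHandler {
    param(
        [string]$Scheme = 'search-ms',
        [string]$BackupFile        # defaults to <profile>\<scheme>-handler-backup.reg (assumed path)
    )
    if (-not $BackupFile) {
        $BackupFile = Join-Path $env:USERPROFILE "$Scheme-handler-backup.reg"
    }
    $regPath = "HKEY_CLASSES_ROOT\$Scheme"

    if (-not (Test-Path -Path "Registry::$regPath")) {
        Write-Host "$regPath is not present; nothing to do."
        return
    }

    # 1. Export first, so the change can be undone with:  reg.exe import <BackupFile>
    & reg.exe export $regPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; leaving the key in place." }

    # 2. Delete the key. With it gone, "search-ms:" is just text: no handler, no search window.
    & reg.exe delete $regPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $regPath failed." }

    # 3. Confirm the scheme is now unregistered.
    if (Test-Path -Path "Registry::$regPath") {
        throw "$regPath still exists after deletion."
    }
    Write-Host "$regPath removed. Backup saved to $BackupFile."
}

Show-FileExtensions
Disable-SearchMsHandler
```

Because the same function takes the scheme name as a parameter, Disable-SearchMsHandler -Scheme 'ms-msdt' applies the equivalent Follina-era mitigation the list refers to. Keep the exported .reg file somewhere you can find it: if a legitimate application turns out to depend on the scheme, reg.exe import restores the key exactly as it was.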