October 3, 2023
What is Remote Code Execution Attack & How to Prevent this Type of  Cyberattack - Driz Group

A drive-by remote code execution (RCE) vulnerability in Windows 10 that can be triggered simply by clicking a malicious URL could allow attackers full access to a victim’s files and data.

Advertisements

The security flaw, an argument injection in the Windows 10/11 default handler for ms-officecmd: URIs, is present in Windows 10 via Internet Explorer 11/Edge Legacy browsers and Microsoft Teams.

Microsoft has since released a patch, but researchers claim that the fix – applied five months after the bug report “fails to properly address the underlying argument injection which is currently also still present on Windows 11”.

Windows internally uses ms-officecmd: URIs to start various Microsoft programs. Researchers revealed how it is possible to craft an URL in such a way that, when clicked, it will execute a malicious command while also starting Microsoft Teams.

Advertisements

Chained together with a security issue in Internet Explorer 11/Edge Legacy, visiting a malicious website is enough to trigger the exploit. The researchers also warned that this vulnerability is still present in the operating system.

The attack starts with a victim either visiting a malicious website in IE11/Edge Legacy or clicking a malicious link in another browser or desktop application. The link is then forwarded to LocalBridge.exe, which in turn runs various Office executables with a segment of the link as argument.

Possibility to inject additional arguments exists, which allowed us to achieve code execution by triggering the launch of Microsoft Teams with an additional –gpu-launcher argument that is then interpreted by Electron.

Exploitation through other browsers requires the victim to accept an inconspicuous confirmation dialog. Alternatively, a malicious URI could also be delivered via a desktop application performing unsafe URL handling. However, a precondition for this exploit is to have Microsoft Teams installed but not running.

Advertisements

When the issue was reported, Microsoft told the team that since this was a social engineering attack, it was not eligible for a bug bounty reward. A lengthy appeal process eventually resulted in the researchers being awarded a $5,000 reward – a figure that they argued was still insufficient, since it was just 10% of the maximum reward.

Although the proof-of-concept no longer works, the argument injection vulnerability has not been patched.

Leave a Reply

%d bloggers like this: