Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Windows 10 RCE: The exploit is in the link

Fabian Bräunlein & Lukas Euler - Positive Security (posted 4 years ago)
  • Our computers are filled with URIs (uniform resource identifiers), and the operating system and installed packages register handlers that know how to open these links. Common schemes are http and file, but many applications register their own scheme in order to expose extra functionality inside the application. The authors of this article went after the URI handlers registered on Windows 10 to see if they could find any vulnerabilities.
  • Vulnerabilities in URI handlers commonly lead to code execution. While enumerating registry keys on the system they came across the URI scheme ms-officecmd. Since Office is hugely complex and this legacy protocol would be installed everywhere, they started looking into this URI handler. The URI accepted valid JSON, the simplest payload being ms-officecmd:{}.
  • At this point, they had to start reverse engineering the application. Luckily for them, it was written in C#, which is easily decompiled with variable names and everything else still intact. After reverse engineering a few applications (including another URI handler, ms-officeapp:), they were able to get a valid payload working. The
  • The JSON had the following format:
    • appId: The Office application to be opened, such as Access (1), Excel (2) and many other Microsoft products.
    • Filename: A file path or a URL to a file to be opened in the application chosen above.
    • Name: The name of the application to open.
    • Command: The local location to execute for the application.
  • The first bug was that an arbitrary URL could be supplied for Outlook. When the link was opened, the user was taken to Outlook with an open WebView showing the web page. This is a great way to run a phishing campaign!
  • Besides the phishing attack, files could be specified. Even though file:// was blocked, using C:// bypassed this validation to reach a local file. Additionally, adding a trailing / bypasses the file-extension check, and the slash is ignored once the executable is launched. In the PoC on the page, they show PuTTY being opened directly. If we can trick the user into downloading something, we could even run our own executable here!
  • To open another application, the URI is handled by the AppBridge.dll library, which includes some of the user input directly in a command-line argument. By adding a double quote (") to the filename parameter, they found they could escape this parameter. As a result, argument injection was possible for whatever application they were trying to load.
  • Argument injection in a simple application with one or two flags is not likely to be a problem. However, given the complexity of Word, Outlook and the rest, this was a disaster waiting to happen. They believe it would be possible to exploit an add-on to Word or Excel, but never got this working.
  • In Microsoft Teams, which is built on Electron, they figured out how to launch a man-in-the-middle attack via the CLI parameters, by adding the --ignore-certificate-errors flag and an IP host rewrite rule. Because of previous CVEs, Electron decided to stop parsing flags after a file URI, but made an exception for one-letter URIs. With a bogus one-letter URI and the flag above, a MITM attack could now be performed.
  • In both Teams and Skype the --inspect flag could be inserted. This flag specifies a debugger port to connect to; upon connecting, exec("<command>") was executed, giving RCE on the device, assuming the attacker knew where to connect. Another bug was command injection via Electron's --gpu-launcher parameter, which comes from Chrome. This trick had been used in a previous exploit as well.
  • Overall, a great article on the tale of their research. A few takeaways from this:
    • Parsing and validation are hard to do properly! Even if validation prevents the obvious attack, see whether some slight variation bypasses the validation but still works in practice.
    • Argument injection is a very serious bug!
    • Do not trust vendors to pay out for what they say they will. There's always a loophole they will find.
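To make the validation takeaway concrete, here is an added example (mine, not code from the article or from Microsoft) that models the filename checks described above: a blocklist-style validator that the C:// and trailing-slash inputs slip past, beside an allowlist version that rejects them and also refuses the double quote used for argument injection. The flat JSON layout with the four listed fields and the extension lists are assumptions; the real ms-officecmd payload is more nested.

```python
import json
from pathlib import PureWindowsPath
from urllib.parse import urlparse

SCHEME = "ms-officecmd:"
# Assumed lists: a few executable extensions a blocklist might refuse, and
# a few document types a launcher would reasonably allow.
BLOCKED_EXTS = {".exe", ".bat", ".cmd"}
ALLOWED_EXTS = {".docx", ".xlsx", ".pptx"}


def parse_ms_officecmd(uri: str) -> dict:
    """Strip the scheme prefix and decode the JSON body (ms-officecmd:{} is the minimum)."""
    if not uri.startswith(SCHEME):
        raise ValueError("not an ms-officecmd URI")
    return json.loads(uri[len(SCHEME):])


def naive_validate(uri: str) -> bool:
    """Blocklist checks in the spirit of the ones the article describes,
    judged on the raw string: refuse 'file://' and refuse known executable
    extensions. 'C://...' and a trailing '/' both slip through."""
    fn = parse_ms_officecmd(uri).get("filename", "")
    if fn.lower().startswith("file://"):
        return False
    return not any(fn.lower().endswith(ext) for ext in BLOCKED_EXTS)


def hardened_validate(uri: str) -> bool:
    """Allowlist instead: reject characters that could break out of a quoted
    command-line argument, accept only http/https, and judge the extension
    on the parsed path with trailing separators stripped."""
    fn = parse_ms_officecmd(uri).get("filename", "")
    if any(c in fn for c in '"\r\n\x00'):
        return False
    parts = urlparse(fn)  # 'C://Tools/x' parses as scheme 'c', so it fails the allowlist
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    suffix = PureWindowsPath(parts.path.rstrip("/\\")).suffix.lower()
    return suffix in ALLOWED_EXTS
```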