A remote code execution vulnerability exists in Microsoft Windows that gives an attacker the privileges of the logged-in user
IMPACT: HIGH
PUBLISH DATE: 16-08-2018
OVERVIEW
Microsoft Windows is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.
A remote attacker can create a specially crafted file that, when opened by the target user, triggers a file path validation flaw in the Windows Shell and executes arbitrary code on the target system. The code runs with the privileges of the target user.
BACKGROUND INFORMATION
A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows 10 and Windows Server.
If the user is logged in with administrative privileges at the time of exploitation, the attacker could take control of the affected system: installing programs; viewing, changing, or deleting data; or creating new accounts with full user rights. Users whose accounts have fewer privileges on the system are therefore less impacted than users with administrative privileges.
An attacker could exploit the vulnerability either by sending a specially crafted file to the user and convincing the user to open it, or by hosting a website that contains a specially crafted file designed to exploit the vulnerability.
However, the attacker has no way to force a user to open the file; they have to convince the user to click a link and open the specially crafted file.
ANALYSIS
This vulnerability in the Windows Shell concerns the use of SettingContent-ms files (the Windows 10 control panel shortcuts) for malware distribution. A SettingContent-ms file is nothing more than an XML document containing a <DeepLink> tag that specifies the on-disk location of the Windows settings page to open when the user double-clicks the shortcut.
The problem arises when the DeepLink tag points at any other executable on the local system, including binaries such as cmd.exe or PowerShell.exe (two programs that allow shell command execution).
Tricking users into opening such a file via phishing emails and social engineering is an easy task. Researchers report that they hosted a SettingContent-ms shortcut on a web server and were able to download and run it without Windows 10 or Windows Defender alerting the user at all.
Furthermore, malware authors can embed a SettingContent-ms shortcut inside Office documents with the help of an Office feature named Object Linking and Embedding (OLE). This feature allows Office users to embed other files in Office documents, and it has been one of the simplest methods of running malicious code on users' PCs.
Microsoft has counteracted this trend by disallowing the embedding of certain dangerous file types as OLE objects. Because SettingContent-ms was a new file type, it was not included in Office's OLE file-type blocklist, so malware authors could reliably embed SettingContent-ms files in Office documents to execute malicious operations on users' systems.
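The following is an added example, not code from the Rewterz advisory or from Microsoft. It serves both passages above: it classifies a SettingContent-ms file by what its <DeepLink> actually launches, and it pulls such files out of an Office document that carries them as an OLE embedding. The XML layout and namespace follow the files Windows ships in %windir%\ImmersiveControlPanel\Settings; the denylist of interpreters, the fixed ENV table and both sample inputs are assumptions constructed for this example.

```python
# Added example, not code from the advisory: triage SettingContent-ms shortcuts
# by what their <DeepLink> launches, and pull such shortcuts out of Office files
# that embed them as OLE objects. The XML layout follows the files Windows ships
# in %windir%\ImmersiveControlPanel\Settings; the denylist, ENV table and sample
# inputs are assumptions constructed for this example.
import io
import ntpath
import re
import xml.etree.ElementTree as ET
import zipfile

# Interpreters and LOLBins a settings shortcut has no reason to start (assumed).
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                  "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Fixed expansion so this runs on any OS; use os.path.expandvars on a live host.
ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}
SUSPICIOUS_ARGS = re.compile(r"(?i)(?:^|\s)(?:/c|/k|-e|-enc|-encodedcommand|-c|-command)(?:\s|$)")


def expand(path: str) -> str:
    """Expand %VAR% references using the fixed ENV table."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


def split_command(cmd: str):
    """Split a DeepLink command line into (program, arguments)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)$', cmd)
    return (m.group(1) or m.group(2), m.group(3)) if m else ("", "")


def classify_deeplink(cmd: str) -> dict:
    """Decide whether a DeepLink opens a settings page or launches a payload."""
    program, args = split_command(cmd)
    expanded = expand(program)
    name = ntpath.basename(expanded).lower()
    reasons = []
    if name in SHELL_BINARIES:
        reasons.append(f"launches interpreter {name}")
    if expanded.startswith("\\\\") or re.match(r"(?i)^(https?|ftp):", expanded):
        reasons.append("program is fetched from a remote location")
    elif not expanded.lower().startswith(ENV["windir"].lower() + "\\"):
        reasons.append("program lives outside the Windows directory")
    if SUSPICIOUS_ARGS.search(args):
        reasons.append("arguments hand the program a command or script")
    return {"program": expanded, "args": args, "reasons": reasons,
            "verdict": "suspicious" if reasons else "ok"}


def triage_xml(xml_text: str) -> list:
    """Classify every <DeepLink>, with or without the SettingContent namespace."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [classify_deeplink((el.text or "").strip())
            for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "DeepLink"]


def triage_docx(docx_bytes: bytes) -> list:
    """Scan OLE embeddings in an Office zip for SettingContent-ms payloads. Packager
    objects keep the dropped file's bytes inline, so a substring scan for the
    <PCSettings> document is a workable first pass (a compressed or split
    container would evade it)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().startswith(("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")):
                continue
            data = zf.read(name)
            start, end = data.find(b"<PCSettings"), data.find(b"</PCSettings>")
            if start < 0 or end < 0:
                continue
            xml_text = data[start:end + len(b"</PCSettings>")].decode("utf-8", "replace")
            findings += [{"entry": name, **r} for r in triage_xml(xml_text)]
    return findings


# Constructed samples: a genuine-looking Backup and Restore shortcut, and the same
# file with its DeepLink repointed at cmd.exe.
BENIGN = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe /name Microsoft.BackupAndRestore</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""
MALICIOUS = BENIGN.replace("control.exe /name Microsoft.BackupAndRestore", "cmd.exe /c calc.exe")


def build_sample_docx() -> bytes:
    """Constructed stand-in for a .docx carrying a Packager OLE object: a real
    oleObject1.bin is a CFB container, here the payload is only wrapped in filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/embeddings/oleObject1.bin",
                    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64 + MALICIOUS.encode("utf-8") + b"\x00" * 64)
    return buf.getvalue()
```

On a real host, run triage_xml over the shortcuts in %windir%\ImmersiveControlPanel\Settings first to confirm the heuristics stay quiet on the legitimate set, then over anything that arrives by mail or download; triage_docx is a first-pass filter for mail gateways and sandboxes, not a replacement for a proper OLE parser.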
AFFECTED PRODUCTS
All hosts and servers running the following OS versions are affected:
- Microsoft Windows 10 Version 1803 for 32-bit Systems
- Microsoft Windows 10 Version 1803 for x64-based Systems
- Microsoft Windows 10 version 1703 for 32-bit Systems
- Microsoft Windows 10 version 1703 for x64-based Systems
- Microsoft Windows 10 version 1709 for 32-bit Systems
- Microsoft Windows 10 version 1709 for x64-based Systems
- Windows Server, version 1709 (Server Core Installation)
- Windows Server, version 1803 (Server Core Installation)
UPDATES
The security updates address the vulnerability by ensuring the Windows Shell properly validates file paths.
Apply the following update for the OS version in use.
- Windows 10 for 32-bit Systems and for x64-based Systems (KB4343892):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343892
- Windows 10 Version 1607 for 32-bit Systems and for x64-based Systems; Windows Server 2016; Windows Server 2016 (Server Core installation) (KB4343887):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343887
- Windows 10 Version 1703 for 32-bit Systems and for x64-based Systems (KB4343885):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343885
- Windows 10 Version 1709 for 32-bit Systems and for x64-based Systems; Windows Server, version 1709 (Server Core Installation) (KB4343897):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343897
- Windows 10 Version 1803 for 32-bit Systems and for x64-based Systems; Windows Server, version 1803 (Server Core Installation) (KB4343909):
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343909
Furthermore, if you think you are the victim of a cyber-security attack, immediately send an email to info@rewterz.com for a rapid response.