The flurry of security bugs Microsoft addressed with this month’s rollout of updates includes a remote code execution vulnerability in Edge web browser. The glitch relies on abusing URI schemes and scripts in Windows that can run with user-defined parameters.
Now tracked as CVE-2018-8495, the bug was discovered by security researcher Abdulrahman Al-Qabandi.
His investigation started from the simple response to the ‘mailto’ URI scheme in Microsoft Edge when he noticed that Outlook would launch with a parameter customized for the scenario at hand.
By searching the Windows Registry for executables that accepted user-defined commands, Al-Qabandi found Windows Script Host (‘WScript.exe’), which can execute scripts in multiple languages.
Upon testing the URI scheme ‘wshfile:test’ in Microsoft Edge, the first response from the operating system was to ask the user for an app to handle the procedure. Windows Script Host (WSH) is the default handler.
Armed with a supported URI scheme that could execute files located under a user-defined path, the researcher tested to see if using the path traversal trick would have WSH load a VBScript from an arbitrary location, and the result was positive.
“Awesome! We can now point to any file in any directory and so long as we can drop a file in a predictable location, we will have RCE,” the researcher explains in his write-up for the bug.
Predictable location needed
Edge caches files into unpredictable locations, though, which makes all the research effort so far futile unless there was a way to make the VBScript called through the URI scheme code accept arguments that could be crafted in a way to launch files in known locations on the computer.
Luckily, previous research showed how to achieve this with a particular signed VBScript that suffered from “WSH Injection,” and specified that more similar cases existed in Windows.
Al-Qabandi’s hunt for VBScripts that accepted user-defined parameters yielded ‘SyncAppvPublishingServer.vbs.’ The file can also execute commands via PowerShell without filtering them.
The process is invisible to the user, who sees only the end result, because PowerShell runs with the command line argument ‘-WindowStyle Hidden.’
Short PoC code snippet available
As a bonus, Microsoft Edge did not sanitize quotation marks, so an attacker could pass multiple arguments to ‘WScript.exe.’
To demonstrate his findings, Al-Qabandi created a proof-of-concept (PoC) script that includes a solution for automatically handling the prompt that asks the user to choose the application that handles the URI scheme.
The researcher disclosed the problem privately to Microsoft through Trend Micro’s Zero Day Initiative program that handles the communication with affected vendors and ensures responsible disclosure.