CreateRCE — Yet Another Vulnerability in CreateUri


Akamai researcher Ben Barnea found a critical vulnerability in Microsoft Windows, which was assigned CVE-2023-35628.

Executive summary

  • Akamai researcher Ben Barnea found a critical vulnerability in Microsoft Windows, which was assigned CVE-2023-35628.

  • An attacker on the internet can trigger the vulnerability against Outlook clients without any user interaction (zero-click).

  • The vulnerability lies in the parsing of a path by the CreateUri function. We are currently aware of two ways to trigger this vulnerability: (1) by sending a crafted email to an Outlook client, or (2) by enticing a user to navigate File Explorer to a folder containing a malicious downloaded file.

  • The vulnerability was responsibly disclosed to Microsoft and addressed on December 2023’s Patch Tuesday.

  • Windows machines with the December 2023 software update installed are protected from this vulnerability. Additionally, Outlook clients that use Exchange servers patched with March 2023 software update are protected against the abused feature.

Introduction

The omnipresence of Microsoft in the enterprise and beyond makes it a large (and lucrative) target for attackers. As such, we have done extensive research into the suite of products and protocols — finding both vulnerabilities and building tools to assist with detection and mitigation.

As part of this research, we discovered a new remote code execution (RCE) vulnerability in the WinAPI function CreateUri that is called as part of the patch for the original vulnerability CVE-2023-23397. While the previous RCE vulnerability chain needed to chain together two vulnerabilities to achieve a zero-click RCE primitive, this vulnerability can do so on its own. In addition to Outlook, we’ll also show you how to trigger the vulnerability in File Explorer.

The vulnerability saga

Among the vulnerabilities addressed as part of the March 2023’s Patch Tuesday was a critical Outlook vulnerability discovered by Microsoft themselves (assigned CVE-2023-23397) which was exploited in the wild by a Russian state-sponsored threat actor called Forest Blizzard.

In December 2023, Microsoft and the Polish Cyber Command published that they had seen recent exploitation attempts of the vulnerability by the same threat actor. The vulnerability allowed an attacker to coerce an Outlook client to connect to the attacker’s server. As part of this connection, the client sends their NTLM credentials to the attacker, who can then crack them offline, or use them in a relay attack. This vulnerability could be exploited remotely over the internet without any user interaction (zero click).

After the patch for this vulnerability was released, we found two bypasses along with a vulnerability in sound file parsing. Chaining a bypass with the sound parsing vulnerability could lead to a full zero-click RCE primitive on the Outlook client.

MapUrlToZone

As part of the patch for the Outlook vulnerability CVE-2023-23397, the code that is responsible for handling a custom reminder sound adds a call to MapUrlToZone. The call checks that the provided URL, specified through the extended MAPI property PidLidReminderFileParameter, does not point to an internet resource.

Although this mitigates the initial vulnerability, it adds a new attack surface: the function MapUrlToZone itself, because we control the path that is passed to MapUrlToZone.

As part of the parsing done by MapUrlToZone, it calls CreateUri. CreateUri creates an IUri object representing a Uniform Resource Identifier (URI). To create the object, the function knows how to parse both URLs and some DOS/Windows paths.

When CreateUri is called with a file path (e.g., using file:// scheme, or a Windows path pointing to a file/directory), the function CrackUrlFile is called. This is also the function that contained the bypasses described in the previous blog post.

The new vulnerability

At the beginning of CrackUrlFile, if it receives a URL rather than a Windows path, it creates a copy of the input, and then transforms the URL copy to a Windows path using PathCreateFromUrlW. The working buffer is marked as dynamically allocated, so it would know to free it later on. If the function receives a Windows path, it directly works on the input path, and thus it doesn’t need to free the pointer.

During the parsing of the working buffer, the buffer can be advanced; e.g., if it’s a local device path (begins with “\\.\” or “\\?\”), the function advances the pointer by four characters. Then, if the device name is “UNC\”, it advances by four more characters. If there are multiple backslashes, the function also advances the buffer past the duplicated backslashes.

As part of our reversing of the patches to the bypasses, we noticed new code added in CrackUrlFile in July 2023, which seemed to be unrelated to our bypasses (Figure 1).

Fig. 1: Decompilation of newly added code

As part of the parsing of the path, the function checks whether the path component is either a drive path or a rooted path. If so, it marks the path as local. The new code then overwrites the original buffer pointer with a pointer to the path component (the advanced buffer) if the path is a drive path.

This is the origin of the bug: the advanced pointer is saved. Later on, the original buffer pointer (PPWorkingBuffer in Figure 1) is retrieved and freed if the buffer was dynamically allocated. Since it was overwritten with the advanced pointer, free() is called with a pointer that was never returned by malloc. This gives an attacker a primitive to feed the memory allocator attacker-controlled chunk metadata.

For the vulnerability to be triggered, we first need to specify a file scheme URL with a UNC path, so that the working buffer is a dynamically allocated copy. Then, we need the path component to be recognized as a drive path, so the share name must be a drive letter (C:). The full path to trigger the vulnerability looks like this:

file://./UNC/C:/Akamai.com/file.wav

The fixed code now copies the bytes of the path component using RtlMoveMemory, instead of saving the pointer.
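The pointer drift described in this section and the trigger path above, as an added model written for this page. It is not Microsoft's CrackUrlFile and not the Akamai PoC: the prefix stripping, the drive-path check and the two epilogue variants are reconstructed from the prose, the function names crack_url_file_model() and url_to_windows_path() are hypothetical, and the URL-to-path conversion is a stand-in for PathCreateFromUrlW that only handles the file://host/... form used here. The model never calls free() on the drifted pointer, because on a real heap that is exactly the invalid free the bug produces; it reports the offset between the allocation base and the pointer the epilogue would free instead.

```c
/* Added model of the CrackUrlFile bug described above. Not Microsoft's code;
 * names and structure are a reconstruction from the post. C99, any platform. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct crack_result {
    char *allocation_base;  /* what malloc() returned, NULL for a plain path */
    char *buffer_to_free;   /* what the epilogue would hand to free() */
    char *path_component;   /* where parsing left the working pointer */
    long  free_offset;      /* buffer_to_free - allocation_base; != 0 is an invalid free */
    int   is_drive_path;
};

/* Case-insensitive prefix test ("UNC\" must also match "unc\"). */
static int starts_with_nocase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (toupper((unsigned char)*s) != toupper((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Stand-in for PathCreateFromUrlW (assumption: only the file://host/... form):
 * "file://./UNC/C:/x" -> "\\.\UNC\C:\x". Returns a heap copy, which is what
 * makes the working buffer "dynamically allocated" and therefore freed later. */
static char *url_to_windows_path(const char *url)
{
    const char *rest = url + strlen("file://");
    size_t n = strlen(rest);
    char *out = malloc(n + 3);
    if (!out)
        return NULL;
    out[0] = '\\';
    out[1] = '\\';
    for (size_t i = 0; i < n; i++)
        out[2 + i] = (rest[i] == '/') ? '\\' : rest[i];
    out[2 + n] = '\0';
    return out;
}

/* "C:" followed by end of string or a separator. */
static int is_drive_path(const char *p)
{
    return isalpha((unsigned char)p[0]) && p[1] == ':' &&
           (p[2] == '\0' || p[2] == '\\');
}

/* vulnerable = 1: the July 2023 code, the advanced pointer is written back into
 * the variable the epilogue frees. vulnerable = 0: the December 2023 fix, the
 * component is copied down (RtlMoveMemory in the real code) so the allocation
 * base is what gets freed. */
struct crack_result crack_url_file_model(const char *input, int vulnerable)
{
    struct crack_result r = {0};
    char *working;
    int dynamic = 0;

    if (starts_with_nocase(input, "file://")) {
        working = url_to_windows_path(input);
        dynamic = 1;
    } else {
        working = (char *)input;            /* caller's buffer: never freed */
    }
    if (!working)
        return r;

    char *pp_working_buffer = working;      /* PPWorkingBuffer in Figure 1 */
    char *p = working;

    if (starts_with_nocase(p, "\\\\.\\") || starts_with_nocase(p, "\\\\?\\")) {
        p += 4;                             /* local device path */
        if (starts_with_nocase(p, "UNC\\"))
            p += 4;                         /* device name is UNC */
    } else if (starts_with_nocase(p, "\\\\")) {
        p += 2;                             /* plain UNC path */
    }
    while (*p == '\\')
        p++;                                /* skip duplicated backslashes */

    if (is_drive_path(p)) {
        r.is_drive_path = 1;
        if (vulnerable)
            pp_working_buffer = p;          /* BUG: interior pointer saved */
        else {
            memmove(working, p, strlen(p) + 1);  /* FIX: copy the bytes */
            p = working;
        }
    }

    r.allocation_base = dynamic ? working : NULL;
    r.buffer_to_free  = dynamic ? pp_working_buffer : NULL;
    r.free_offset     = dynamic ? (long)(pp_working_buffer - working) : 0;
    r.path_component  = p;
    return r;
}

/* Release the real allocation (always the base, never the drifted pointer). */
void crack_result_release(struct crack_result *r)
{
    free(r->allocation_base);
    r->allocation_base = r->buffer_to_free = r->path_component = NULL;
}

int main(void)
{
    const char *trigger = "file://./UNC/C:/Akamai.com/file.wav";
    struct crack_result v = crack_url_file_model(trigger, 1);
    struct crack_result f = crack_url_file_model(trigger, 0);
    printf("vulnerable: free(base + %ld), component \"%s\"\n", v.free_offset, v.path_component);
    printf("fixed:      free(base + %ld), component \"%s\"\n", f.free_offset, f.path_component);
    crack_result_release(&v);
    crack_result_release(&f);
    return 0;
}
```

Run stand-alone, the trigger path shows the vulnerable epilogue freeing base + 8 (past `\\.\` and `UNC\`), while the fixed epilogue frees base + 0. A file URL whose share is not a drive letter, or a plain Windows path that was never copied, never reaches the bad free, which is why both the file:// scheme and the C: share are needed.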

Triggering through Explorer

Although it was out of the scope of our research to find such places, we made one quick attempt: Triggering it through Windows Explorer.

To do so, we created a shortcut (.lnk file) pointing to the vulnerable path. Once the victim views the directory in which the shortcut file resides, the vulnerability is triggered in Explorer, which leads to an immediate crash (Figure 2).

To test if your machine is vulnerable to this issue, you are welcome to download our proof of concept (PoC) that will crash Explorer. (Carefully read the specifics and risks about the PoC in our security research repo prior to use.)

Fig. 2: Explorer crashing as a result of the PoC

Summary

This is our final blog post about the research on the potential impact of CVE-2023-23397.

In May 2023, when we discovered the first bypass, we recommended removing the abused feature since using MapUrlToZone adds a new attack surface. We also mentioned that exposing a sound parsing attack surface to a remote attacker in a zero-click manner, without any sandbox, presents more dangers to users than value.

In our subsequent research, we managed to prove exactly that by finding two bypasses, finding a sound parsing issue, and, finally, finding a memory corruption in Windows path parsing.

We hope you learned new things about Windows paths, sound codecs, and different vulnerabilities via these posts. We encourage other researchers to look at patches and think about how they can be bypassed. We cannot rule out that more MapUrlToZone bypasses exist.


Originally published by Ben Barnea: CreateRCE — Yet Another Vulnerability in CreateUri

Copyright notice: posted by admin on April 19, 2024 at 9:45 PM.
Please credit when reposting: CreateRCE — Yet Another Vulnerability in CreateUri | CTF导航
