Following the discovery of the Follina vulnerability exploit (CVE-2022-30190) via the Windows ms-msdt protocol, this bastion is being "stormed". A hacker looked at the search-ms: URI handler in Windows 10 and developed an exploit similar to Follina. With the help of Office 2019, he can open Windows Search via the protocol handler. Colleagues at Bleeping Computer have already coined the term SearchNightmare for this 0-day exploit.
On Facebook, I was alerted to the following tweet from hackerfantastic.crypto in a private message. He was able to call the search-ms: URI handler on Windows 10 using Microsoft Office 2019 to gain SYSTEM privileges.
The new zero-day vulnerability in Windows Search can be used to automatically open a search window, from which remote malware can be executed, simply by launching a Word document. This is effectively a similar attack to the one via the Windows ms-msdt protocol (Follina vulnerability CVE-2022-30190): Matthew Hickey used a modified exploit that chains the Microsoft Office OLEObject vulnerability with the Windows search-ms protocol handler.
The search-ms URI protocol handler allows applications and HTML links to launch custom searches on a device. The exploit can therefore be used to open the Windows search window or to list files on remote shares by opening a Word document. The colleagues from Bleeping Computer point out that remote locations can also be included in the search. The Sysinternals tools, for example, are served from live.sysinternals.com as a network share that can be mounted to run the utilities. To search this remote share and list only files whose names match a specific term, you could use the following "search-ms" URI:
search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals
This works in Windows 7 SP1 up to Windows 11. An attacker could use this approach for malicious actions and, for example, link alleged security updates via a search-ms URI in phishing emails. The links could then point to a remote Windows share hosting malware disguised as security updates.
Threat actors can use this method to create sophisticated phishing campaigns. The campaigns involve hosting Windows shares publicly; the malware could then be spread remotely through the Windows search windows opened by phishing links or malicious Word documents. The user would, however, still have to click the link and confirm the warning displayed when the search opens (see the image in the following tweet).
The hacker gives his steps to mitigate the attack path in the following tweet:
1. run the command prompt as an administrator.
2. to back up the registry key, run the command "reg export HKEY_CLASSES_ROOT\search-ms filename".
3. run the command "reg delete HKEY_CLASSES_ROOT\search-ms /f".
This sequence of steps removes the entry for the search-ms URI protocol handler from the registry. As also addressed in the post Follina: Attack via Word documents and ms-msdt protocol (CVE-2022-30190), removing the key is not enough to fix the vulnerability, because the protocol handler could still be registered in other registry branches (HKCU, HKLM).
The text here is a quick summary and description. Analysis and mitigation of the vulnerability by security researchers will reveal further findings. The colleagues at Bleeping Computer have published some information about it here. Benjamin Altpeter from TU-Braunschweig already described the two vulnerabilities, in the ms-msdt protocol and in the search-ms URI handler, in 2020 in his dissertation on Electron application security.
It's worth noting that the above example fails if you're attempting it from behind most correctly configured corporate firewalls (which, of course, block SMB outbound). But if you substitute the WEBDAV version of the reference, it works fine:
search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com@ssl%5CDavWWWRoot&displayname=Searching%20Sysinternals
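To pick such links out of mail bodies or proxy logs, here is an added Python example (not code from the original post, the tweet or the comment above) that parses search-ms: URIs, including the WebDAV form shown in the comment, and flags those whose crumb=location points at a remote share; the mail text it scans is constructed for the example and reuses the two URIs from this page.

```python
"""Detect search-ms: URIs that point Windows Search at a remote share.

Added example (not code from the original post). Scans text such as an
extracted mail body or proxy log for search-ms: links, parses the
crumb=location parameter and flags UNC/WebDAV locations, which is what
the SearchNightmare phishing scenario relies on."""
import re
from urllib.parse import parse_qs

# a search-ms: URI runs until whitespace or an HTML/quote delimiter
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)

def parse_search_ms(uri: str) -> dict:
    """Return the '&'-separated, percent-encoded parameters of a search-ms: URI."""
    body = uri.split(":", 1)[1]
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def classify(uri: str) -> dict:
    """Describe one search-ms: URI and whether its search location is remote."""
    params = parse_search_ms(uri)
    crumb = params.get("crumb", "")
    location = crumb[len("location:"):] if crumb.lower().startswith("location:") else ""
    remote = location.startswith("\\\\")  # UNC path: \\host\share
    host = location[2:].split("\\", 1)[0].split("@", 1)[0] if remote else ""
    # '@ssl' / 'DavWWWRoot' select the WebDAV redirector, which usually
    # gets past outbound firewalls that block SMB (port 445)
    webdav = remote and ("@ssl" in location.lower() or "davwwwroot" in location.lower())
    return {
        "uri": uri,
        "query": params.get("query", ""),
        "displayname": params.get("displayname", ""),
        "location": location,
        "remote": remote,
        "webdav": webdav,
        "host": host,
        "severity": "high" if remote else "low",
    }

def scan_text(text: str) -> list:
    """Find every search-ms: URI in text and classify it."""
    return [classify(m.group(0)) for m in SEARCH_MS_RE.finditer(text)]

# Constructed sample: a mail body with the two URIs from the post and one local search
SAMPLE_MAIL = """Please install the security update:
search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals
fallback: search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com@ssl%5CDavWWWRoot&displayname=Searching%20Sysinternals
unrelated: search-ms:query=invoice&crumb=location:C%3A%5CUsers%5CPublic
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_MAIL):
        print(f["severity"], f["host"] or "local", "webdav" if f["webdav"] else "smb/local", f["displayname"])
```

Any finding with "remote" set deserves a closer look, since the search window will list and allow launching whatever the remote host serves under that path.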