Windows share exploit
The argument injection vulnerability described in this post is still present on fully patched Windows 10 and 11 systems. The patch that was issued after 5 months seems to only affect Teams and Skype in particular.
While it does prevent exploitation of the RCE PoCs described here, we believe that there are likely other ways of exploiting the argument injection to achieve code execution. After we brought this to Microsoft's attention, they said they have prepared another patch addressing the argument injection, and gave us the go-ahead to post this write-up independently of its rollout.
At the time of publishing this blog post, we could still inject arbitrary arguments and perform e. No CVE has been assigned or advisory published to inform the public about the risk, which Microsoft explained as follows: Most of our CVEs are created to explain to users why certain patches are sent through Windows Update and why they should be installed. Changes to websites, downloads through Defender, or through the Store normally do not get a CVE attached in the same way.
In this case the fix did not go out through Windows Update. When we inquired about the bounty amount, we were prompted to provide a PoC which does not require the victim to confirm the additional "This site is trying to open LocalBridge. Vulnerabilities that are only reachable by Internet Explorer are not in scope for our bounty program today. When a Windows 10 user either visits a malicious website with Edge, or clicks on a malicious "ms-officecmd:"-link in any application, arbitrary commands can be executed on the victim's computer.
A malicious link can look like this: Another browser demo video showing exploitation by clicking a link is also attached. An attacker in the local network can then connect to this port and run native code (also tested with Skype as the target), injecting application-specific arguments, e.
This can be combined with Chrome's auto-download behaviour to gain arbitrary code execution after a security warning. The vulnerability is in a default URI handler of Windows 10 and can be exploited from various applications.
In a default Windows 10 installation, LocalBridge. The scheme is used internally by the Office PWA application to launch other Microsoft applications, but such links can be opened by any application, e.
Additional checks are performed on the filename value, e. We investigated the potential impact of being able to launch those Microsoft apps with a user-chosen URI argument and found two attack vectors using Outlook: Publicly disclosed by security researcher Abdelhamid Naceri in a GitHub post last Sunday, the vulnerability allows for local privilege escalation from user-level privileges up to SYSTEM level, the highest security clearance possible.
According to the security researcher, this exploit works in all supported versions of Windows, including fully patched Windows 11 and Windows Server installations. Before posting the exploit on GitHub, Naceri first disclosed it to Microsoft and worked with the company to analyze the vulnerability.
Microsoft introduced a mitigation for the CVE zero-day exploit in November 's Patch Tuesday, but apparently failed to remediate the issue completely. Naceri then took to his GitHub post to provide a proof-of-concept exploit of the vulnerability that works even after Microsoft's mitigations were applied.