A new Windows Search zero-day vulnerability can be used to automatically open a search window that lists remotely hosted malware executables simply by opening a Word document.
The issue can be exploited because Windows supports a URI protocol handler called "search-ms" that allows applications and HTML links to launch customized searches on a device.
While most Windows searches run against the local index, it is also possible to force Windows Search to query file shares on remote hosts and to give the search window a custom title.
For example, the popular Sysinternals toolkit can be mounted remotely as a network share at live.sysinternals.com so that its utilities can be launched from there. To search that remote share and list only files matching a specific name, you can use the following "search-ms" URI:
search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals
In the URI above, the search-ms "crumb" parameter specifies the location to search (here a UNC path, with %5C%5C decoding to \\) and the "displayname" parameter sets the title of the search window.
Running this URI from the Run dialog or from a web browser's address bar on Windows 7, Windows 10 and Windows 11 opens a custom search window, as shown below.
[Image: Windows Search window listing files on a remote file share. Source: BleepingComputer]
Notice how the window title is set to the "Searching Sysinternals" display name specified in the search-ms URI.
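To show what a defender can pull out of such a URI, here is an added example (not code from the article or from the researchers it quotes) that finds search-ms URIs in arbitrary text such as an extracted document part or an email body, URL-decodes their parameters, and flags any whose crumb points Windows Search at a remote UNC path rather than the local index. The function name and the two sample URIs are the editor's own constructions.

```powershell
# Added example (not from the original article): decode search-ms URIs found in text
# and flag those that point Windows Search at a remote UNC path.
# Function name and sample input are assumptions; the sample URIs below are constructed.

function Get-SearchMsUri {
    param([Parameter(Mandatory)][string]$Text)

    # Match search-ms: URIs as they appear in OLE relationships, HTML or email bodies.
    $pattern = 'search-ms:[^\s"''<>]+'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $raw = $m.Value
        $query = $raw.Substring('search-ms:'.Length)
        $params = @{}
        foreach ($pair in $query -split '&') {
            if ($pair -match '^([^=]+)=(.*)$') {
                # Parameters are URL-encoded (%5C%5C = \\, %20 = space).
                $params[$Matches[1]] = [System.Uri]::UnescapeDataString($Matches[2])
            }
        }
        $crumb = $params['crumb']
        $location = $null
        if ($crumb -and $crumb -match '(?i)location:(.+)$') { $location = $Matches[1] }
        # A crumb location beginning with \\ sends the search to an SMB share, not the local index.
        $remote = [bool]($location -and $location.StartsWith('\\'))
        [pscustomobject]@{
            Uri         = $raw
            Query       = $params['query']
            Location    = $location
            DisplayName = $params['displayname']
            Remote      = $remote
        }
    }
}

# Constructed sample: one local search and one mirroring the Sysinternals URI above.
$sample = @'
<a href="search-ms:query=report&crumb=location:C:%5CUsers&displayname=My%20Reports">local</a>
<a href="search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals">remote</a>
'@

Get-SearchMsUri -Text $sample | Format-Table -AutoSize
```

On the constructed sample the first URI decodes to a local path (Remote = False) and the second to \\live.sysinternals.com with the display name "Searching Sysinternals" (Remote = True); the same function can be run over text extracted from attachments to spot the remote-share variant described in the rest of the article.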
Threat actors could use the same approach in malicious attacks, sending phishing emails that pretend to deliver security updates or patches that need to be installed.
They could then set up a remote Windows share hosting malware disguised as security updates and include the search-ms URI in their attachments or phishing emails.
However, it would not be easy to get a user to click on a URL like this, especially when the browser shows a warning first, as seen below.
[Image: Browser warning when launching a URI protocol handler. Source: BleepingComputer]
But Hacker House co-founder and security researcher Matthew Hickey found a way to combine a newly discovered Microsoft Office OLEObject flaw with the search-ms protocol handler to open a remote search window simply by opening a Word document.
Microsoft Office takes it to the next level
This week, researchers discovered that threat actors were using a new Windows zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). To exploit it, the threat actors created malicious Word documents that launched the "ms-msdt" URI protocol handler to execute PowerShell commands simply by opening the document.
Tracked as CVE-2022-30190, the flaw allows Microsoft Office documents to be modified to bypass Protected View and launch URI protocol handlers without user interaction, which will only lead to further abuse of protocol handlers.
This was seen yesterday when Hickey converted existing Microsoft Word MSDT exploits to use the search-ms protocol handler described earlier.
With this new PoC, when a user opens a Word document it automatically launches a "search-ms" command that opens a Windows Search window listing the executables on a remote SMB share. The share can be named whatever the threat actor wants, such as "Critical Updates", to prompt users to install the listed malware.
Microsoft Office search-ms: URI handler exploitation, requires user interaction. No patch. pic.twitter.com/iYbZNtMpnx
– hackerfantastic.crypto (@hackerfantastic) June 1, 2022
As with the MSDT exploits, Hickey also showed that you can create RTF versions that automatically open a Windows Search window when the document is rendered in the Explorer preview pane.
Here is the same search-ms attack exploited via an RTF document when the Windows preview pane is enabled … 😉 pic.twitter.com/AmOeGWltjm
– hackerfantastic.crypto (@hackerfantastic) June 1, 2022
Using this type of malicious Word document, threat actors can build elaborate phishing campaigns that automatically open Windows Search windows on recipients' devices to trick them into launching malware.
While this exploit is not as serious as the ms-msdt remote code execution vulnerability, it could be abused by threat actors looking to create sophisticated phishing campaigns.
While we’ve already found ways in which threat actors could exploit this new flaw in the wild, we won’t share this information for obvious reasons.
To mitigate this vulnerability, Hickey says you can apply the same mitigation used for the ms-msdt exploits: remove the search-ms protocol handler from the Windows Registry.
- Run Command Prompt as an administrator.
- Back up the registry key by running: reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg
- Delete the key by running: reg delete HKEY_CLASSES_ROOT\search-ms /f
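The three steps above, as an added PowerShell script (editor's example, not Hickey's or Microsoft's code) that refuses to delete the key unless the backup succeeded, checks whether the handler is present, and provides a restore path for when a patch ships. The function names and the backup location under ProgramData are assumptions.

```powershell
# Added example (not from the article or from Hickey): the registry mitigation above as a
# script with backup, removal and a restore path. Function names and the backup path are assumptions.
# Run from an elevated PowerShell session; writing to HKCR requires administrator rights.

$HandlerKey = 'HKEY_CLASSES_ROOT\search-ms'
$BackupFile = Join-Path $env:ProgramData 'search-ms.reg'

function Test-SearchMsHandler {
    # Returns $true when the search-ms: protocol handler is still registered.
    Test-Path "Registry::$HandlerKey"
}

function Disable-SearchMsHandler {
    if (-not (Test-SearchMsHandler)) {
        Write-Host 'search-ms handler is not registered; nothing to do.'
        return
    }
    # Step 1: export the key so the handler can be restored once Microsoft ships a fix.
    reg.exe export $HandlerKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $HandlerKey failed; refusing to delete without a backup."
    }
    # Step 2: delete the key. Without it, Windows no longer knows how to launch search-ms: URIs.
    reg.exe delete $HandlerKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $HandlerKey failed." }
    Write-Host "search-ms handler removed; backup saved to $BackupFile"
}

function Restore-SearchMsHandler {
    # Re-imports the exported key, undoing the mitigation.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Restoring the search-ms handler failed.' }
}

Disable-SearchMsHandler
# Verify: should now print False.
Test-SearchMsHandler
```

Run Restore-SearchMsHandler later to put the handler back; until then, search-ms: links in documents, browsers and the Run dialog will fail to launch because Windows has no registered handler for the scheme.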
A Windows protocol nightmare
Neither the MSDT nor the search-ms abuse is new; both were first disclosed by Benjamin Altpeter in 2020 in his thesis on the security of Electron applications.
However, it was not until recently that they were weaponized in Word documents for phishing attacks that need no user interaction, which turned them into zero-day vulnerabilities.
According to Microsoft's guidance for CVE-2022-30190, the company appears to be addressing the flaws in the protocol handlers and their underlying Windows features, rather than the fact that threat actors can abuse Microsoft Office to launch these URIs without user interaction.
As CERT/CC vulnerability analyst Will Dormann notes, these exploits actually rely on two different flaws. Without fixing the Microsoft Office URI issue, other protocol handlers will be abused.
Hickey also told BleepingComputer that he believes this is not necessarily a flaw in the protocol handlers themselves, but a combination that results in a "Microsoft Office OLEObject search-ms location path spoofing vulnerability."
"The next best thing would be to fix the search capability and location configuration messages to prevent these spoofing attacks, or to disable it as a URI handler," Hickey explained in a conversation about the flaws.
In June 2021, researchers accidentally published technical details and a proof-of-concept (PoC) exploit for a Windows Print Spooler RCE vulnerability dubbed PrintNightmare.
Although the RCE component was quickly fixed, a wide range of local privilege escalation vulnerabilities were discovered and continued to be disclosed under the "PrintNightmare" classification.
It was not until Microsoft made some drastic changes to Windows printing that it finally got this class of vulnerability under control, even though those changes caused numerous printing problems for a while.
By addressing the issue only on the side of the Windows protocol handler and its underlying feature, Microsoft faces a new "ProtocolNightmare" class of bugs in which researchers will keep finding new URI handlers to abuse in attacks.
Until Microsoft makes it impossible for Microsoft Office to launch URI handlers without user interaction, be prepared for a whole series of similar news articles as new exploits are released.
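Because the article's point is that any registered URI scheme is a candidate for the same abuse, an inventory is the first check a defender wants. The following added example (editor's code, not from the article or the researchers it quotes) enumerates every scheme registered as a protocol handler in HKCR, the way Windows itself identifies them, and shows the command line each one launches. The function name is an assumption; the two schemes it highlights are the ones the article discusses.

```powershell
# Added example (not from the article): inventory every URI scheme registered as a protocol
# handler in HKCR, with the command Windows runs for it. These are the "search-ms"-like handlers
# a document could try to launch; review each one before deciding what to remove. Function name assumed.

function Get-UriProtocolHandler {
    # A scheme is a protocol handler when its HKCR key carries a value named "URL Protocol".
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'URL Protocol' } |
        ForEach-Object {
            $scheme = $_.PSChildName
            $cmdKey = "Registry::HKEY_CLASSES_ROOT\$scheme\shell\open\command"
            $command = $null
            if (Test-Path $cmdKey) {
                $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            }
            [pscustomobject]@{
                Scheme     = $scheme
                Command    = $command
                # Some handlers delegate to a COM object and expose no (default) command string.
                HasCommand = [bool]$command
            }
        }
}

# Show the two handlers discussed in the article first, then the full list sorted by scheme.
$all = Get-UriProtocolHandler
$all | Where-Object { $_.Scheme -in 'search-ms', 'ms-msdt' } | Format-Table -AutoSize
$all | Sort-Object Scheme | Format-Table -AutoSize
```

Running this on a fleet and diffing the output over time also surfaces third-party installers that quietly register new schemes, which is exactly the attack surface the "ProtocolNightmare" comparison is about.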