Git Product home page Git Product logo

cve-2017-0065's Introduction

Exploiting Edge's read:// urlhandler

Introduction

This exploit was reported to Microsoft and I was acknowledged for doing so. The exploit has been patched on March 14th 2017 under names cve-2017-0065 and MS17-007 and will not work if related patches are applied. Sourcecode is provided for educational purposes only.

References:

https://technet.microsoft.com/en-us/library/security/mt745121.aspx

https://technet.microsoft.com/en-us/library/security/ms17-mar.aspx

https://www.symantec.com/security_response/vulnerability.jsp?bid=96648&om_rssid=sr-advisories

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0065

http://www.securityfocus.com/bid/96648

General

This exploit requires the victim has a forged file (exploit.html) on his file system on a known file location. Victim does not need to run it, just have it. The file can then be invoked by visiting a malicious website (malicious_server.php).

With this exploit local files may be uploaded to visited malicious websites without users consent.

Here's how to reproduce:

1. Edit exploit.html to have your test webservers address as the form action.
2. Serve malicious_server.php on a PHP enabled webserver, so you can access it with: http://yourwebserver.com/malicious_server.php
3. Place exploit.html into following folder: c:\windows\system32\drivers\etc\ (read: protocol seems picky about the file location)
4. Navigate to http://yourwebserver.com/malicious_server.php with Edge.

Here's what should happen:

1. Navigating to malicious_server.php should trigger browser redirect to: read:,c:\windows\system32\drivers\etc\exploit.html
2. exploit.html should then prompt user to click anywhere on the empty page. 
3. After a click, exploit.html will create a window with url to: read:,c:\windows\system32\drivers\etc\hosts
4. If window creation succeeds, contents of opened window (hosts file) will be copied to a hidden form, window will be closed and the form submitted back to malicious_server.php on your webserver
5. malicious_server.php will display contents of the submitted file

cve-2017-0065's People

Contributors

dankirk avatar

Watchers

avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.