
Jackson-Pollock/cve-2017-0065

Exploiting Edge's read:// urlhandler

Introduction

This exploit was reported to Microsoft and I was acknowledged for doing so. The vulnerability was patched on March 14th, 2017 as CVE-2017-0065, and the exploit will not work if the related patches are applied. Source code is provided for educational purposes only.

References:

https://technet.microsoft.com/en-us/library/security/mt745121.aspx

https://technet.microsoft.com/en-us/library/security/ms17-mar.aspx

https://www.symantec.com/security_response/vulnerability.jsp?bid=96648&om_rssid=sr-advisories

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0065

http://www.securityfocus.com/bid/96648

General

This exploit requires that the victim has a forged file (exploit.html) on their file system at a known location. The victim does not need to run it, just have it. The file can then be invoked by visiting a malicious website (malicious_server.php).

With this exploit, local files may be uploaded to visited malicious websites without the user's consent.

Here's how to reproduce:

1. Edit exploit.html to have your test web server's address as the form action.
2. Serve malicious_server.php on a PHP-enabled web server, so you can access it at: http://yourwebserver.com/malicious_server.php
3. Place exploit.html into the following folder: c:\windows\system32\drivers\etc\ (the read: protocol seems picky about the file location)
4. Navigate to http://yourwebserver.com/malicious_server.php with Edge.

Here's what should happen:

1. Navigating to malicious_server.php should trigger a browser redirect to: read:,c:\windows\system32\drivers\etc\exploit.html
2. exploit.html should then prompt the user to click anywhere on the empty page.
3. After a click, exploit.html will create a window with its URL set to: read:,c:\windows\system32\drivers\etc\hosts
4. If window creation succeeds, the contents of the opened window (the hosts file) will be copied to a hidden form, the window will be closed, and the form will be submitted back to malicious_server.php on your web server.
5. malicious_server.php will display the contents of the submitted file.
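
For defenders, the redirect in step 1 is the observable that stands out on the network: a remote page steering the browser to a read: URL with a local drive path. The following detection sketch is an added example, not code from this repository; the proxy-log record layout, the function name and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# read: URL whose target is a local drive path, e.g. read:,c:\... (form taken from the README)
READ_LOCAL = re.compile(r"\bread:[,/]*[a-z]:[\\/]", re.IGNORECASE)

def find_read_redirects(responses):
    """Return (url, where) for every response that steers the browser to a local read: URL."""
    hits = []
    for resp in responses:
        # Header names are case-insensitive; values may be percent-encoded.
        headers = {k.lower(): unquote(v) for k, v in resp.get("headers", {}).items()}
        if READ_LOCAL.search(headers.get("location", "")):
            hits.append((resp["url"], "Location header"))
        elif READ_LOCAL.search(unquote(resp.get("body", ""))):
            hits.append((resp["url"], "response body"))
    return hits

# Constructed sample records (hypothetical proxy-log layout, not real traffic).
SAMPLE = [
    {"url": "http://site-a.example/p.php",
     "headers": {"Location": r"read:,c:\windows\system32\drivers\etc\exploit.html"}},
    {"url": "http://site-b.example/",
     "headers": {"Content-Type": "text/html"},
     "body": r'<meta http-equiv="refresh" content="0;url=read:,c:\windows\system32\drivers\etc\hosts">'},
    {"url": "http://site-c.example/r",
     "headers": {"location": "read:,c%3A%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts"}},
    # Benign: "read:" appears, but not followed by a drive path.
    {"url": "http://blog.example/post",
     "headers": {"Location": "https://blog.example/read:later"},
     "body": "Please read: the release notes."},
]

if __name__ == "__main__":
    for url, where in find_read_redirects(SAMPLE):
        print(f"ALERT {url}: local read: URL in {where}")
```
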
