PoC exploit for Windows Shell RCE released

Here’s one more reason to hurry with the implementation of the latest Microsoft patches: a PoC exploit for a remote code execution vulnerability that can be exploited via Microsoft Edge has been published and can be easily adapted by attackers.

CVE-2018-8495

About the vulnerability (CVE-2018-8495)

CVE-2018-8495 exists because Windows Shell improperly handles special characters in URIs (it does not sanitize them).

“There are multiple issues with the way the product handles URIs within certain schemes. The product does not warn the user that a dangerous navigation is about to take place,” Trend Micro’s Zero Day Initiative (ZDI) explains in the advisory. “An attacker can manipulate the user interface so that the user’s action is interpreted as permission to proceed with opening a dangerous file.”

The fact that exploitation can’t be effected without the user performing a specific action somewhat mitigates the severity of the vulnerability.

But, with the right approach, tricking users into visiting a malicious website and pressing the Enter key should not be very difficult for proficient social engineers and expert phishers who want to hit specific targets.

PoC exploit

Abdulrahman Al-Qabandi, the “computerphile and hacker” who unearthed the flaw, has shared how he was able to exploit it, as well as the PoC exploit code he wrote. He also provided a video demonstration of the exploit in action.

Al-Qabandi reported the vulnerability to Microsoft via the ZDI in July, and Microsoft has released security updates that fix it on Tuesday. At the time, there was no indication that it might have been exploited by attackers in the wild.

The vulnerability affects Windows 10 and Windows Server 2016, and Windows Server versions 1709 and 1803.