Researcher releases PoC for Windows VCF file RCE vulnerability
A vulnerability in the way Windows processes VCard files (.vcf) can be exploited by remote attackers to execute arbitrary code on vulnerable systems, security researcher John Page has shared.
What’s a VCard?
VCF is a standard file format used for storing contact information for individuals and businesses. VCF files can contain the contact’s name, address, email address, phone number, their business or personal web page, etc.
They are often used to quickly share contact information with interested parties, as they can be sent via email or message.
About the vulnerability
The way Windows processes VCF files allows attackers to insert a dangerous hyperlink into the file, while being sure that the vulnerable OS won’t show a warning when the target tries to follow it.
Page also provided a Proof-of-Concept exploit for the flaw, in which he gave the dangerous executable file a name that, at first glance, looks like a regular web address (www.hyp3rlinx.altervista.cpl). He then created a malicious VCF file with a URL pointing to the malicious executable.
A victim clicking on the provided “website” link will trigger the execution of the executable, and Windows will not warn about the danger.
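One way to screen incoming .vcf files for the kind of link described above, as an added example that is not from the article or from the researcher's PoC: it flags URL properties that lack an http(s) scheme or whose target ends in an executable extension. The extension list and the sample card are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}
# Assumed, non-exhaustive list; the article names only .cpl.
RISKY_EXTENSIONS = {".cpl", ".exe", ".scr", ".bat", ".cmd", ".lnk", ".hta", ".msi"}
# "URL" with an optional group prefix and parameters (RFC 6350 layout).
URL_PROP = re.compile(
    r'^(?:[A-Za-z0-9-]+\.)?URL((?:;(?:"[^"]*"|[^":;])*)*):(.*)$', re.IGNORECASE)
# Constructed sample card: one ordinary web link, one file name shaped like one.
SAMPLE_VCF = """BEGIN:VCARD
VERSION:3.0
FN:Constructed Contact
URL;TYPE=work:https://www.example.org/about
URL:www.example-contact.cpl
END:VCARD
"""

def unfold(text):
    """Join folded lines: a line starting with space or tab continues the previous one."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def check_url(value):
    """Return the reasons a URL value looks unsafe (empty list if none)."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return ["unparseable URL"]
    reasons = []
    if parts.scheme.lower() not in WEB_SCHEMES:
        reasons.append("no http(s) scheme")
    last_segment = parts.path.replace("\\", "/").rsplit("/", 1)[-1]
    ext = posixpath.splitext(last_segment)[1].lower()
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    return reasons

def scan_vcard(text):
    """Return (line_number, url_value, reasons) for each suspicious URL property."""
    findings = []
    for number, line in enumerate(unfold(text), 1):
        match = URL_PROP.match(line)
        if match and (reasons := check_url(match.group(2).strip())):
            findings.append((number, match.group(2).strip(), reasons))
    return findings

if __name__ == "__main__":
    print(scan_vcard(SAMPLE_VCF))
```

Line numbers in the findings refer to the card after folded lines have been joined, so a target split across lines is still checked as a whole.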
The vulnerability will not be fixed
Page has disclosed the vulnerability to Microsoft via the Trend Micro Zero Day Initiative.
The company apparently first said it would be fixing the flaw in an upcoming Windows version, then decided against it.
Granted, the vulnerability can’t be exploited remotely without user interaction, but users often don’t think twice about following links (whether they look safe or not).
Still, the PoC exploit requires the malicious executable to be previously downloaded by the user (or automatically downloaded via a drive-by download), so exploitation is not as straightforward as “get the VCF file to the user, wait for them to follow the link.”