{"id":64146,"date":"2023-03-07T14:39:48","date_gmt":"2023-03-07T06:39:48","guid":{"rendered":"https:\/\/version-2.com\/?p=64146"},"modified":"2024-09-13T16:31:25","modified_gmt":"2024-09-13T08:31:25","slug":"cve-2022-44666-microsoft-windows-contacts-vcf-contact-ldap-syslink-control-href-attribute-escape-vulnerability","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2023\/03\/cve-2022-44666-microsoft-windows-contacts-vcf-contact-ldap-syslink-control-href-attribute-escape-vulnerability\/","title":{"rendered":"CVE-2022-44666: Microsoft Windows Contacts (VCF\/Contact\/LDAP) syslink control href attribute escape vulnerability"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

<\/p>

CVE-2022-44666<\/a> (still 0day) is a Microsoft Windows Contacts (wab.exe) vulnerability while parsing “href” attributes into syslink controls<\/strong>, which was originally discovered, reported through ZDI<\/a> and publicly disclosed<\/a> by John Page (aka hyp3rlinx) of ApparitionSec<\/a> long time ago (~ 5 years). Full credits for discovery go to him!<\/p>

Last summer I started to study this vulnerability, either finding out further vectors to exploit this by using URL protocol handlers such as search-ms and LDAP, or file types accepted for the latest Windows versions (VCF vs Contact files). Thanks to URL protocols, there are more applications which might trigger the vulnerability (Microsoft Office + remote templates aka linked htmlfile OLE objects, web browsers and even PDF Readers).<\/p>

<\/p>

My best contribution was using LDAP URL protocol<\/strong> which makes the impact a bit higher given that the crafted contact file will be opened without further user interaction for Microsoft Word.<\/p>

On December 2022, Microsoft decided to release a patch for this vulnerability<\/a> but unfortunately the fix stays incomplete and was easy to find a variant out by using a single char “@” before the target payload. So this vulnerability still remains as 0day nowadays.<\/strong><\/p>

<\/p>

There are some caveats for this vulnerability:<\/p>

\u2705 Windows Contacts application (wab.exe) does not verify MoTW flag.<\/p>

\u2705 It’s triggerable by URI protocol LDAP.<\/p>

\u2705 This file type (.contact) associated by default to Windows Contacts application (wab.exe).<\/p>

\u2705 Downloads of these file types (.contact & .vcf) aren’t blocked by browsers, mail servers and so on.<\/p>

\u274c Syslink control click is necessary to trigger the vulnerability (1-click).<\/p>

\u274c The payloads have to already be somehow on the target system, this might imply security warnings, MoTW prompts… What about diagcab files? There are some cons but higher impact occasionally.<\/p>

\u274c Network share paths as “href” attribute are blocked by default.<\/p>

\u274c Full paths as “href” attribute are blocked by default.<\/p>

Long time ago, 0patch<\/a> released a micropatch for this issue<\/a> which has been successfully working with some minor fixes (offsets) in order to cover all the Windows versions, something that, some weeks ago, has already been deployed<\/a>. It’s the only unofficial fix which actually is full patching the vulnerability right now, waiting for an official patch that hopefully comes soon.<\/p>

My full write-up can be found in this GitHub repository<\/a> and John’s post in his website<\/a>.<\/p>

#CVE-2022-44666 #0day<\/p><\/div>

Tags<\/h4>