New Windows Search zero-day added to Microsoft protocol nightmare

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
A new Windows Search zero-day vulnerability can be used to automatically open a search window containing remotely-hosted malware executables simply by launching a Word document.

The security issue can be leveraged because Windows supports a URI protocol handler called 'search-ms' that allows applications and HTML links to launch customized searches on a device.
While most Windows searches will look on the local device's index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window.

For example, the popular Sysinternals toolset allows you to remotely mount live.sysinternals.com as a network share to launch their utilities. To search this remote share and list only files matching a particular name, you could use the following 'search-ms' URI:

search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals


As you can see from the command above, the search-ms 'crumb' variable specifies the location to search, and the 'displayname' variable specifies the search title.
A customized search window will appear when this command is executed from a Run dialog or web browser address bar on Windows 7, Windows 10, and Windows 11, as shown below.
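As an added example (not part of the article or of anyone's post in this thread), a small Python parser that splits a search-ms: URI into its parameters and flags a 'crumb' whose location is a remote UNC path, which is the check a defender would want on URIs found in documents or links. The sample URIs are constructed: the article's URI, the DavWWWRoot variant discussed later in the thread, and a local-folder search for contrast.

```python
import re
from urllib.parse import unquote

# Constructed samples: the article's URI, the WebDAV (DavWWWRoot) variant, and a local one.
SAMPLE_URIS = [
    "search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals",
    "search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com@ssl%5CDavWWWRoot&displayname=Searching%20Sysinternals",
    "search-ms:query=report&crumb=location:C%3A%5CUsers%5Cme%5CDocuments&displayname=My%20Docs",
]

def parse_search_ms(uri):
    """Split a search-ms: URI into percent-decoded parameters; {} if not search-ms."""
    if not uri.lower().startswith("search-ms:"):
        return {}
    params = {}
    for part in uri[len("search-ms:"):].split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.lower()] = unquote(value)
    return params

def search_location(params):
    """Return the path carried by a 'crumb=location:...' parameter, or None."""
    crumb = params.get("crumb", "")
    return crumb[len("location:"):] if crumb.lower().startswith("location:") else None

def classify_location(loc):
    """'local', 'remote-smb' (\\\\host\\share) or 'remote-webdav' (\\\\host@ssl\\DavWWWRoot)."""
    if loc is None or not loc.startswith("\\\\"):
        return "local"
    host = loc[2:].split("\\", 1)[0]
    # host@ssl or host@<port> is the WebDAV UNC form, which is why the DavWWWRoot
    # variant works on home machines where the plain SMB path fails (error 0x80070035).
    if re.search(r"@(ssl|\d+)$", host, re.IGNORECASE) or "davwwwroot" in loc.lower():
        return "remote-webdav"
    return "remote-smb"

def assess(uri):
    """Summarise one URI; anything that would search a remote host is flagged."""
    params = parse_search_ms(uri)
    loc = search_location(params)
    kind = classify_location(loc)
    return {"location": loc, "kind": kind,
            "title": params.get("displayname"), "suspicious": kind != "local"}

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(assess(u))
```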
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
This attack is trivial to defeat; just disable explorer.exe network access. There might also be a method to disable the search-ms: URI protocol handler in the registry.
This article has some workarounds in addition to the official one given by Microsoft.

 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,177
> I'm interested to see what @Andy Ful has to say about this. I'm guessing his tools (SWH, CF, H_C) would block this.

The CmdLine:
search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals
does not work on my computer even without SWH, CD, FH, and H_C. The error 0x80070035 is shown (The network path was not found).

Can it work on your computer?
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
574
> The CmdLine:
> search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals
> does not work on my computer even without SWH, CD, FH, and H_C. The error 0x80070035 is shown (The network path was not found).
>
> Can it work on your computer?
Nope. I get this:

C:\Windows\system32>search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals
The filename, directory name, or volume label syntax is incorrect.
'crumb' is not recognized as an internal or external command,
operable program or batch file.
'displayname' is not recognized as an internal or external command,
operable program or batch file.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,177
> Nope. I get this:
>
> C:\Windows\system32>search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals
> The filename, directory name, or volume label syntax is incorrect.
> 'crumb' is not recognized as an internal or external command,
> operable program or batch file.
> 'displayname' is not recognized as an internal or external command,
> operable program or batch file.
This error comes up when the CmdLine is run via a web browser. Try also to use the Windows built-in "Run dialog" (Windows button + R).
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
574
> Try also to use the Windows built-in "Run dialog" (Windows button + R).

Using Run dialog Windows button + R:

[attached screenshot: search error.png]

...so the same error as yours.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,177
The proper CmdLine for home computers:
search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com@ssl%5CDavWWWRoot&displayname=Searching%20Sysinternals
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,177
The search-ms works in an interesting way. If I block the Explorer outbound connections and run the exploit via the "Run" dialog (and before the web browser could be used), then the exploit is blocked (the log shows the blocked event for Explorer).
But if I use a web browser, then the exploit works even if the Explorer outbound connections are blocked. Furthermore, after that, it starts working also when I use the "Run" dialog (the connections start using Svchost).
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
574
> The search-ms works in an interesting way. If I block the Explorer outbound connections and run the exploit via the "Run" dialog (and before the web browser could be used), then the exploit is blocked (the log shows the blocked event for Explorer).
> But if I use a web browser, then the exploit works even if the Explorer outbound connections are blocked. Furthermore, after that, it starts working also when I use the "Run" dialog (the connections start using Svchost).

Wow, yes, exactly the same results here. I used Edge as the browser.
 
