The file type used to link to Windows 10’s settings page can be abused to run malicious executables or commands in a way that bypasses the OS’s defences.
Researcher Matt Nelson of SpecterOps made the discovery while he was looking for new formats for attackers to abuse now that the HTML Applications (HTA files), Visual Basic programs (VBS), JavaScript (JS), PDF and Office files are tightly controlled by Office 365 and Windows 10.
Nelson came across a format that few beyond Microsoft will have heard of: .SettingContent-ms, used to create shortcuts to the settings page, the successor to the Control Panel.
A file with this extension is simply an XML file that contains paths to the programs used to configure Windows 10’s settings.
That brings with it some power through an option in .SettingContent-ms called “DeepLink”, which specifies the disk location that gets invoked when opening the Settings page or the Control Panel.
Nelson discovered that “DeepLink” could be used to open anything, for example CMD.EXE, PowerShell, or even a chain of commands, triggered by an internet link:
So, we now have a file type that allows arbitrary shell command execution and displays zero warnings or dialogs to the user.
Office would normally block commonly-abused file types when they’re referenced externally, but this file format is apparently not seen as risky.
Given this, perhaps it’s not surprising that .SettingContent-ms currently also seems to offer a way around recent security features such as Attack Surface Reduction (ASR), which can optionally be enabled as part of Windows Defender Exploit Guard from Windows 10 Build 1709 onwards.
Aimed at enterprises, ASR is a collection of behaviour rules, including one for Child Process Creation, which Nelson found could be used to stop .SettingContent-ms from running programs.
Unfortunately, this can be fooled simply by using an allowlisted path to an app called AppVLP.exe that’s already allowed to start child processes:
Perfect! We are able to abuse AppVLP to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule.
When Nelson reported the potential vulnerability to Microsoft:
MSRC responded with a note that the severity of the issue is below the bar for servicing and that the case will be closed.
Presumably, this is because it’s really a configuration issue that could be dealt with using an ASR rule or via Office’s blocking of OLE. Nelson offers his own suggestions for mitigation, including monitoring child processes using Sysmon.
Nelson concludes that for all its improvements, Windows 10’s evolution is always likely to offer up new and unexpected elements to exploit:
After looking into ASR and the new file formats in Windows 10, I realized that it is important to try and audit new binaries and file types that get added in each release of Windows.
anon
Say what?
Will we get a fix or not?
Adrian Venditti
“Won’t fix” is Microsoft “head in the sand” response:
When Nelson reported the potential vulnerability to Microsoft:
MSRC responded with a note that the severity of the issue is below the bar for servicing and that the case will be closed.
Paul Ducklin
AFAICS, this “vulnerability” isn’t the sort of hole that would allow crooks to implant and run malware undetected. If Microsoft were to agree to allocate time to fix this issue, I’d be on my feet to argue that there are better “visual trick” issues to fix first: [a] make “show file extensions” the default and [b] figure out a way to make LNK files harder to disguise. (the only thing that tells you a LNK file isn’t, say, the PDF file its icon claims it to be is a tiny hooked arrow painted at the bottom of the icon).
Olivier
The hooked arrow in question is not tiny at all: it takes up about a fourth of the icon, which it overlaps, and it is impossible to miss.
Paul Ducklin
I disagree most strongly, and I have the research and pictures to prove it :-)
Here’s a piece I did a couple of years ago, with the screenshots that led me to form the opinion that LNK files (which can be fitted up with scripts and bogus icons) are visually unclear:
https://nakedsecurity.sophos.com/2016/08/03/beware-of-ransomware-hiding-in-shortcuts/
Adrian Venditti
Quoting from the article “Unfortunately, this can be fooled simply by using an allowlisted path to an app called AppVLP.exe that’s already allowed to start child processes:” so perhaps add this app to the malware list in antivirus software?
Nomphra
Below the bar for servicing!?! On what planet!?
I could also use this as an opportunity to rant about how the “Settings Page” is a worthless pile of junk that is mostly just a poor overlay for the way more functional Control Panel, with half the stuff in there just diverting you to Control Panel anyway, but I’ll keep it short! :P
Spryte
15 years ago I was writing .hta files to automate processes, select available databases for query, put raw data into Excel, enumerate printers or installed software versions all using simple html with some VBS, JS and/or Microsoft LogParser.
There is nothing inherently wrong with .hta files, just as there is nothing inherently wrong PDF or other types of files that can harbour possibly malicious code.
The problem lies in how the OS handles these files and their embedded code.