The file type used to link to Windows 10’s settings page can be abused to run malicious executables or commands in a way that bypasses the OS’s defences.
Researcher Matt Nelson of SpecterOps made the discovery while he was looking for new formats for attackers to abuse now that the HTML Applications (HTA files), Visual Basic programs (VBS), JavaScript (JS), PDF and Office files are tightly controlled by Office 365 and Windows 10.
Nelson came across a format that few beyond Microsoft will have heard of: .SettingContent-ms
, used to create shortcuts to the settings page, the successor to the Control Panel.
A file with this extension is simply an XML file that contains paths to the programs used to configure Windows 10’s settings.
That brings with it some power through an option in .SettingContent-ms
called “DeepLink”, which specifies the disk location that gets invoked when opening the Settings page or the Control Panel.
Nelson discovered that “DeepLink” could be used to open anything, for example CMD.EXE
, PowerShell, or even a chain of commands, triggered by an internet link:
So, we now have a file type that allows arbitrary shell command execution and displays zero warnings or dialogs to the user.
Office would normally block commonly-abused file types when they’re referenced externally, but this file format is apparently not seen as risky.
Given this, perhaps it’s not surprising that .SettingContent-ms
currently also seems to offer a way around recent security features such as Attack Surface Reduction (ASR), which can optionally be enabled as part of Windows Defender Exploit Guard from Windows 10 Build 1709 onwards.
Aimed at enterprises, ASR is a collection of behaviour rules, including one for Child Process Creation, which Nelson found could be used to stop .SettingContent-ms
from running programs.
Unfortunately, this can be fooled simply by using an allowlisted path to an app called AppVLP.exe that’s already allowed to start child processes:
Perfect! We are able to abuse AppVLP to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule.
When Nelson reported the potential vulnerability to Microsoft:
MSRC responded with a note that the severity of the issue is below the bar for servicing and that the case will be closed.
Presumably, this is because it’s really a configuration issue that could be dealt with using an ASR rule or via Office’s blocking of OLE. Nelson offers his own suggestions for mitigation, including monitoring child processes using Sysmon.
Nelson concludes that for all its improvements, Windows 10’s evolution is always likely to offer up new and unexpected elements to exploit:
After looking into ASR and the new file formats in Windows 10, I realized that it is important to try and audit new binaries and file types that get added in each release of Windows.