remmons-r7's assessment of CVE-2024-38112

Description

Windows MSHTML Platform Spoofing Vulnerability

Add Assessment

remmons-r7 (45)

July 19, 2024 2:51pm UTC (4 months ago)•

Ratings

Attacker Value

Medium

Exploitability

Low

CISA KEV Listed Common in enterprise Vulnerable in default configuration Difficult to weaponize Requires user interaction

Technical Analysis

Trend Micro reported this vulnerability to Microsoft after observing Void Banshee APT exploitation in the wild; the zero-day attack hinged on the premise that MHTML links would automatically open in the old Internet Explorer engine. Within the old engine context, HTA files will prompt to open by default, facilitating easier code execution. The threat actors were observed appending many spaces to the file name to misrepresent the secondary HTA file as a PDF in the IE pop-up box. Additionally, Check Point researcher Haifei Li is credited for a report that resulted in a “Defense-in-depth” patch for this chain, which is probably related to the HTA file name misrepresentation trick.

The process of exploitation would typically look like this:

An attacker site is visited or a phishing message is sent to the victim.
The victim downloads a malicious “.url” file that masquerades as a legitimate document.
The victim clicks the “.url” payload, opening the embedded “mhtml:” link and launching Internet Explorer.
The IE engine prompts the user to open the second-stage HTA file.
The victim clicks “open” on the pseudo-PDF prompt.
The victim clicks “Allow” on the IE security prompt for the “HTML Application host” execution.

In summary, the intent of this attack chain is to misrepresent and remove some security hurdles for malware execution on Windows. Successful exploitation does still require quite a bit of clicking through prompts by the user. However, this is likely enough to significantly increase execution numbers for the affiliated malware campaign, which was reported to be deploying information stealers.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

5.9

Exploitability Score:

1.6

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

High

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Windows 10 Version 22H2 10.0.19045.4651

Windows 11 Version 23H2 10.0.22631.3880

Windows 10 Version 1507 10.0.10240.20710

Windows 11 version 22H2 10.0.22621.3880

Windows 10 Version 1607 10.0.14393.7159

Windows Server 2016 10.0.14393.7159

Windows 10 Version 21H2 10.0.19044.4651

Windows Server 2016 (Server Core installation) 10.0.14393.7159

Windows Server 2008 Service Pack 2 6.0.6003.22769

Windows Server 2008 Service Pack 2 (Server Core installation) 6.0.6003.22769

Windows Server 2008 Service Pack 2 6.0.6003.22769

Windows 10 Version 1809 10.0.17763.6054

Windows Server 2012 R2 6.3.9600.22074

Windows 11 version 22H3 10.0.22631.3880

Windows Server 2012 R2 (Server Core installation) 6.3.9600.22074

Windows Server 2022 10.0.20348.2582

Windows Server 2022, 23H2 Edition (Server Core installation) 10.0.25398.1009

Windows Server 2019 (Server Core installation) 10.0.17763.6054

Windows 11 version 21H2 10.0.22000.3079

Windows Server 2019 10.0.17763.6054

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

microsoft

Products

windows 10 1507,
windows 10 1607,
windows 10 1809,
windows 10 21h2,
windows 10 22h2,
windows 11 21h2,
windows 11 22h2,
windows 11 23h2,
windows server 2008 -,
windows server 2012 r2,
windows server 2016,
windows server 2019,
windows server 2022,
windows server 2022 23h2

Exploited in the Wild

Reported by:

inokii indicated sources as

Vendor Advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38112)
Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/07/09/cisa-adds-three-known-exploited-vulnerabilities-catalog)

Reported: July 10, 2024 3:31am UTC (4 months ago)

remmons-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: July 19, 2024 2:51pm UTC (4 months ago) • Edited 4 months ago

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/07/09/cisa-adds-three-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:30am UTC (2 weeks ago)

References

Canonical

CVE-2024-38112 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38112)

Miscellaneous

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38112

Rapid7

Moderate

CVE-2024-38112

Moderate

Low

Required

None

Network

CVE-2024-38112

Description