CVE-2022-44666 (still a 0day) is a Microsoft Windows Contacts (wab.exe) vulnerability in how “href” attributes are parsed into syslink controls. It was originally discovered, reported through ZDI and publicly disclosed by John Page (aka hyp3rlinx) of ApparitionSec a long time ago (~5 years). Full credit for the discovery goes to him!
Last summer I started studying this vulnerability, looking both for further ways to exploit it through URL protocol handlers such as search-ms and LDAP, and for the file types accepted by the latest Windows versions (VCF vs. Contact files). Thanks to URL protocols, more applications can trigger the vulnerability (Microsoft Office with remote templates, aka linked htmlfile OLE objects, web browsers and even PDF readers).
My best contribution was using the LDAP URL protocol, which raises the impact somewhat, since the crafted contact file is opened from Microsoft Word without further user interaction.
In December 2022, Microsoft released a patch for this vulnerability, but unfortunately the fix is incomplete: a variant was easy to find by placing a single “@” character before the target payload. So this vulnerability still remains a 0day today.
There are some caveats for this vulnerability:
✅ The Windows Contacts application (wab.exe) does not verify the MoTW flag.
✅ It’s triggerable via the LDAP URI protocol.
✅ This file type (.contact) is associated by default with the Windows Contacts application (wab.exe).
✅ Downloads of these file types (.contact & .vcf) aren’t blocked by browsers, mail servers and so on.
❌ A click on the syslink control is necessary to trigger the vulnerability (1-click).
❌ The payloads already have to be on the target system somehow, which may imply security warnings, MoTW prompts… What about diagcab files? There are some cons, but occasionally a higher impact.
❌ Network share paths as “href” attribute values are blocked by default.
❌ Full paths as “href” attribute values are blocked by default.
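As an added defender-side example (not code from this write-up, its GitHub repository or 0patch), a small Python scanner that flags the kinds of link values discussed above inside a .contact file, e.g. at a mail gateway, before wab.exe ever sees it. The element and attribute names in the constructed sample and the list of payload extensions are assumptions, not the real .contact schema.

```python
import re
import xml.etree.ElementTree as ET

SUSPECT_SCHEMES = {"ldap", "search-ms"}        # protocol handlers the write-up names as trigger vectors
EXPECTED_SCHEMES = {"http", "https", "mailto"}  # what a contact's web link normally uses
# Extensions treated as "payload already on the system" (assumption, not from the write-up).
PAYLOAD_EXT = re.compile(r"\.(exe|dll|cpl|hta|js|vbs|diagcab)$", re.I)

def classify_href(value):
    """Return the reasons a link value looks risky for wab.exe, or [] if it looks benign."""
    reasons, v = [], value.strip()
    if v.startswith("@"):
        # The December 2022 fix is bypassed by a single leading '@' before the payload.
        reasons.append("leading '@' (variant of the incomplete fix)")
        v = v.lstrip("@").strip()
    if v.startswith("\\\\"):
        reasons.append("UNC network share path")  # blocked by default, still worth reporting
    elif re.match(r"^[A-Za-z]:[\\/]", v):
        reasons.append("absolute local path")     # blocked by default, still worth reporting
    elif (m := re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", v)):
        scheme = m.group(1).lower()
        if scheme in SUSPECT_SCHEMES:
            reasons.append(f"URL protocol handler '{scheme}:'")
        elif scheme not in EXPECTED_SCHEMES:
            reasons.append(f"unexpected scheme '{scheme}:'")
    elif PAYLOAD_EXT.search(v):
        reasons.append("relative reference to an executable file type")
    return reasons

def scan_contact_xml(xml_text):
    """Walk every attribute and text value of a .contact XML document and report the risky ones."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        candidates = [(f"@{k}", val) for k, val in elem.attrib.items()]
        if elem.text and elem.text.strip():
            candidates.append((elem.tag, elem.text))
        for where, val in candidates:
            if reasons := classify_href(val):
                findings.append((where, val.strip(), reasons))
    return findings

# Constructed sample; the element and attribute names are illustrative, not the real .contact schema.
SAMPLE = """<?xml version="1.0"?>
<contact>
  <website href="https://example.com"/>
  <website href="@ldap://example.com/payload"/>
  <website href="\\\\fileserver\\share\\tool.exe"/>
  <website href="readme.exe"/>
</contact>"""
```

Run `scan_contact_xml(SAMPLE)` to get the three flagged entries; the plain https link is not reported.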
A long time ago, 0patch released a micropatch for this issue, which has been working successfully; some minor fixes (offsets) were needed to cover all Windows versions, and those were deployed some weeks ago. It is the only unofficial fix that actually fully patches the vulnerability right now, while we wait for an official patch that hopefully comes soon.
My full write-up can be found in this GitHub repository and John’s post on his website.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 Limited offers quality products and services that are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.