Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
gcr 6 hours ago

What does “unverified protocols” mean? Does Windows have an exe:// url scheme that fetches and runs executable binaries or something?

gruez 6 hours ago | parent [-]

Yes? ShellExecute opens a url if you pass in a url, opens a file if you pass in a path, and runs an .exe if that file is an .exe. Windows also supports SMB paths, so combine that together and you have a RCE

eugenekolo 5 hours ago | parent [-]

But is it running ShellExecute on URIs?

electroly 5 hours ago | parent [-]

I believe it is. Just tested it. You can make the link "C:\windows\system32\cmd.exe" and clicking it will launch the Command Prompt. I noticed you can't make it "C:\windows\system32\cmd.exe /c some-nefarious-thing"; it doesn't like the space. Exploiting may require you to ship both the malicious EXE and the MD, then trick the user into clicking the link inside the MD. But then you could have just tricked them into directly clicking the EXE.

gruez 4 hours ago | parent | next [-]

>Exploiting may require you to ship both the malicious EXE and the MD, then trick the user into clicking the link inside the MD. But then you could have just tricked them into directly clicking the EXE.

1. You can use UNC paths to access remote servers via SMB

2. Even if it's local, it's still more useful than you make it out to be. For instance, suppose you downloaded a .zip file of some github project. The .zip file contains virus.exe buried in some subfolder, and there's a README.md at the root. You open the README.md and see a link (eg. "this project requires [some-other-project](subfolder\virus.exe)". You click on that and virus.exe gets executed.

jkrejcha 2 hours ago | parent | next [-]

> 1. You can use UNC paths to access remote servers via SMB

Relevant article from The Old New Thing: https://devblogs.microsoft.com/oldnewthing/20060509-30/?p=31...

Programs (this is true for most mainstream operating systems) can become network facing without realizing it. I've sometimes found a bunch of Windows programs sometimes tends to assume that I/O completes "instantly" (even if async I/O has been common on Windows for a very long time) and don't have a good UX for cancelling long running I/O operations

electroly an hour ago | parent | prev [-]

Definitely; I didn't mean to underplay it. Here's a fun one:

    [Free AI credits](C:\windows\system32\logoff.exe)
It works. This is a real exploit that you could do things with.
thwarted 3 hours ago | parent | prev [-]

What if the space is url encoded %20 ?

Zenul_Abidin 26 minutes ago | parent [-]

That wouldn't work because Windows doesn't understand url-encoded sequences.