I think the key here prob. is the attack vector - MSRC prob. think “double-clicking on a non-MOTW local mht file” isn’t a valid vector, as there may be bigger/known problems if you open a non-MOTW mht file locally with IE. https://twitter.com/wdormann/status/1116691419673047042
Replying to @HaifeiLi
I'd have to double check, but I don't recall the MoTW coming in to play when I reproduced it.
Yeah, the MoTW doesn't matter. ZoneID=3 means "internet zone". And perhaps not-surprisingly, IE will open web pages from the internet zone without prompting. pic.twitter.com/J5heQgZzhX
Replying to @wdormann
Okay, that's weird.. I just ran a test (didn't actually test yesterday). The weird thing is that I found that on Windows 10 the MoTW is NOT a vector (same as your test), but on Windows 7 it is - if MoTW, then only the datatears.xml will be downloaded but no system.ini leaking.
Replying to @HaifeiLi
Yes, with Windows 7 and Windows 8, the MoTW appears to prevent the data from being sent to the attacker. With Windows 10, the MoTW makes no difference. Conclusion: In this particular case, Windows 10 is worse off than prior versions of Windows.
Replying to @wdormann
Hmmm, wait.. even more weird.. I just tested on another one of my Windows 10 boxes, and the MoTW is a vector on that machine - no system.ini leak, only datatears.xml access... It seems that the conclusion is still far from being made.
Guys, I may be able to clear this up a little. It seems that Edge puts two additional ACL entries to the saved file, both with undocumented SIDs, one of which prevents Low Integrity processes from accessing the file. I guess some undocumented feature...
Indeed! The ACLs for the Edge-downloaded MHT file do have extra SIDs listed. If the same file is downloaded with IE, Chrome, or Firefox, there are no strange SIDs, and the MHT exploit won't exfiltrate text files. Hmmm... pic.twitter.com/Te3ksK0x4q
Now remove the S-1-15-2 ACL and see that the exploit stops working :)
Important question: Are there programs other than IE that run with low integrity on Windows? It would seem any such application will not benefit from any MoTW marking.
I suppose many sandboxed processes are low integrity, but I suspect they don't share IE's flawed error checking on reading MOTW.
Generally, matching IE's MOTW handling is considered the gold standard. Failing to do so creates bugs.