CVE-2021-43844 - Vulnerability Details

Vendors	Products
Msedgeredirect Project	Msedgeredirect

Source	ID	Title
EUVD	EUVD-2021-30715	MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user's default browser. MSEdgeRedirect versions before 0.5.0.1 are vulnerable to Remote Code Execution via specifically crafted URLs. This vulnerability requires user interaction and the acceptance of a prompt. With how MSEdgeRedirect is coded, parameters are impossible to pass to any launched file. However, there are two possible scenarios in which an attacker can do more than a minor annoyance. In Scenario 1 (confirmed), a user visits an attacker controlled webpage; the user is prompted with, and downloads, an executable payload; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and RCE executes the payload the user previously downloaded, if the download path is successfully guessed. In Scenario 2 (not yet confirmed), a user visits an attacked controlled webpage; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and a payload on a remote, attacker controlled, SMB server is executed. The issue was found in the _DecodeAndRun() function, in which I incorrectly assumed _WinAPI_UrlIs() would only accept web resources. Unfortunately, file:/// passes the default _WinAPI_UrlIs check(). File paths are now directly checked for and must fail. There is no currently known exploitation of this vulnerability in the wild. A patched version, 0.5.0.1, has been released that checks for and denies these crafted URLs. There are no workarounds for this issue. Users are advised not to accept any unexpected prompts from web pages.

Link	Providers
https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1
https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9

{"containers": {"cna": {"affected": [{"product": "MSEdgeRedirect", "vendor": "rcmaehl", "versions": [{"status": "affected", "version": "< 0.5.0.1"}]}], "descriptions": [{"lang": "en", "value": "MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user's default browser. MSEdgeRedirect versions before 0.5.0.1 are vulnerable to Remote Code Execution via specifically crafted URLs. This vulnerability requires user interaction and the acceptance of a prompt. With how MSEdgeRedirect is coded, parameters are impossible to pass to any launched file. However, there are two possible scenarios in which an attacker can do more than a minor annoyance. In Scenario 1 (confirmed), a user visits an attacker controlled webpage; the user is prompted with, and downloads, an executable payload; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and RCE executes the payload the user previously downloaded, if the download path is successfully guessed. In Scenario 2 (not yet confirmed), a user visits an attacked controlled webpage; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and a payload on a remote, attacker controlled, SMB server is executed. The issue was found in the _DecodeAndRun() function, in which I incorrectly assumed _WinAPI_UrlIs() would only accept web resources. Unfortunately, file:/// passes the default _WinAPI_UrlIs check(). File paths are now directly checked for and must fail. There is no currently known exploitation of this vulnerability in the wild. A patched version, 0.5.0.1, has been released that checks for and denies these crafted URLs. There are no workarounds for this issue. Users are advised not to accept any unexpected prompts from web pages."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-610", "description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-20T21:20:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1"}], "source": {"advisory": "GHSA-95v4-748v-fmf9", "discovery": "UNKNOWN"}, "title": "Externally Controlled Reference to a Resource in Another Sphere in MSEdgeRedirect", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-43844", "STATE": "PUBLIC", "TITLE": "Externally Controlled Reference to a Resource in Another Sphere in MSEdgeRedirect"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MSEdgeRedirect", "version": {"version_data": [{"version_value": "< 0.5.0.1"}]}}]}, "vendor_name": "rcmaehl"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user's default browser. MSEdgeRedirect versions before 0.5.0.1 are vulnerable to Remote Code Execution via specifically crafted URLs. This vulnerability requires user interaction and the acceptance of a prompt. With how MSEdgeRedirect is coded, parameters are impossible to pass to any launched file. However, there are two possible scenarios in which an attacker can do more than a minor annoyance. In Scenario 1 (confirmed), a user visits an attacker controlled webpage; the user is prompted with, and downloads, an executable payload; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and RCE executes the payload the user previously downloaded, if the download path is successfully guessed. In Scenario 2 (not yet confirmed), a user visits an attacked controlled webpage; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and a payload on a remote, attacker controlled, SMB server is executed. The issue was found in the _DecodeAndRun() function, in which I incorrectly assumed _WinAPI_UrlIs() would only accept web resources. Unfortunately, file:/// passes the default _WinAPI_UrlIs check(). File paths are now directly checked for and must fail. There is no currently known exploitation of this vulnerability in the wild. A patched version, 0.5.0.1, has been released that checks for and denies these crafted URLs. There are no workarounds for this issue. Users are advised not to accept any unexpected prompts from web pages."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere"}]}]}, "references": {"reference_data": [{"name": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9", "refsource": "CONFIRM", "url": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9"}, {"name": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1", "refsource": "MISC", "url": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1"}]}, "source": {"advisory": "GHSA-95v4-748v-fmf9", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:10:16.980Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-43844", "datePublished": "2021-12-20T21:20:11", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-08-04T04:10:16.980Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:msedgeredirect_project:msedgeredirect:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEFA729C-F38A-409D-9A03-B87DB276F497", "versionEndExcluding": "0.5.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user's default browser. MSEdgeRedirect versions before 0.5.0.1 are vulnerable to Remote Code Execution via specifically crafted URLs. This vulnerability requires user interaction and the acceptance of a prompt. With how MSEdgeRedirect is coded, parameters are impossible to pass to any launched file. However, there are two possible scenarios in which an attacker can do more than a minor annoyance. In Scenario 1 (confirmed), a user visits an attacker controlled webpage; the user is prompted with, and downloads, an executable payload; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and RCE executes the payload the user previously downloaded, if the download path is successfully guessed. In Scenario 2 (not yet confirmed), a user visits an attacked controlled webpage; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and a payload on a remote, attacker controlled, SMB server is executed. The issue was found in the _DecodeAndRun() function, in which I incorrectly assumed _WinAPI_UrlIs() would only accept web resources. Unfortunately, file:/// passes the default _WinAPI_UrlIs check(). File paths are now directly checked for and must fail. There is no currently known exploitation of this vulnerability in the wild. A patched version, 0.5.0.1, has been released that checks for and denies these crafted URLs. There are no workarounds for this issue. Users are advised not to accept any unexpected prompts from web pages."}, {"lang": "es", "value": "MSEdgeRedirect es una herramienta para redirigir las noticias, la b\u00fasqueda, los widgets, el tiempo, etc. al navegador predeterminado del usuario. MSEdgeRedirect versiones anteriores a 0.5.0.1 son vulnerables a una ejecuci\u00f3n de c\u00f3digo remota por medio de URLs espec\u00edficamente dise\u00f1adas. Esta vulnerabilidad requiere una interacci\u00f3n del usuario y la aceptaci\u00f3n de una solicitud. Con la forma en que est\u00e1 codificado MSEdgeRedirect, es imposible pasar par\u00e1metros a cualquier archivo lanzado. Sin embargo, se presentan dos posibles escenarios en los que un atacante puede hacer algo m\u00e1s que una peque\u00f1a molestia. En el escenario 1 (confirmado), un usuario visita una p\u00e1gina web controlada por el atacante; le es pedido al usuario que descargue una carga \u00fatil ejecutable; le es pedido al usuario que acepte el aviso de la URL dise\u00f1ada antes mencionado; y el RCE ejecuta la carga \u00fatil que el usuario descarg\u00f3 previamente, si es adivinada la ruta de descarga. En el escenario 2 (a\u00fan no confirmado), un usuario visita una p\u00e1gina web controlada por el atacante; le es pedido al usuario que acepte la solicitud de URL dise\u00f1ada antes mencionada; y es ejecutado una carga \u00fatil en un servidor SMB remoto controlado por el atacante. El problema es encontrado en la funci\u00f3n _DecodeAndRun(), en la que asum\u00ed incorrectamente que _WinAPI_UrlIs() s\u00f3lo aceptaba recursos web. Desafortunadamente, file:/// pasa la comprobaci\u00f3n _WinAPI_UrlIs() por defecto. Ahora son comprobados directamente las rutas de los archivos y deben fallar. Actualmente no es conocido ninguna explotaci\u00f3n de esta vulnerabilidad \"in the wild\". Ha sido publicado una versi\u00f3n parcheada, 0.5.0.1, que comprueba y rechaza estas URLs dise\u00f1adas. No se presentan soluciones para este problema. Se aconseja a usuarios que no acepten ninguna petici\u00f3n no esperada de las p\u00e1ginas web"}], "id": "CVE-2021-43844", "lastModified": "2024-11-21T06:29:54.907", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-12-20T22:15:07.883", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-610"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object