CVE-2021-43844 (GCVE-0-2021-43844)
Vulnerability from cvelistv5
Published: 2021-12-20 21:20
Modified: 2024-08-04 04:10
CWE
  • CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Summary
MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user's default browser. MSEdgeRedirect versions before 0.5.0.1 are vulnerable to Remote Code Execution via specifically crafted URLs. This vulnerability requires user interaction and the acceptance of a prompt. With how MSEdgeRedirect is coded, parameters are impossible to pass to any launched file. However, there are two possible scenarios in which an attacker can do more than a minor annoyance. In Scenario 1 (confirmed), a user visits an attacker controlled webpage; the user is prompted with, and downloads, an executable payload; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and RCE executes the payload the user previously downloaded, if the download path is successfully guessed. In Scenario 2 (not yet confirmed), a user visits an attacker controlled webpage; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and a payload on a remote, attacker controlled, SMB server is executed. The issue was found in the _DecodeAndRun() function, in which I incorrectly assumed _WinAPI_UrlIs() would only accept web resources. Unfortunately, file:/// passes the default _WinAPI_UrlIs() check. File paths are now directly checked for and must fail. There is no currently known exploitation of this vulnerability in the wild. A patched version, 0.5.0.1, has been released that checks for and denies these crafted URLs. There are no workarounds for this issue. Users are advised not to accept any unexpected prompts from web pages.
Impacted products
Vendor Product Version
rcmaehl MSEdgeRedirect Version: < 0.5.0.1


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:10:16.980Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MSEdgeRedirect",
          "vendor": "rcmaehl",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.5.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user\u0027s default browser. MSEdgeRedirect versions before 0.5.0.1 are vulnerable to Remote Code Execution via specifically crafted URLs. This vulnerability requires user interaction and the acceptance of a prompt. With how MSEdgeRedirect is coded, parameters are impossible to pass to any launched file. However, there are two possible scenarios in which an attacker can do more than a minor annoyance. In Scenario 1 (confirmed), a user visits an attacker controlled webpage; the user is prompted with, and downloads, an executable payload; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and RCE executes the payload the user previously downloaded, if the download path is successfully guessed. In Scenario 2 (not yet confirmed), a user visits an attacked controlled webpage; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and a payload on a remote, attacker controlled, SMB server is executed. The issue was found in the _DecodeAndRun() function, in which I incorrectly assumed _WinAPI_UrlIs() would only accept web resources. Unfortunately, file:/// passes the default _WinAPI_UrlIs check(). File paths are now directly checked for and must fail. There is no currently known exploitation of this vulnerability in the wild. A patched version, 0.5.0.1, has been released that checks for and denies these crafted URLs. There are no workarounds for this issue. Users are advised not to accept any unexpected prompts from web pages."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-610",
              "description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-20T21:20:11",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1"
        }
      ],
      "source": {
        "advisory": "GHSA-95v4-748v-fmf9",
        "discovery": "UNKNOWN"
      },
      "title": "Externally Controlled Reference to a Resource in Another Sphere in MSEdgeRedirect",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-43844",
          "STATE": "PUBLIC",
          "TITLE": "Externally Controlled Reference to a Resource in Another Sphere in MSEdgeRedirect"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MSEdgeRedirect",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 0.5.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "rcmaehl"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user\u0027s default browser. MSEdgeRedirect versions before 0.5.0.1 are vulnerable to Remote Code Execution via specifically crafted URLs. This vulnerability requires user interaction and the acceptance of a prompt. With how MSEdgeRedirect is coded, parameters are impossible to pass to any launched file. However, there are two possible scenarios in which an attacker can do more than a minor annoyance. In Scenario 1 (confirmed), a user visits an attacker controlled webpage; the user is prompted with, and downloads, an executable payload; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and RCE executes the payload the user previously downloaded, if the download path is successfully guessed. In Scenario 2 (not yet confirmed), a user visits an attacked controlled webpage; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and a payload on a remote, attacker controlled, SMB server is executed. The issue was found in the _DecodeAndRun() function, in which I incorrectly assumed _WinAPI_UrlIs() would only accept web resources. Unfortunately, file:/// passes the default _WinAPI_UrlIs check(). File paths are now directly checked for and must fail. There is no currently known exploitation of this vulnerability in the wild. A patched version, 0.5.0.1, has been released that checks for and denies these crafted URLs. There are no workarounds for this issue. Users are advised not to accept any unexpected prompts from web pages."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9",
              "refsource": "CONFIRM",
              "url": "https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9"
            },
            {
              "name": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1",
              "refsource": "MISC",
              "url": "https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-95v4-748v-fmf9",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-43844",
    "datePublished": "2021-12-20T21:20:11",
    "dateReserved": "2021-11-16T00:00:00",
    "dateUpdated": "2024-08-04T04:10:16.980Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-43844\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-12-20T22:15:07.883\",\"lastModified\":\"2024-11-21T06:29:54.907\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user\u0027s default browser. MSEdgeRedirect versions before 0.5.0.1 are vulnerable to Remote Code Execution via specifically crafted URLs. This vulnerability requires user interaction and the acceptance of a prompt. With how MSEdgeRedirect is coded, parameters are impossible to pass to any launched file. However, there are two possible scenarios in which an attacker can do more than a minor annoyance. In Scenario 1 (confirmed), a user visits an attacker controlled webpage; the user is prompted with, and downloads, an executable payload; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and RCE executes the payload the user previously downloaded, if the download path is successfully guessed. In Scenario 2 (not yet confirmed), a user visits an attacked controlled webpage; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and a payload on a remote, attacker controlled, SMB server is executed. The issue was found in the _DecodeAndRun() function, in which I incorrectly assumed _WinAPI_UrlIs() would only accept web resources. Unfortunately, file:/// passes the default _WinAPI_UrlIs check(). File paths are now directly checked for and must fail. There is no currently known exploitation of this vulnerability in the wild. A patched version, 0.5.0.1, has been released that checks for and denies these crafted URLs. There are no workarounds for this issue. 
Users are advised not to accept any unexpected prompts from web pages.\"},{\"lang\":\"es\",\"value\":\"MSEdgeRedirect es una herramienta para redirigir las noticias, la b\u00fasqueda, los widgets, el tiempo, etc. al navegador predeterminado del usuario. MSEdgeRedirect versiones anteriores a 0.5.0.1 son vulnerables a una ejecuci\u00f3n de c\u00f3digo remota por medio de URLs espec\u00edficamente dise\u00f1adas. Esta vulnerabilidad requiere una interacci\u00f3n del usuario y la aceptaci\u00f3n de una solicitud. Con la forma en que est\u00e1 codificado MSEdgeRedirect, es imposible pasar par\u00e1metros a cualquier archivo lanzado. Sin embargo, se presentan dos posibles escenarios en los que un atacante puede hacer algo m\u00e1s que una peque\u00f1a molestia. En el escenario 1 (confirmado), un usuario visita una p\u00e1gina web controlada por el atacante; le es pedido al usuario que descargue una carga \u00fatil ejecutable; le es pedido al usuario que acepte el aviso de la URL dise\u00f1ada antes mencionado; y el RCE ejecuta la carga \u00fatil que el usuario descarg\u00f3 previamente, si es adivinada la ruta de descarga. En el escenario 2 (a\u00fan no confirmado), un usuario visita una p\u00e1gina web controlada por el atacante; le es pedido al usuario que acepte la solicitud de URL dise\u00f1ada antes mencionada; y es ejecutado una carga \u00fatil en un servidor SMB remoto controlado por el atacante. El problema es encontrado en la funci\u00f3n _DecodeAndRun(), en la que asum\u00ed incorrectamente que _WinAPI_UrlIs() s\u00f3lo aceptaba recursos web. Desafortunadamente, file:/// pasa la comprobaci\u00f3n _WinAPI_UrlIs() por defecto. Ahora son comprobados directamente las rutas de los archivos y deben fallar. Actualmente no es conocido ninguna explotaci\u00f3n de esta vulnerabilidad \\\"in the wild\\\". Ha sido publicado una versi\u00f3n parcheada, 0.5.0.1, que comprueba y rechaza estas URLs dise\u00f1adas. No se presentan soluciones para este problema. 
Se aconseja a usuarios que no acepten ninguna petici\u00f3n no esperada de las p\u00e1ginas web\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\"baseScore\":9.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.6,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-610\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:msedgeredirect_project:msedgeredirect:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.5.0.1\",\"matchCriteriaId\":\"BEFA729C-F38A-409D-9A03-B87DB276F497\"}]}]}],\"references\":[{\"url\":\"https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/rcmaehl/MSEdgeRedirect/releases/tag/0.5.0.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/rcmaehl/MSEdgeRedirect/security/advisories/GHSA-95v4-748v-fmf9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

