

A fellow researcher, Styx, and I were the leads on this research, and we were backed up by CyberSecStu and 5w0rdFish from The Many Hats Club.

We discovered a vulnerability within the Discord client that enabled an attacker to call local programs on a target system. We then took this flaw and used it to pivot through MS-Word macros to start a reverse TCP shell automatically from the Discord client.

What is a Uniform Resource Identifier (URI)?

A Uniform Resource Identifier (URI) is a string of characters that unambiguously identifies a particular resource. To guarantee uniformity, all URIs follow a predefined set of syntax rules, but also maintain extensibility through a separately defined hierarchical naming scheme (e.g.

For more information check out Shay’s work on different methods of URI abuse in Discord here.

We were informed by a third party that the Discord client will accept URI schemes as links if you put it in

It would enable us to call local applications. So when Discord is passed a URI like below “

This would be interpreted by Discord as a link and when clicked would cause the calculator application to execute and open on the local machine.

Styx and I then began researching into URIs and the types of requests we could make. From there we began enumerating which of the URIs we could execute and which would fail. If the URI was requesting something that wasn’t installed on the host system it would display the below message.

We soon discovered that you could make all sorts of local programs open. Some of the most interesting were all of the MS Office applications (ms-word://a), basic Windows applications, e.g. Calculator (calculator://a) or Mail (mailto://a), browsers using FTP (FTP://127.0.0.1) or Chrome using chrome://a, among many others.

Something we found interesting was the ability to open Windows Media Player and have it stream audio from the internet using where it would again just automatically open and connect without prompting the victim.
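The defensive counterpart to the link behaviour described on this page, added here as an example and not Discord's own code: a message renderer that auto-links only allowlisted URI schemes and reports every other scheme it finds, so a pasted calculator://a or ms-word://a is displayed as inert text. The regex, the allowlist and the function names are my own assumptions.

```javascript
// Added example, not Discord's code: a chat-message link filter that turns only
// allowlisted URI schemes into clickable links and reports every other scheme.
// Generic URI syntax (RFC 3986): scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
// so "calculator", "ms-word", "mailto", "ftp" and "chrome" are all syntactically
// valid schemes; the client, not the syntax, must decide which ones reach the OS.
const SCHEME_RE = /\b([a-z][a-z0-9+.-]*):(?:\/\/)?[^\s<>"']+/gi;
const ALLOWED_SCHEMES = new Set(["http", "https"]); // assumed allowlist

// Split every URI-looking token in a message by whether its scheme is allowlisted.
// The blocked list is what a client or moderation bot would log or alert on.
function classifyLinks(message) {
  const allowed = [];
  const blocked = [];
  for (const m of message.matchAll(SCHEME_RE)) {
    const entry = { uri: m[0], scheme: m[1].toLowerCase() };
    (ALLOWED_SCHEMES.has(entry.scheme) ? allowed : blocked).push(entry);
  }
  return { allowed, blocked };
}

// Minimal HTML escaping so message text can never inject markup of its own.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render a message: allowlisted URIs become anchors, anything else stays plain
// text, so a pasted "calculator://a" is shown to the user but is never clickable.
function renderMessage(message) {
  return escapeHtml(message).replace(SCHEME_RE, (uri, scheme) =>
    ALLOWED_SCHEMES.has(scheme.toLowerCase())
      ? `<a href="${uri}" rel="noopener noreferrer">${uri}</a>`
      : uri
  );
}

// Constructed sample message for a stand-alone run.
const sample = "try calculator://a or ms-word://a or https://example.com/docs";
console.log(classifyLinks(sample));
console.log(renderMessage(sample));
```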
