An elevation of privilege vulnerability was discovered in Microsoft virtual assistant ‘Cortana’. The issue arises due to a behavior glitch in Cortana. Upon successful exploitation an attacker can gain elevated command execution. The attacker would need physical access to the target machine to perform the attack. Microsoft has addressed this vulnerability in patches released in June 2018. CVE-2018-8140 has been assigned to track this vulnerability.
Vulnerability and Exploitation
As mentioned earlier the issue arises due a behavior glitch in Cortana when it obtains user-inputs with out considering status. Cortana accepts voice commands from the user and displays results or performs the voice commands. Searching for system resources is a much used functionality, the search results for files and applications are populated based on indexing. On a locked machine an attacker can invoke the contextual Windows menu by typing while Cortana starts to listen to a user voice query/command. Using this menu window attacker can search for an executable and run it. This action is limited by UAC.
The search results by Cortana are not all the same they are classified when they are displayed for eg a power shell script file will have ‘Open …’ option when categorized under Documents, the same file will have ‘Run …’ option when it is listed under recent documents. Which means all the attacker needs to do is open the script file in notepad, close it and search for it and it will be listed under recent files and execute the script by right-click option ‘Run….’. The issue with UAC still exists, power shell commands can be used to disable these security measures and attacker can continue with executing their desired scripts that can reset password, run commands etc.
For the exploit to succeed the files required by the attacker need to be indexed properly. To achieve this attacker can copy the file in a shared folder that is enabled for indexing or use a USB drive. A demo of this attack can be viewed here. CVE-2018-8140 combines 3 separate issues.
- The file result listed by Cortana can reveal the contents of the file.
- The classified results listed by Cortana can be used to execute scripts or execute application on a locked machine
- Logging in to locked machine by resetting the password using the above mentioned loopholes.
We request organization to apply the latest patches from Microsoft to address this vulnerability. Qualys customers can scan their network with QID: 91452 to detect vulnerable machines.
Please continue to follow Qualys Threat Protection for more information on vulnerabilities.