
CVE-2024-38112 | MSHTML | RCE

Vulnerability: CVE-2024-38112
Type: MSHTML Platform Spoofing Vulnerability
Description: The vulnerability occurs when a file is named with arbitrary non-printable characters to hide its extension. The APT employs various tactics to deceive victims into clicking and running an HTA file, including:
  • Hiding the .hta file extension.
  • Using a misleading icon, such as a PDF icon, for a .url file.
  • Utilizing the mshtml protocol to launch Internet Explorer, which is deprecated on Windows 10 and 11, instead of Microsoft Edge.
The Impact of the Bug: Exploiting this vulnerability can lead to Remote Code Execution when the victim is tricked into clicking and running an HTA file. This attack can be combined with other vulnerabilities in Internet Explorer, which is now out of support and retired.
How to detect if you have an application vulnerable to this attack vector? There are several ways:
  • Process Monitoring:
    • Look for iexplore.exe and mshta.exe running under svchost DcomLaunch services.
  • File Analysis:
    • Inspect URL files for mshtml and x-usc directives.
  • Browser Artifacts:
    • Check Internet Explorer’s visit history and cache for HTA files.
  • Event Logs:
    • Monitor Windows Event ID 28117 in Microsoft-Windows-Shell-Core for full URLs encoded in .url files.
  • Execution Artifacts:
    • Look for execution traces of mshta.exe and iexplore.exe.
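
An added example (not from the original entry or the referenced reports) of the File Analysis check above: it parses .url files and flags a URL that uses the MHTML handler or carries an x-usc directive. The function names, finding labels and constructed samples are assumptions of this example, as is matching the `mhtml:` scheme spelling alongside the page's `mshtml`.

```python
import os

def parse_url_file(text):
    """Return the [InternetShortcut] keys of a .url file, lower-cased."""
    section, fields = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields

def inspect_url_file(text):
    """Return finding labels for one shortcut; an empty list means clean."""
    fields = parse_url_file(text)
    target = fields.get("url", "").lower()
    findings = []
    # Assumption: the handler shows up as the URL scheme, spelled "mhtml:";
    # "mshtml:" is matched too, since that is how the page spells it.
    if target.startswith(("mhtml:", "mshtml:")):
        findings.append("mhtml-handler")
    if "x-usc:" in target:
        findings.append("x-usc-directive")
    # A custom icon is common on benign shortcuts, so it is reported only
    # as supporting context when the URL itself is already flagged.
    if findings and "iconfile" in fields:
        findings.append("custom-icon")
    return findings

def scan_tree(root):
    """Walk a directory and map each flagged .url path to its findings."""
    flagged = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".url"):
                path = os.path.join(folder, name)
                with open(path, "rb") as handle:
                    raw = handle.read()
                codec = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
                findings = inspect_url_file(raw.decode(codec, errors="replace"))
                if findings:
                    flagged[path] = findings
    return flagged

# Constructed samples (hosts and paths are placeholders, not real indicators).
SAMPLE_FLAGGED = "[InternetShortcut]\nURL=mhtml:http://host.invalid/a.html!x-usc:http://host.invalid/a.html\nIconFile=C:\\constructed\\viewer.exe\nIconIndex=0\n"
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://host.invalid/docs\nIconFile=C:\\constructed\\favicon.ico\n"
```

Run `scan_tree` over download folders, mail attachment caches or collected triage images; a hit is a lead to correlate with the process and event-log checks in this list, not a verdict on its own.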
References:
https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/
https://www.trendmicro.com/en_us/research/24/g/cve-2024-38112-void-banshee.html
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38112