A persistent vulnerability in Windows’ Narrator accessibility tool has been identified, allowing attackers to exploit DLL hijacking techniques for stealthy code execution, system persistence, and lateral movement. This flaw, initially reported in 2013, remains present in modern Windows 10 and 11 versions.
Exploitation of Narrator’s DLL Loading Mechanism
The vulnerability centers on how Narrator.exe loads the `MSTTSLocOneCoreEnUS.dll` from the `%windir%\system32\speech_onecore\engines\tts` directory. By replacing this DLL with a malicious version, attackers can execute arbitrary code upon launching Narrator, without the need for any exports. The payload is triggered through the DLL’s `DllMain` function. To avoid detection, attackers can suspend Narrator’s main thread, silencing its voice output and preventing visual cues that might alert users.
Achieving Persistence via Registry Modifications
Attackers can establish persistence by modifying the Windows registry:
– User-Level Persistence: By creating a `REG_SZ` value named configuration set to Narrator under `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility`, the malicious DLL is triggered upon user login. This method requires no elevated privileges beyond initial access, making it effective for maintaining a foothold in user contexts.
– SYSTEM-Level Persistence: Applying the same registry change under `HKLM` allows the malicious DLL to launch at the login screen with elevated privileges.
Facilitating Lateral Movement
The technique can also be used for lateral movement:
1. Remote Registry Access: Attackers with remote registry access can deploy the malicious DLL and modify `HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer` to 0.
2. Triggering Narrator Remotely: By initiating an RDP connection to the target and triggering Narrator via `Ctrl+Win+Enter` at the login screen, the payload executes as SYSTEM before the session closes. This requires quick process migration for sustained access.
Custom Accessibility Tools for Payload Delivery
Attackers can craft custom accessibility tools by exporting and importing registry settings, pointing to arbitrary executables, including UNC network paths for remote payload delivery. Triggering via `ATBroker.exe /start` further enhances flexibility.
Mitigation Recommendations
While no CVE has been assigned to this vulnerability yet, it underscores the risks associated with unpatched legacy behaviors in accessibility features. Organizations are advised to:
– Monitor Registry Changes: Regularly audit and monitor registry changes related to accessibility features.
– Inspect DLL Paths: Ensure the integrity of DLL paths and be vigilant for unauthorized modifications.
– Implement Security Controls: Apply security controls that can detect and prevent unauthorized DLL loading and registry modifications.
By proactively addressing these areas, organizations can mitigate the risks posed by this vulnerability and enhance their overall security posture.
