RenderShock 0-Click Vulnerability Executes Payloads via Background Process Without User Interaction


RenderShock is a sophisticated zero-click attack methodology that exploits passive file preview and indexing behaviors in modern operating systems to execute malicious payloads without requiring any user interaction.

Unlike traditional phishing campaigns that rely on users clicking malicious links or opening infected attachments, RenderShock leverages built-in system automation features to achieve compromise through legitimate background processes.

Key Takeaways
1. RenderShock attacks exploit file preview systems without requiring user interaction.
2. Affects Windows Explorer, macOS Quick Look, and automatic file indexing services.
3. Uses malicious LNK files, PDFs, and Office documents to trigger NTLM theft and code execution.
4. Enables credential harvesting and remote access; requires disabling preview panes and blocking SMB traffic.

RenderShock 0-Click Vulnerability

CYFIRMA reports that RenderShock targets multiple passive execution surfaces that automatically engage with file content without explicit user action. 


The vulnerability affects Windows Explorer Preview Pane, macOS Quick Look, email client preview systems, and file indexing services, including Windows Search Indexer and Spotlight. 

Figure: RenderShock Passive Execution Flow

These systems process files in memory, often invoking registered preview handlers that can trigger malicious code execution.

The attack methodology exploits preview subsystems by embedding malicious logic in document metadata, utilizing UNC paths for NTLM credential harvesting, and leveraging Office macro execution during preview rendering. 

For example, a crafted PDF with external references can trigger outbound SMB connections when processed by preview handlers, potentially leaking NTLMv2 hashes to attacker-controlled servers.


RenderShock employs both foundational and advanced payload techniques. Foundational payloads include malicious LNK files with UNC icon paths that cause Windows Explorer to initiate NTLM authentication when browsing folders, and RTF files containing INCLUDEPICTURE field injections that fetch remote resources during preview. 

Advanced techniques involve polyglot file formats that confuse multiple parsers, remote template injection in Office documents without macros, and poisoned ICC color profiles in images.

A typical attack chain involves creating a malicious .lnk file with a remote icon path (\\attacker-ip\icon.ico), embedding it in a ZIP archive, and delivering it through helpdesk portals or shared directories.

When users preview the ZIP contents, Windows automatically attempts to load the remote icon, triggering SMB authentication requests that can be intercepted using tools like Responder.


Mitigations

The vulnerability enables multiple attack vectors, including reconnaissance through passive beacons, credential theft via NTLMv2 harvesting, and remote code execution through preview-based macro execution. 

Attackers can achieve persistence by placing malicious .desktop files or LaunchAgents in trusted autostart directories, and perform lateral movement using harvested credentials.

Security teams should implement comprehensive defenses, including disabling preview panes in Windows Explorer and Quick Look on macOS, blocking outbound SMB traffic (TCP 445) to untrusted networks, and enforcing macro blocking through Group Policy. 

Organizations must also deploy behavioral monitoring to detect unusual network activity from preview-related processes like explorer.exe, searchindexer.exe, and quicklookd.
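As an added example of the behavioral monitoring described above (this is not code from the article or from CYFIRMA's report), the following Python script scans network-connection records in the style of Sysmon Event ID 3 and raises an alert whenever one of the preview or indexing processes named in the article (explorer.exe, searchindexer.exe, quicklookd, plus outlook.exe as an assumption for email-client previews) opens an outbound TCP 445 connection to an address outside a configured set of trusted networks. The field names, the trusted-network list, and the sample log lines are all constructed for the demonstration.

```python
"""Flag outbound SMB (TCP 445) connections from passive file-rendering processes.

Added example, not from the article or CYFIRMA. Record field names, the
trusted networks and the sample events are constructed for this demo.
"""
import ipaddress
import json
from typing import Iterable, List

# Processes the article names as preview/indexing surfaces. outlook.exe is an
# assumption added here to cover email-client preview panes.
PREVIEW_PROCESSES = {"explorer.exe", "searchindexer.exe", "quicklookd", "outlook.exe"}

# TCP 445 is the port the article recommends blocking to untrusted networks.
SMB_PORT = 445

# Networks where SMB from these processes is expected (internal file servers).
# Constructed for the example; replace with your own address plan.
DEFAULT_TRUSTED = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Constructed log lines (one JSON object per line), loosely modelled on
# Sysmon Event ID 3. Destination addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = r"""
{"image": "C:\\Windows\\explorer.exe", "dst_ip": "203.0.113.10", "dst_port": 445, "proto": "tcp", "user": "CORP\\alice"}
{"image": "C:\\Windows\\explorer.exe", "dst_ip": "10.0.0.5", "dst_port": 445, "proto": "tcp", "user": "CORP\\alice"}
{"image": "C:\\Windows\\System32\\SearchIndexer.exe", "dst_ip": "198.51.100.7", "dst_port": 445, "proto": "tcp", "user": "NT AUTHORITY\\SYSTEM"}
{"image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "dst_ip": "203.0.113.10", "dst_port": 443, "proto": "tcp", "user": "CORP\\alice"}
{"image": "/System/Library/Frameworks/QuickLook.framework/Resources/quicklookd", "dst_ip": "203.0.113.44", "dst_port": 445, "proto": "tcp", "user": "bob"}
"""


def process_name(image: str) -> str:
    """Case-folded basename of a process image path, for Windows or POSIX paths."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_events(lines: Iterable[str], trusted=DEFAULT_TRUSTED) -> List[dict]:
    """Return one alert per TCP 445 connection made by a preview/indexing
    process to a destination outside the trusted networks."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        proc = process_name(ev["image"])
        if proc not in PREVIEW_PROCESSES:
            continue  # not a passive rendering/indexing process
        if ev.get("proto") != "tcp" or ev["dst_port"] != SMB_PORT:
            continue  # only SMB is of interest here
        dst = ipaddress.ip_address(ev["dst_ip"])
        if any(dst in net for net in trusted):
            continue  # expected traffic to internal file shares
        alerts.append({"process": proc, "dst_ip": str(dst), "user": ev.get("user", "?")})
    return alerts


def main():
    for alert in analyze_events(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {alert['process']} -> {alert['dst_ip']}:{SMB_PORT} as {alert['user']}")


if __name__ == "__main__":
    main()
```

Running the script prints three alerts (explorer.exe, searchindexer.exe and quicklookd reaching untrusted addresses on port 445) and stays silent on the connection to the internal 10.0.0.5 file server and on the browser's HTTPS traffic. In production the same rule would be fed from an EDR or Sysmon pipeline rather than the embedded sample, and the trusted-network list should be as narrow as the environment allows, since a single permitted route to an untrusted SMB listener is all a preview-triggered NTLM leak needs.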

The RenderShock framework demonstrates that modern computing environments’ emphasis on user convenience creates silent execution paths that require no interaction, fundamentally challenging traditional security assumptions about file-based attacks and necessitating a reevaluation of how systems handle passive file processing.
