This month's Microsoft Patch Tuesday release includes the MS15-004 patch, which fixes a vulnerability that could allow elevation of privilege (CVE-2015-0016). This is a very rare IE sandbox vulnerability, and Trend Micro researchers have analyzed it in detail.
The vulnerability is in the TSWbPrxy.exe module. TSWbPrxy.exe is an ActiveX control, the Microsoft Remote Desktop Services Web Proxy program. First, I used the IDA plugin patchdiff2 to view what the patch modified; the modification is in the function CTSWebProxy::StartRemoteDesktop.
I used OleView to load TSWbPrxy.exe and view the definition of CTSWebProxy::StartRemoteDesktop.
I found that StartRemoteDesktop has two parameters, both related to mstsc.exe, the Remote Desktop program.
bstrMstsc: mstsc.exe file path
bstrArguments: mstsc.exe parameters