CVE-2024-38213: Copy2Pwn Exploit Evades Windows Web Protections
Zero Day Initiative threat researchers discovered CVE-2024-38213, a simple and effective way to bypass Windows mark-of-the-web protections leading to remote code execution.
In March 2024, Trend Micro’s Zero Day Initiative Threat Hunting team started analyzing samples connected to the activity carried out by DarkGate operators to infect users through copy-and-paste operations. This DarkGate campaign was an update from a previous campaign in which the DarkGate operators were exploiting a zero-day vulnerability, CVE-2024-21412, which we disclosed to Microsoft earlier this year.
The investigation into this campaign directly influenced further vulnerability research into Windows Defender SmartScreen and how files originating from WebDAV shares are handled during copy-and-paste operations. As a result, we discovered and reported CVE-2024-38213 to Microsoft, which they patched in June. This exploit, which we've named copy2pwn, results in a file from a WebDAV share being copied locally without Mark-of-the-Web protections.
What is Web-based Distributed Authoring and Versioning (WebDAV)?Web-based Distributed Authoring and Versioning (WebDAV) is an extension to the Hypertext Transfer Protocol (HTTP). It provides added functionality to HTTP, including features such as authoring, sharing, and versioning.
Since WebDAV is based on HTTP, WebDAV shares can be accessed through a web browser using the HTTP protocol, for example, at http://10.37.129.2/example_webdav_folder/somefile. When a file is downloaded from a WebDAV share using a browser such as Microsoft Edge or Google Chrome, it is treated the same as any other file downloaded from the web. As expected, the local copy of the file is marked with the Mark-of-the-Web.
On Windows, users can also access and mount WebDAV shares via UNC paths, such as \\10.37.129.2@80\example_webdav_folder. A user can browse to a path of this form using Windows Explorer. This functions in a similar manner to accessing SMB shares through Windows. When accessing files in this manner, they are handled directly by the Windows operating system and not by the browser.
Threat Actors and WebDAV SharesRecently, we’ve seen an increase in threat actors hosting payloads on WebDAV shares. This activity has led to the discovery of numerous vulnerabilities abused as zero-days clustered around accessing malicious payloads from WebDAV shares. These include vulnerabilities such as CVE-2023-36025 and, more recently, CVE-2024-21412, with an additional fix from Microsoft in the form of CVE-2024-29988. These vulnerabilities center around Mark-of-the-Web bypasses and evading built-in Microsoft protections such as Windows Defender SmartScreen.
As mentioned, WebDAV shares accessed through Windows Explorer are handled by the Windows operating system as opposed to a browser. Many threat actors are aware of the implications of this with regard to Mark-of-the-Web. During our threat-hunting investigations, we uncovered many threat actors deploying an easy method utilizing the Windows search protocol to open WebDAV searches through Windows Explorer.
Figure 1 – Search query logic that opens a WebDAV share through Windows Explorer
When accessed with a web browser, this prompts the user to open the WebDAV share in Windows Explorer.
Figure 2 – Microsoft Edge prompts users to open the WebDAV share in Windows Explorer
Using the logic from Figure 1, threat actors can exercise a high degree of control over what the end user sees on the WebDAV share. This is done by crafting a specific Windows search query that only displays those files the threat actor wants the user to see. Furthermore, by utilizing certain file types such as Internet Shortcut (.url) or Shortcut (.lnk), the threat actor may change the file icon to make it appear as if the malicious file is a completely different type. This lures the user into inadvertently executing scripts or binaries.
Figure 3 – The Windows Explorer window is crafted to only display poc.lnk.zip
Under normal circumstances, files served over WebDAV would receive the Mark-of-the-Web and Windows Defender SmartScreen protections. However, there are a cluster of vulnerabilities mentioned above, and possibly more, that can be used for evasion.
The Importance of Mark-of-the-Web (MotW) ProtectionsWhen a user downloads a file from an untrusted source such as the web, Windows adds the Mark-of-the-Web to the local copy of the file. The Mark-of-the-Web consists of an NTFS Alternate Data Stream (ADS) with the name Zone.Identifier. Within this stream is the text ZoneId=3, indicating that the file originated from an untrusted source.
Figure 4 – ZoneId=3 is applied to files that originate from an untrusted source
The presence of the Mark-of-the-Web triggers additional security checks and prompts when opening the file. This helps reduce the risk of executing untrusted content.
Figure 5 – A security prompt shown due to the presence of the Mark-of-the-Web
The Mark-of-the-Web is also needed for the functioning of other key protection mechanisms:
· Windows Defender SmartScreen, which examines files based on reputation and signature
· Microsoft Office Protected View, which protects users from threats such as malicious macros and Dynamic Data Exchange (DDE) attacks.
Figure 6 – A Windows Defender SmartScreen prompt
Unfortunately, threat actors have discovered that Windows does not always handle or properly apply the Mark-of-the-Web to files served over WebDAV. Historically, Windows has treated WebDAV shares more akin to SMB shares, as opposed to HTTP web servers. This can be quite dangerous.
Bypassing Mark-of-the-Web Protections with CVE-2024-38213Before the release of the Microsoft June security patch, files copied and pasted from WebDAV shares did not receive the Mark-of-the-Web designations. This meant that users might copy and paste files from a WebDAV share to their desktop, and those files could subsequently be opened without the protections of Windows Defender SmartScreen or Microsoft Office Protected View. In particular, this means that there would be no reputation or signature checks on executables.
Copy and paste operations are ubiquitous so Windows users need to ensure that they are fully protected from clipboard hijacking, pastejacking , and copy2pwn attacks, especially in light of recent threat actor activity leveraging WebDAV shares for payload deployment.
ConclusionThe Zero Day Initiative Threat Hunting Team constantly monitors for new and emerging zero-day threats. During our analysis of existing and previous threat actors and APT activities, we often discover new tactics, techniques, procedures, and hidden zero-day vulnerabilities.
This case emphasizes the integration of ZDI threat hunting with proactive vulnerability research within the ZDI program. By combining threat research with the Zero Day Initiative's core vulnerability research program, the ZDI Threat Hunting Team can develop new adversarial models and simulate new attack strategies as they might occur in the real world. This integration enables us to protect and defend customers from potentially hidden attack methods and chains before threat actors can incorporate them into their attack strategies.
We’ll be back with more findings as we have them. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.