CVE CyberSecurity Database News

CVE-2024-21351 - Breaking Down the Windows SmartScreen Security Feature Bypass Vulnerability

Poster -

In early 2024, security researchers discovered a critical vulnerability affecting millions of Windows users: CVE-2024-21351. This security flaw lets attackers bypass the SmartScreen protection in Windows, which is meant to warn users about potentially harmful downloads. In this post, we'll break down what this vulnerability is, how it works, and even walk through a simple proof-of-concept to help understand the risk. We'll also provide resources where you can dig deeper.

What Is Windows SmartScreen?

Windows SmartScreen is a security feature built into Windows that checks downloaded files and applications against a list of reported malicious software. It pops up a warning if a file or download is considered risky. But what if this warning can be bypassed?

Why Does It Matter?

Without SmartScreen working correctly, users can be tricked into running malware, ransomware, or other attacks without any warning. This is especially dangerous in phishing attacks, where tricking people into opening malicious attachments is the goal.

How Does the Exploit Work?

Attackers can craft files (usually in special formats like .url, .lnk, or .internetshortcut), that, when opened, do not trigger a SmartScreen warning as they should. The core problem is a flaw in how SmartScreen processes certain shortcut files containing unusual or "specially-crafted" data. When a user opens (or is tricked into opening) one of these files, SmartScreen is bypassed, allowing malicious code to run unnoticed.

The vulnerability mainly affects files downloaded from the web or received as email attachments, which should trigger a "Windows protected your PC" dialog—but instead, it runs quietly.

Exploitation Example

Let's see how a simple .internetshortcut file can be used for this bypass.

Proof-of-Concept (PoC) Code

[InternetShortcut]
URL=file:///C:/Windows/System32/calc.exe
IDList=
HotKey=
IconFile=calc.exe
IconIndex=

How it Works:

The shortcut above should trigger SmartScreen, warning the user when they try to open it.

- By manipulating the shortcut (for example, by modifying alternate data streams or specific fields in the file), an attacker can prevent the SmartScreen dialog from appearing.

Example with Alternate Data Stream using PowerShell

# Create a malicious .url file
echo "[InternetShortcut]`nURL=file:///C:/Windows/System32/calc.exe" > payload.url

# Add a Zone.Identifier ADS to mark it as downloaded from the internet
echo "[ZoneTransfer]`nZoneId=3" > payload.url:Zone.Identifier

Normally, this triggers SmartScreen. But by manipulating the file's content or metadata in certain ways (details omitted for safety), the attacker can make the bypass work.

Step 1: Attacker sends "innocent-looking" shortcut file (.url or .lnk) via email or chat.

- Step 2: User downloads the file to their computer. Because of the special crafted content, SmartScreen alert does NOT show.
- Step 3: User opens the file, and the attacker's payload (e.g., a script or malware) runs without warning.

Microsoft CVE Page:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21351

Exploit Details and Technical Advisory:

- https://attackerkb.com/topics/88xy2Q5FC7/cve-2024-21351
- https://www.bleepingcomputer.com/news/security/microsoft-patch-tuesday-february-2024-fixes-73-flaws-two-zero-days/

Exploit Proof-of-Concept (GitHub):

- https://github.com/kaelSecurity/CVE-2024-21351

Final Thoughts

CVE-2024-21351 is a big deal—it weakens a primary defense in Windows. Attackers are always looking for ways around defenses; this vulnerability provides a powerful shortcut. With awareness and prompt patching, you can stay safer. But this is another reminder that even built-in security tools can fail if not updated.

Timeline

Published on: 02/13/2024 18:15:51 UTC
Last modified on: 02/15/2024 02:00:01 UTC