Security experts recently uncovered a vulnerability, CVE-2024-38213, that allows threat actors to bypass Windows’ Mark-of-the-Web (MotW) protections through copy-and-paste operations.
This vulnerability, dubbed “copy2pwn,” highlights the ongoing efforts of cybercriminals to exploit weaknesses in Windows security features and the importance of proactive vulnerability research.
Threat of WebDAV Shares
Web-based Distributed Authoring and Versioning (WebDAV) is an extension to the Hypertext Transfer Protocol (HTTP) that provides added functionality, including file sharing and versioning. While WebDAV shares can be accessed through web browsers, they can also be mounted as Windows Explorer paths, bypassing the typical MotW protections.
Threat actors have increasingly leveraged WebDAV shares to host malicious payloads, taking advantage of vulnerabilities such as CVE-2024-36025 and CVE-2024-21412 to evade built-in Microsoft protections like Windows Defender SmartScreen. By crafting specific Windows search queries, attackers can control the files displayed in the WebDAV share, potentially disguising malicious files as harmless ones.
The Mark-of-the-Web is a crucial security feature in Windows that applies an NTFS Alternate Data Stream (ADS) to files downloaded from the internet. This triggers additional security checks and prompts, reducing the risk of executing untrusted content.
The MotW is essential for the proper functioning of other protective mechanisms, such as Windows Defender SmartScreen and Microsoft Office Protected View. Without the MotW, these safeguards are rendered ineffective, leaving users vulnerable to malicious content.
Researchers from the Zero Day Initiative (ZDI) Threat Hunting team observed the campaign as an update to a previous campaign where DarkGate operators exploited the zero-day vulnerability, CVE-2024-21412, that had been disclosed to Microsoft by researchers.
Copy2Pwn Bypasses MotW Protections
Before the release of Microsoft’s June 2024 security patch, files copied and pasted from WebDAV shares did not receive the MotW designation. This meant that users could unknowingly copy and paste files from a WebDAV share to their desktop, and those files could be opened without the protections of Windows Defender SmartScreen or Microsoft Office Protected View.
Researchers observed an increase in threat actors hosting payloads on WebDAV shares. This activity has led to the discovery of numerous vulnerabilities abused as zero-days clustered around accessing malicious payloads from WebDAV shares.
The researchers reported CVE-2024-38213 to Microsoft, which had been identified as a ‘Windows Mark of the Web Security Feature Bypass Vulnerability‘ and patched in June.
To mitigate against similar clipboard hijacking, pastejacking, and copy2pwn attacks, users should be cautious when accessing WebDAV shares and remain vigilant when copying and pasting files from these sources
