Microsoft SmartScreen Exploited again !!
SmartScreen, a crucial feature of Windows that warns users about potentially malicious downloads, has been exploited again by attackers. The vulnerability in question is CVE-2022-44698, which allows attackers to bypass the security warning by providing a JScript file with a malformed signature.
Microsoft has already patched this vulnerability, but the attackers found a new bypass in CVE-2023-24880 that exploits a different part of the code. In this blog, we will take a detailed look at both vulnerabilities and explore their root cause and bypass mechanisms.
CVE-2022-44698 - Root Cause Analysis
The root cause of CVE-2022-44698 is an error in the function windows::security::signature_info::retrieve of smartscreen.exe. This function retrieves information about the digital signature of a file, including the signer certificate.
It calls WTGetSignatureInfo in wintrust.dll to retrieve a CERT_CONTEXT structure pointer (cert_context) and a HANDLE (wvt_state_data). Next, the function calls WTHelperProvDataFromStateData on wvt_state_data, which returns a CRYPT_PROVIDER_DATA structure pointer (crypt_provider_data). An error is raised if crypt_provider_data and its member hMsg are non-NULL but cert_context is NULL.
Bypass
The attackers exploited this error by providing an Authenticode signature whose signer certificate serial number cannot be found among the SignedData certificates.
wintrust.dll is then unable to find the signer's certificate, so WTGetSignatureInfo returns NULL for cert_context, triggering the error.
Microsoft patched CVE-2022-44698 by no longer raising an error in this specific case and taking an alternative path instead. The patch is not a complete fix, however: attackers found another way to return an error to shdocvw.dll, which fails open and does not display the security warning.
CVE-2023-24880 - Root Cause Analysis
CVE-2023-24880 is another error in smartscreen.exe, specifically in the function windows::security::authenticode_information::create, which is called by windows::security::signature_info::retrieve.
It checks whether crypt_provider_data->pPDSip->psIndirectData is non-NULL. If it is NULL, it calls THROW_HR, which returns an error to shdocvw.dll.
Bypass
The attackers exploited the same weakness that the patch for CVE-2022-44698 left open, this time using a signature that yields a valid cert_context, so the previous patch does not apply. They corrupted the ASN.1 numerical identifier (NID) of the SPC_INDIRECT_DATA_OBJID so that crypt_provider_data->pPDSip->psIndirectData is NULL, triggering the error.
Uncovering the SmartScreen Bypass: How Attackers Exploit CVE-2022-44698 and CVE-2023-24880
To bypass SmartScreen, the attacker creates a JScript file with a malformed signature that triggers an error in the SmartScreen request. The JScript file is then executed on the victim's machine. When the SmartScreen request returns an error, it triggers the behavior described above, bypassing the security warning.
The error is raised while parsing the file's signature in the windows::security::signature_info::retrieve function of smartscreen.exe. This function calls WTGetSignatureInfo in wintrust.dll to retrieve a CERT_CONTEXT structure pointer and a HANDLE wvt_state_data. For a well-formed signature, the CERT_CONTEXT points to the signer certificate.
The function then calls WTHelperProvDataFromStateData on wvt_state_data, which returns a CRYPT_PROVIDER_DATA structure pointer. If crypt_provider_data and its member hMsg are non-NULL but the CERT_CONTEXT is NULL, an E_INVALIDARG error is raised.
The attackers create an Authenticode signature in which the SignerInfo certificate serial number cannot be found among the SignedData certificates, so wintrust.dll is unable to find the signer's certificate. As a result, WTGetSignatureInfo returns NULL for the CERT_CONTEXT.
Microsoft patched CVE-2022-44698 in smartscreen.exe, but the patched code is also vulnerable. The patch no longer raises an error in the specific case described in CVE-2022-44698 and takes an alternative path instead, which attackers can use to reach other errors in the same code.
In the new bypass, the signature leads to a valid CERT_CONTEXT, so the CVE-2022-44698 patch is not applicable. windows::security::signature_info::retrieve calls windows::security::authenticode_information::create, which checks whether crypt_provider_data->pPDSip->psIndirectData is non-NULL. If it is NULL, it calls THROW_HR, which returns an error to shdocvw.dll.
To obtain a NULL crypt_provider_data->pPDSip->psIndirectData, the attackers corrupt the ASN.1 numerical identifier (NID) of the SPC_INDIRECT_DATA_OBJID, an Authenticode-specific Object Identifier (OID) that contains, for example, the message digest of the signed file.
The exploit results in a bypass of the security warning, which could potentially allow the attackers to execute malicious code on the victim's machine.
It seems that detecting the CVE-2022-44698 vulnerability early on would be challenging, as it involves a highly specific and complex set of circumstances.
However, one possible approach to detecting such vulnerabilities early is to use anomaly detection techniques to identify abnormal behavior patterns in the code. This involves scrutinizing and monitoring the application for unusual behaviors or error messages during the signature verification process. Any unexpected behavior, such as an error occurring while parsing a file's signature, could be flagged as potentially suspicious and investigated further.
Another is regular code audits and security assessments to identify vulnerabilities or weaknesses in the application. This could involve analyzing the code for potential issues related to signature verification, as well as reviewing the application's security features and policies.
A third is to develop more robust and secure methods for signature verification that are less vulnerable to attacks such as the CVE-2022-44698 bypass. This could involve implementing additional checks and validation procedures to ensure that the signature is valid and has not been tampered with.
Overall, detecting vulnerabilities such as CVE-2022-44698 requires a combination of proactive monitoring, thorough code analysis, and ongoing security assessments. By implementing these measures, organizations can help reduce the risk of such vulnerabilities being exploited and improve the overall security of their systems.
Conclusion
The vulnerabilities in smartscreen.exe are serious: they allow attackers to bypass the security warning and run potentially malicious downloads. Microsoft has patched CVE-2022-44698, but the new bypass in CVE-2023-24880 shows that the code still has flaws that can be exploited in the future!!