
Microsoft SmartScreen Exploited again!!

SmartScreen, a crucial feature of Windows that warns users about potentially malicious downloads, has been exploited again by attackers. The vulnerability in question is CVE-2022-44698, which allows attackers to bypass the security warning by providing a JScript file with a malformed signature.

Microsoft has already patched this vulnerability, but the attackers found a new bypass in CVE-2023-24880 that exploits a different part of the code. In this blog, we will take a detailed look at both vulnerabilities and explore their root cause and bypass mechanisms.

CVE-2022-44698 - Root Cause Analysis

The root cause of CVE-2022-44698 is an error in the function windows::security::signature_info::retrieve of smartscreen.exe. This function retrieves information about the digital signature of a file, including the signer certificate.

It calls WTGetSignatureInfo in wintrust.dll to retrieve a CERT_CONTEXT structure pointer cert_context and a HANDLE wvt_state_data. Next, the function calls WTHelperProvDataFromStateData on wvt_state_data, which returns a CRYPT_PROVIDER_DATA structure pointer crypt_provider_data. An error is raised if crypt_provider_data and its member hMsg are non-NULL, but cert_context is NULL.

Bypass

The attackers exploited this error by providing an Authenticode signature with a signer certificate serial number that cannot be found among the SignedData certificates.

Because wintrust.dll cannot find the certificate for that signer, WTGetSignatureInfo returns a NULL value for cert_context, which triggers the error.

Microsoft patched CVE-2022-44698 by no longer raising an error in this specific case and taking an alternative path instead. However, this patch is not foolproof: attackers found another way to return an error to shdocvw.dll, which fails open and does not display a security warning.

CVE-2023-24880 - Root Cause Analysis

CVE-2023-24880 is another error in smartscreen.exe, specifically in the function windows::security::authenticode_information::create, which is called by windows::security::signature_info::retrieve.

It checks whether crypt_provider_data->pPDSip->psIndirectData is non-NULL. If it is NULL, it calls THROW_HR, which returns an error to shdocvw.dll.

Bypass

The attackers exploited the same fail-open path in the code that the patch for CVE-2022-44698 left in place, this time using a signature that leads to a valid cert_context.

Since cert_context is valid, the previous patch does not apply. Instead, they corrupted the ASN.1 numerical identifier (NID) of the SPC_INDIRECT_DATA_OBJID so that crypt_provider_data->pPDSip->psIndirectData is NULL, triggering the error.

Uncovering the SmartScreen Bypass: How Attackers Exploit CVE-2022-44698 and CVE-2023-24880

The attacker creates a JScript file with a malformed signature that triggers an error in the SmartScreen request.
The JScript file is then executed on the victim's machine.
When the SmartScreen request returns an error, it triggers the behavior described in the vulnerability, bypassing the security warning.
The error is raised while parsing the file's signature in the windows::security::signature_info::retrieve function of smartscreen.exe.
This function calls WTGetSignatureInfo in wintrust.dll to retrieve a CERT_CONTEXT structure pointer and a HANDLE wvt_state_data. For a well-formed signature, the CERT_CONTEXT points to the signer certificate.
The function then calls WTHelperProvDataFromStateData on wvt_state_data, which returns a CRYPT_PROVIDER_DATA structure pointer. If crypt_provider_data and its member hMsg are non-NULL, but CERT_CONTEXT is NULL, an E_INVALIDARG error is raised.
The attackers create an Authenticode signature where the SignerInfo certificate serial number cannot be found among the SignedData certificates, leading to wintrust.dll not being able to find the certificate for the signer. This results in WTGetSignatureInfo returning a NULL value for CERT_CONTEXT.
Microsoft patched CVE-2022-44698 in smartscreen.exe, but the patched code is still vulnerable. The patch no longer raises an error in the specific case described in CVE-2022-44698 and takes an alternative path instead, which attackers can reach through other errors in the same code.
In the new bypass, the signature leads to a valid CERT_CONTEXT, so the CVE-2022-44698 patch is not applicable. windows::security::signature_info::retrieve calls windows::security::authenticode_information::create, which checks if crypt_provider_data->pPDSip->psIndirectData is non-NULL. If not, it calls THROW_HR, which returns an error to shdocvw.dll.
To obtain a NULL crypt_provider_data->pPDSip->psIndirectData, the attackers corrupt the ASN1 numerical identifier (NID) of the SPC_INDIRECT_DATA_OBJID, an Authenticode specific Object Identifier (OID) that contains, for example, the message digest of the signed file.
The exploit results in a bypass of the security warning, which could potentially allow the attackers to execute malicious code on the victim's machine.

It seems that detecting the CVE-2022-44698 vulnerability early on would be challenging, as it involves a highly specific and complex set of circumstances.

However, one possible approach to detecting such vulnerabilities early on is to use anomaly detection techniques to identify abnormal behavior patterns in the code. This could involve scrutinizing and monitoring the application for any unusual behavior or error messages that occur during the signature verification process. Any unexpected behavior, such as an error occurring while parsing a file's signature, could be flagged as potentially suspicious and investigated further.

Regular code audits and security assessments can identify vulnerabilities or weaknesses in the application. This could involve analyzing the code for any potential issues related to signature verification, as well as reviewing the application's security features and policies.

Developing more robust and secure methods for signature verification would make the application less vulnerable to attacks such as the CVE-2022-44698 bypass. This could involve implementing additional checks and validation procedures to ensure that the signature is valid and has not been tampered with, and treating any verification error as a reason to warn rather than to fail open.
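As an added example (not code from this post, from Microsoft, or from the original analysis of these CVEs), the following Python models the two signature malformations walked through above on a cut-down SignedData structure and applies the fail-closed check the preceding paragraph calls for. The DER helpers, the build_signed_data sample builder and the serial numbers are constructed for illustration; only the two OIDs are real.

```python
# Added example (not code from the post, Microsoft or the CVE analysis): cut-down Authenticode SignedData model + fail-closed check.
SPC_INDIRECT_DATA_OBJID = "1.3.6.1.4.1.311.2.1.4"             # Authenticode content type OID
SPC_INDIRECT_DATA_DER = bytes.fromhex("2b060104018237020104")  # its DER-encoded value

def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length only: samples stay under 128 bytes
def der_int(n):
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def oid_str(body):  # decode a DER OID body (base-128 arcs) into dotted notation
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, v = parts + [v], 0
    return ".".join(map(str, parts))

def children(body):  # split a constructed DER body into its (tag, body) children
    out, off = [], 0
    while off < len(body):
        tag, ln = body[off], body[off + 1]
        out.append((tag, body[off + 2:off + 2 + ln]))
        off += 2 + ln
    return out

def build_signed_data(content_oid_der, cert_serials, signer_serial):
    """Constructed SignedData keeping only contentInfo, [0] certificates and signerInfos."""
    content_info = der(0x30, der(0x06, content_oid_der))
    certs = der(0xA0, b"".join(der(0x30, der_int(s)) for s in cert_serials))
    return der(0x30, content_info + certs + der(0x31, der(0x30, der_int(signer_serial))))

def check_signature(blob):
    """Return (decision, findings); fails closed, so any finding or parse error means 'warn'."""
    findings = []
    try:
        content_info, certs, signer_infos = children(children(blob)[0][1])
        ctype = oid_str(children(content_info[1])[0][1])
        if ctype != SPC_INDIRECT_DATA_OBJID:  # CVE-2023-24880 shape: corrupted content-type OID
            findings.append("contentType is not SPC_INDIRECT_DATA_OBJID: " + ctype)
        serials = {children(c)[0][1] for _, c in children(certs[1])}
        for _, si in children(signer_infos[1]):  # CVE-2022-44698 shape: signer serial unknown
            if children(si)[0][1] not in serials:
                findings.append("SignerInfo serial matches no certificate in SignedData")
    except (IndexError, ValueError) as exc:
        findings.append("unparseable signature: %r" % exc)
    return ("warn" if findings else "allow"), findings

GOOD = build_signed_data(SPC_INDIRECT_DATA_DER, [0x1234], 0x1234)  # constructed samples, not real files
UNKNOWN_SIGNER = build_signed_data(SPC_INDIRECT_DATA_DER, [0x1234], 0x9999)
WRONG_OID = build_signed_data(bytes.fromhex("2a864886f70d010701"), [0x1234], 0x1234)  # id-data OID 1.2.840.113549.1.7.1
```

The point of check_signature is the last line: a malformed or unparseable signature yields "warn", whereas the bypasses described above relied on the error path yielding the equivalent of "allow".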

Overall, detecting vulnerabilities such as CVE-2022-44698 requires a combination of proactive monitoring, thorough code analysis, and ongoing security assessments. By implementing these measures, organizations can help reduce the risk of such vulnerabilities being exploited and improve the overall security of their systems.

Conclusion

The vulnerabilities in smartscreen.exe are serious and could allow attackers to bypass the security warning and run potentially malicious downloads. Microsoft has patched CVE-2022-44698, but the new bypass in CVE-2023-24880 shows that the code still has flaws that can be exploited in the future!!