  • Exploited Windows zero-day lets JavaScript files bypass security warnings

    alf9872000

    • 430 views
    • 5 minutes

    An update was added to the end of the article explaining that any Authenticode-signed file, including executables, can be modified to bypass warnings.

     

    A new Windows zero-day allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors have already been seen using the zero-day bug in ransomware attacks.

     

    Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet and, therefore, as one to be treated with caution because it could be malicious.

     

    The MoTW flag is added to a downloaded file or email attachment as a special Alternate Data Stream called 'Zone.Identifier,' which can be viewed using the 'dir /R' command and opened directly in Notepad, as shown below.

     


    The Mark-of-the-Web alternate data stream - Source: BleepingComputer

     

    This 'Zone.Identifier' alternate data stream records which URL security zone the file came from (a value of three means the Internet), the referrer, and the URL of the file.

     

    When a user attempts to open a file with the Mark-of-the-Web flag, Windows will display a warning that the file should be treated with caution.

     

    "While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software," reads the warning from Windows.

     


    Windows security warning when opening files with MoTW flags - Source: BleepingComputer

     

    Microsoft Office also utilizes the MoTW flag to determine if the file should be opened in Protected View, causing macros to be disabled.

    Windows MoTW bypass zero-day flaw

    The HP threat intelligence team recently reported that threat actors are infecting devices with Magniber ransomware using JavaScript files.

     

    To be clear, we are not talking about JavaScript files commonly used on almost all websites, but .JS files distributed by threat actors as attachments or downloads that can run outside of a web browser.

     

    The JavaScript files seen distributed by the Magniber threat actors are digitally signed using an embedded base64 encoded signature block as described in this Microsoft support article.

     


    JavaScript file used to install the Magniber Ransomware - Source: BleepingComputer

     

    After analyzing the files, Will Dormann, a senior vulnerability analyst at ANALYGENCE, discovered that the attackers signed these files with a malformed key.

     


    Malformed signature in malicious JavaScript file - Source: BleepingComputer

     

    When signed in this manner, even though the JS file was downloaded from the Internet and received a MoTW flag, Microsoft would not display the security warning, and the script would automatically execute to install the Magniber ransomware.

     

    Dormann further tested the use of this malformed signature in JavaScript files and was able to create proof-of-concept JavaScript files that would bypass the MoTW warning.

     

    Both of these JavaScript (.JS) files were shared with BleepingComputer, and as you can see below, they both received a Mark-of-the-Web, as indicated by the red boxes, when downloaded from a website.

     


    Mark-of-the-Web on Dormann's PoC exploits - Source: BleepingComputer

     

    The difference between the two files is that one is signed using the same malformed key from the Magniber files, and the other contains no signature at all. 

     


    Dormann's PoC Exploits - Source: BleepingComputer

     

    When the unsigned file is opened in Windows 10, a MoTW security warning is properly displayed.

     

    However, when double-clicking 'calc-othersig.js', which is signed with a malformed key, Windows does not display a security warning and simply executes the JavaScript code, as demonstrated below.

     


    Demonstration of the Windows zero-day bypassing security warnings - Source: BleepingComputer

     

    Using this technique, threat actors can bypass the normal security warnings shown when opening downloaded JS files and automatically execute the script.

     

    BleepingComputer was able to reproduce the bug in Windows 10. However, for Windows 11, the bug would only trigger when running the JS file directly from an archive.

     

    Dormann told BleepingComputer that he believes this bug was first introduced with the release of Windows 10, as a fully patched Windows 8.1 device displays the MoTW security warning as expected.

     

     
    According to Dormann, the bug stems from Windows 10's new 'Check apps and files' SmartScreen feature under Windows Security > App & Browser Control > Reputation-based protection settings.
     

    "This issue is in the new-as-of-Win10 SmartScreen feature.  And disabling "Check apps and files" reverts Windows to the legacy behavior, where MotW prompts are unrelated to Authenticode signatures," Dormann told BleepingComputer.

     

    "So that whole setting is unfortunately currently a tradeoff.  On one hand, it does scan for baddies that are downloaded."

     

    "On the other, baddies that take advantage of this bug can get a LESS-SECURE behavior from Windows compared to when the feature is disabled."

     

    The zero-day vulnerability is particularly concerning as we know threat actors are actively exploiting it in ransomware attacks.

     

    Dormann shared the proof-of-concept with Microsoft, who said they could not reproduce the MoTW security warning bypass.

     

    However, Microsoft told BleepingComputer that they are aware of the reported issue and are investigating it.

     

    Update 10/22/22

     

    After the publication of this article, Dormann told BleepingComputer that threat actors could modify any Authenticode-signed file, including executables (.EXE), to bypass the MoTW security warnings.

     

    To do this, Dormann says that a signed executable can be modified using a hex editor to change some of the bytes in the signature portion of the file and thus corrupt the signature.

     

     
    Once the signature is corrupted, Windows will not check the file using SmartScreen, as if a MoTW flag was not present, and allow it to run.

     

    "Files that have a MotW are treated as if there were no MotW if the signature is corrupt. What real-world difference that makes depends on what type of file it is," explained Dormann.

     

    Source
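
A defender-side check for the behaviour described in the article, as an added example that is not part of the original article or of Dormann's proof-of-concept: this PowerShell script reads each file's 'Zone.Identifier' stream and lists files marked as coming from the Internet zone whose Authenticode signature is present but does not validate. The scan path, the extension list and the helper name Get-MotwInfo are assumptions; the article does not say which signature status Windows reports for the malformed signatures, so every status other than Valid, NotSigned or NotSupportedFileFormat is listed for triage.

```powershell
# Added example: list MoTW-tagged files whose Authenticode signature does not validate.
# $Path, $Extensions and Get-MotwInfo are assumptions, not taken from the article.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [string[]]$Extensions = @('.js', '.jse', '.vbs', '.wsf', '.exe', '.dll', '.msi')
)

function Get-MotwInfo {
    param([string]$LiteralPath)
    # Zone.Identifier is an INI-style alternate data stream; no stream means no MoTW.
    $lines = Get-Content -LiteralPath $LiteralPath -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    $info = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(ZoneId|ReferrerUrl|HostUrl)\s*=\s*(.*)$') {
            $info[$Matches[1]] = $Matches[2].Trim()
        }
    }
    # A stream without a numeric ZoneId is treated as "no usable MoTW".
    if ($info['ZoneId'] -notmatch '^\d+$') { return $null }
    [pscustomobject]@{
        ZoneId      = [int]$info['ZoneId']
        ReferrerUrl = $info['ReferrerUrl']
        HostUrl     = $info['HostUrl']
    }
}

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $motw = Get-MotwInfo -LiteralPath $_.FullName
        # Zone 3 is the Internet zone; zone 4 (Restricted Sites) is included as well.
        if ($null -eq $motw -or $motw.ZoneId -lt 3) { return }
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $status = $sig.Status.ToString()
        # Unsigned files still get the normal prompt; valid signatures are not the case here.
        if ($status -in 'Valid', 'NotSigned', 'NotSupportedFileFormat') { return }
        [pscustomobject]@{
            File      = $_.FullName
            ZoneId    = $motw.ZoneId
            HostUrl   = $motw.HostUrl
            SigStatus = $status
            SigDetail = $sig.StatusMessage
        }
    }
```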
