In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584

We discussed this vulnerability during Episode 225 on 20 November 2023

There is a lot going on in this post, the novel aspect are a few Mark-of-the-Web (MotW) bypasses, those MotW bypasses were found while exploring an in-the-wild exploit chain which is also covered here.

So Mark-of-the-Web is a bit of extra data attached to a file to mark it as having come from the internet. On Windows if you’ve ever seen that prompt that basically says “Hey, you downloaded this from the internet, are you sure you want to run it?” that is MotW in action. I believe this is related more generally to the Zone.Identifier added to a file’s Alternate Data Stream (a NTFS feature to attach data to a file, but not in the file itself). A file with a local intranet zone id has access to more features than one from the internet zone. So being able to bypass the MotW can mean the file can be run with more privileges.

CVE-2023-36584 - Mark of the Web Bypasses

What they found was several Time-of-check Time-of-Use (TOCTOU) vulnerabilities in the applying of the MotW onto files extracted from a ZIP archive by Microsoft’s Compressed Folder module (zipfldr.dll). The first step in extracting files is that the ZIP’s header will be read, this includes the filenames mapping to their index inside the zip. And then you can use an API call to extract a file by its index. Then once extracted the MotW is added.

The first technique, and the technique that is believe to have been used in the wild is by having the ZIP being read be from a network location, and swapping out the ZIP content after the header has been read. When it goes to read at a particular index, it will be extracting a different file with a different filename. When the MotW is added however it uses the filename it got from the header, and so it doesn’t match any file and the newly extract file doesn’t get the MotW.

They also found two other techniques that rely on introducing a delay in the read/write process long enough to have another application open the file before the MotW is applied. This could be done by delaying the Close operation on the server side, or by having a very long file with extraneous and unnecessary information at the end. The more content the longer it takes to read and extract creating a larger Window.