Microsoft SmartScreen Exploited again!!

SmartScreen, a crucial feature of Windows that warns users about potentially malicious downloads, has been exploited again by attackers. The vulnerability in question is CVE-2022-44698, which allows attackers to bypass the security warning by providing a JScript file with a malformed signature. Microsoft has already patched this vulnerability, but the attackers found a new bypass, CVE-2023-24880, that exploits a different part of the code. In this blog, we will take a detailed look at both vulnerabilities and explore their root cause and bypass mechanisms.

CVE-2022-44698 - Root Cause Analysis

The root cause of CVE-2022-44698 is an error in the function windows::security::signature_info::retrieve of smartscreen.exe. This function retrieves information about the digital signature of a file, including the signer certificate. It calls WTGetSignatureInfo in wintrust.dll to retrieve a CERT_CONTEXT structure pointer, cert_context, and a HANDLE, wvt_state_data. Next, the function calls WTHelperProvDataFromStateData on wvt_state_data, which returns a CRYPT_PROVIDER_DATA structure pointer, crypt_provider_data. An error is raised if crypt_provider_data and its member hMsg are non-NULL but cert_context is NULL.

Bypass

The attackers exploited this error by providing an Authenticode signature with a signer certificate serial number that cannot be found among the SignedData certificates. This leads to wintrust.dll not being able to find the certificate for the signer, in which case WTGetSignatureInfo returns a NULL value for cert_context, triggering the error. Microsoft patched CVE-2022-44698 by not raising an error in this specific case but rather taking an alternative path. However, this patch is not foolproof, as attackers found a way to return an error to shdocvw.dll, which fails open and does not display a security warning.

CVE-2023-24880 - Root Cause Analysis

CVE-2023-24880 is another error in smartscreen.exe, specifically in the function windows::security::authenticode_information::create, which is called by windows::security::signature_info::retrieve. It checks whether crypt_provider_data->pPDSip->psIndirectData is non-NULL. If not, it calls THROW_HR, which returns an error to shdocvw.dll.

Bypass

The attackers exploited the same flaw in the code that was left open by the patch for CVE-2022-44698. They used a signature that leads to a valid cert_context, so the previous patch is not applicable in this case. They then corrupted the ASN.1 numerical identifier (NID) of the SPC_INDIRECT_DATA_OBJID to obtain a NULL crypt_provider_data->pPDSip->psIndirectData, triggering the error.

Uncovering the SmartScreen Bypass: How Attackers Exploit CVE-2022-44698 and CVE-2023-24880

To bypass SmartScreen, attackers create a JScript file with a malformed signature that triggers an error in the SmartScreen request. When the SmartScreen request returns an error, it triggers the behavior described in the vulnerability, bypassing the security warning. The JScript file is then executed on the victim's machine.

The error is raised while parsing the file's signature in the windows::security::signature_info::retrieve function of smartscreen.exe. This function calls WTGetSignatureInfo in wintrust.dll to retrieve a CERT_CONTEXT structure pointer and a HANDLE, wvt_state_data. For a well-formed signature, the CERT_CONTEXT points to the signer certificate. The function then calls WTHelperProvDataFromStateData on wvt_state_data, which returns a CRYPT_PROVIDER_DATA structure pointer. If crypt_provider_data and its member hMsg are non-NULL but the CERT_CONTEXT is NULL, an E_INVALIDARG error is raised.

The attackers create an Authenticode signature where the SignerInfo certificate serial number cannot be found among the SignedData certificates, leading to wintrust.dll not being able to find the certificate for the signer. This results in WTGetSignatureInfo returning a NULL value for the CERT_CONTEXT. Microsoft patched CVE-2022-44698 in smartscreen.exe, but the new patch is also vulnerable: it doesn't raise an error in the specific case mentioned in CVE-2022-44698 but takes an alternative path, which attackers can use to exploit other potential errors.
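As an added illustration (not code from the original post or from Microsoft), the following C model reproduces the two error conditions described above and contrasts the fail-open caller behaviour the post describes with a fail-closed alternative. The struct layouts, retrieve(), policy(), the sample inputs and the verdict type are assumptions made for the model; they are not the real wintrust.dll or smartscreen.exe definitions.

```c
/* Added model (not Microsoft's code): struct layouts, retrieve(), policy() and
 * the verdict type are assumptions, not the real wintrust/smartscreen types. */
#include <stddef.h>
typedef enum { HR_OK = 0, HR_E_INVALIDARG = 1 } hr_t;
typedef enum { VERDICT_ALLOW = 0, VERDICT_WARN = 1 } verdict_t;
/* Only the CRYPT_PROVIDER_DATA members the checks consult are modelled. */
typedef struct { const void *psIndirectData; } sip_t;
typedef struct { const void *hMsg; const sip_t *pPDSip; } prov_data_t;
/* Stand-in for what WTGetSignatureInfo / WTHelperProvDataFromStateData yield. */
typedef struct {
    const void *cert_context;   /* NULL when the signer certificate is not found */
    prov_data_t prov_data;
    int trusted_signer;         /* normal-path policy input (model only) */
} sig_t;

/* Model of windows::security::signature_info::retrieve together with the
 * psIndirectData check in authenticode_information::create. */
static hr_t retrieve(const sig_t *s) {
    /* CVE-2022-44698 condition: hMsg is set but the signer cert is missing. */
    if (s->prov_data.hMsg != NULL && s->cert_context == NULL)
        return HR_E_INVALIDARG;
    /* CVE-2023-24880 condition: SPC_INDIRECT_DATA content missing (THROW_HR). */
    if (s->prov_data.pPDSip == NULL || s->prov_data.pPDSip->psIndirectData == NULL)
        return HR_E_INVALIDARG;
    return HR_OK;
}

/* Normal path once the signature parsed: warn unless the signer is trusted. */
static verdict_t policy(const sig_t *s) {
    return s->trusted_signer ? VERDICT_ALLOW : VERDICT_WARN;
}

/* Behaviour the post describes: an error from retrieve() suppresses the warning. */
static verdict_t verdict_fail_open(const sig_t *s) {
    return retrieve(s) == HR_OK ? policy(s) : VERDICT_ALLOW;
}

/* Hardened form: a signature that cannot be parsed is treated as unsigned. */
static verdict_t verdict_fail_closed(const sig_t *s) {
    return retrieve(s) == HR_OK ? policy(s) : VERDICT_WARN;
}

/* Constructed samples: a well-formed trusted signature; one whose SignerInfo
 * serial is absent from SignedData (cert_context NULL); one with the
 * SPC_INDIRECT_DATA_OBJID corrupted (psIndirectData NULL). */
static const int blob = 0;
static const sip_t sip_ok = { &blob }, sip_bad = { NULL };
static const sig_t sig_ok       = { &blob, { &blob, &sip_ok  }, 1 };
static const sig_t sig_noserial = { NULL,  { &blob, &sip_ok  }, 0 };
static const sig_t sig_badoid   = { &blob, { &blob, &sip_bad }, 0 };
```

Both malformed samples yield the same error code, and only the fail-closed caller turns that error into a warning.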