Security Feature Bypass – Windows Mark of the Web “Copy2Pwn” (CVE-2024-38213). The vulnerability was disclosed as part of the August Microsoft Patch Tuesday (although ZDI writes that MS fixed it earlier, in June).
The vulnerability allows attackers to bypass the SmartScreen security feature, which protects users from running potentially malicious files downloaded from the Internet.
What is it about? WebDAV is a set of extensions to HTTP for collaborative work with files.
🔹 The WebDAV share can be accessed via a web browser:
http://10_.37.129.2/example_webdav_folder/somefile
🔹 Or you can do it via Windows Explorer (like SMB):
\\10_.37.129.2@80\example_webdav_folder
When copying from the WebDAV share via Windows Explorer, the Mark-of-the-Web label was not set. 🤷‍♂️ That’s why the name is “Copy2Pwn”. 😏
According to ZDI, the vulnerability has been exploited by the DarkGate malware operator since at least March 2024.
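To check for the gap described above, the sketch below flags files that were copied from a WebDAV UNC path but carry no Internet-zone Mark-of-the-Web. It is an added example, not code from the original post or from ZDI. The `(source, destination, Zone.Identifier text)` record layout, the function names and the sample records are assumptions constructed for illustration.

```python
import re

# WebDAV UNC forms understood by Windows: \\host@80\share, \\host@SSL\share,
# \\host@SSL@443\share and \\host\DavWWWRoot\share
_WEBDAV_UNC = re.compile(
    r"^\\\\[^\\@]+(?:(?:@SSL)?@\d{1,5}|@SSL)(?:\\|$)"
    r"|^\\\\[^\\]+\\DavWWWRoot(?:\\|$)",
    re.IGNORECASE,
)

def is_webdav_unc(path):
    """True when a UNC path is served by the WebDAV redirector, not SMB."""
    return bool(_WEBDAV_UNC.match(path))

def parse_zone_id(stream_text):
    """Return ZoneId from Zone.Identifier stream content, or None if absent.

    On NTFS the stream is read with open(path + ":Zone.Identifier").
    """
    in_section = False
    for raw in (stream_text or "").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and line.lower().startswith("zoneid="):
            value = line.split("=", 1)[1].strip()
            return int(value) if value.isdigit() else None
    return None

def missing_motw(source_path, stream_text):
    """True when a file from a WebDAV share lacks an Internet (3) or Restricted (4) mark."""
    zone = parse_zone_id(stream_text)
    return is_webdav_unc(source_path) and (zone is None or zone < 3)

def audit(copy_records):
    """Return destination paths that should be reviewed."""
    return [dst for src, dst, stream in copy_records if missing_motw(src, stream)]

# Constructed sample records (hypothetical copy telemetry): source, destination, stream text
SAMPLE = [
    (r"\\10_.37.129.2@80\example_webdav_folder\somefile", r"C:\Users\u\Desktop\somefile", None),
    (r"\\10_.37.129.2@80\example_webdav_folder\somefile", r"C:\Users\u\Downloads\somefile",
     "[ZoneTransfer]\r\nZoneId=3\r\n"),
    (r"\\fileserver\share\report.docx", r"C:\Users\u\Documents\report.docx", None),
]

if __name__ == "__main__":
    for path in audit(SAMPLE):
        print("no Mark-of-the-Web after WebDAV copy:", path)
```

Only the first sample record is reported: the second already has `ZoneId=3`, and the third comes from an ordinary SMB path.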
Hi! My name is Alexander and I am a Vulnerability Management specialist.