Copy2Pwn circumvents the Windows Mark of the Web security feature (CVE-2024-38213)


Uncovering the Copy2Pwn Vulnerability: Bypassing Windows Protections

Security researchers at Trend Micro's Zero Day Initiative (ZDI) have disclosed CVE-2024-38213, nicknamed "copy2pwn", a Windows Mark-of-the-Web (MotW) security feature bypass. The flaw lies in how Windows Explorer handles files copied from a WebDAV share: a file copied and pasted from such a share onto a local disk arrives without the MotW that a browser download of the same file would carry, so the checks that normally fire for content from the Internet never run.

WebDAV (Web-based Distributed Authoring and Versioning) shares can be opened in a browser or mounted in Windows Explorer as a UNC path or a drive letter. An attacker hosts the payload on a WebDAV share, lures the victim into copying it locally, and the resulting file sidesteps Windows Defender SmartScreen because nothing on disk marks it as untrusted.

The Mark-of-the-Web is an NTFS alternate data stream (ADS) named Zone.Identifier that browsers, mail clients and Windows itself attach to files received from the Internet zone (ZoneId=3). Its presence is what triggers the additional checks and prompts: Windows Defender SmartScreen's reputation check on first run, Microsoft Office Protected View, and the Attachment Manager's open-file warning. A file without the stream gets none of them, regardless of where it actually came from.
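The following PowerShell is an added example, not code from the original article or from ZDI. It reads the Zone.Identifier stream to check whether a file carries MotW, re-applies an Internet-zone mark to a file that lacks one, and audits a directory for unmarked files with risky extensions. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the ZoneId values and the HostUrl field are documented Windows behaviour, and the paths in the usage comments are placeholders.

```powershell
# Added example, not code from the original article or from ZDI: inspect and (re)apply the
# Mark-of-the-Web on NTFS files. Assumes Windows PowerShell 5.1 or PowerShell 7 on NTFS.
# Zone.Identifier ZoneId values: 0 local machine, 1 local intranet, 2 trusted sites,
# 3 Internet, 4 restricted sites.

function Get-MotWZoneId {
    # Returns the ZoneId recorded in the file's Zone.Identifier stream, or $null if the
    # file carries no MotW (which is what copy2pwn produces for files copied from WebDAV).
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in (Get-Content -LiteralPath $Path -Stream 'Zone.Identifier')) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null   # stream exists but has no ZoneId line; treat as unmarked
}

function Set-MotWInternet {
    # Writes a Zone.Identifier stream marking the file as Internet-zone (ZoneId=3), the same
    # mark a browser download would carry. SmartScreen and Protected View key off this.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$HostUrl   # optional: the WebDAV URL the file came from, kept for audit trail
    )
    $lines = @('[ZoneTransfer]', 'ZoneId=3')
    if ($HostUrl) { $lines += "HostUrl=$HostUrl" }
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value ($lines -join "`r`n")
}

function Find-UnmarkedFiles {
    # Lists files under $Directory with risky extensions that carry no MotW at all.
    param(
        [Parameter(Mandatory)][string]$Directory,
        [string[]]$Extensions = @('.exe', '.dll', '.lnk', '.js', '.vbs', '.hta', '.msi', '.url', '.docm', '.xlsm')
    )
    Get-ChildItem -LiteralPath $Directory -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        Where-Object { $null -eq (Get-MotWZoneId -Path $_.FullName) } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage (placeholder paths): after copying a file out of a WebDAV share with Explorer, check
# what it carries, then mark it so SmartScreen inspects it on first run.
# Get-MotWZoneId -Path "$env:USERPROFILE\Desktop\copied.exe"      # $null on an unpatched host
# Set-MotWInternet -Path "$env:USERPROFILE\Desktop\copied.exe" -HostUrl 'https://example.com/dav/'
# Find-UnmarkedFiles -Directory "$env:USERPROFILE\Downloads"
```

Run Get-MotWZoneId against a file copied from a WebDAV share on a host without the June 2024 update and it returns $null; the same file saved through a browser returns 3. Find-UnmarkedFiles over a user's Downloads or Desktop folder is a quick way to spot files that reached disk by a route that skipped the mark.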

ZDI's Threat Hunting team reports an uptick in campaigns that abuse WebDAV shares. A common lure opens the share through the search-ms: protocol handler with a query the attacker chooses, so Windows Explorer shows a filtered search result instead of the share's full listing; the victim sees only the decoy filenames the attacker wants shown, which makes the malicious file easier to pass off as a harmless document.

Microsoft fixed CVE-2024-38213 in the June 2024 security updates but did not publish the advisory until the August 2024 Patch Tuesday, and ZDI reports the bug was exploited in the wild before the fix shipped. Apply the June 2024 or later cumulative update, treat anything copied out of a WebDAV share as an Internet download until it has been scanned, and consider disabling the WebDAV redirector (the WebClient service) on endpoints that have no business need for it.
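The following PowerShell is an added example, not code from the original article, for the last mitigation above: it reports the state of the WebClient service that Explorer uses to browse and mount WebDAV shares and, where WebDAV is not needed, stops and disables it. It assumes Windows 10/11 or Windows Server and an elevated prompt; the function names are this example's own.

```powershell
# Added example, not code from the original article: report and, where WebDAV access is not
# needed, disable the WebDAV redirector (the WebClient service). Run from an elevated prompt;
# assumes Windows 10/11 or Windows Server.
# Caveat: this also breaks legitimate WebDAV use such as SharePoint "Open with Explorer".

function Get-WebDavRedirectorState {
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false; Status = $null; StartType = $null }
    }
    [pscustomobject]@{
        Present   = $true
        Status    = $svc.Status.ToString()      # Running / Stopped
        StartType = $svc.StartType.ToString()   # Manual (default, trigger-started) / Disabled
    }
}

function Disable-WebDavRedirector {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Verbose 'WebClient service is not installed on this host.'; return }
    if ($PSCmdlet.ShouldProcess('WebClient service', 'stop and set startup type to Disabled')) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
        # Disabled, not Manual, matters: WebClient is trigger-started, so leaving it on Manual
        # lets Explorer relaunch it the next time a UNC path points at a WebDAV server.
        Set-Service -Name WebClient -StartupType Disabled
    }
}

# Usage:
# Get-WebDavRedirectorState
# Disable-WebDavRedirector -WhatIf    # preview the change
# Disable-WebDavRedirector            # apply it
```

Check Get-WebDavRedirectorState before and after: a host that still shows StartType Manual will happily re-enable WebDAV browsing the moment a lure points Explorer at a share. On fleets where some users need WebDAV, apply the same change through Group Policy or Intune to the rest instead of running it by hand.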
