Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Exploring ZIP Mark-of-the-Web Bypass Vulnerability (CVE-2022-41049)- 1005

Kuba Gretzky, posted 3 years ago
  • Mark of the Web (MOTW) is used on Windows to indicate that a file was downloaded from the internet. For executables, zip files and other file types, this is an important mitigation against many attack vectors. In practice, browsers add an Alternate Data Stream (ADS) named Zone.Identifier to the downloaded file.
  • The author noticed a video on Twitter demonstrating a vulnerability where a downloaded zip file was not getting the MOTW flag. One variant was tricky and used other file extensions that use zip under the hood (APK, ISO, etc.); the other was simply a plain zip file. Microsoft had let the 90-day disclosure deadline pass, so the video was posted. The author of this post wondered: can I replicate this?
  • From the video, the extraction bug ONLY occurs when explorer.exe is doing the handling. Additionally, the zip file itself has the MOTW but the extracted files do not. By looking at hooks and the functions being executed, the author found the function ExtractFromZipToFile() within the DLL zipfldr.dll.
  • To find out which function was responsible for the MOTW functionality, they reverse engineered the code and NOPed out a few function calls. From doing this, they noticed that if the function CheckUnZippedFile was skipped, the MOTW flag wouldn't be added to the files. So, how do we skip this function or bypass the flag adding?
  • The author attempts to trigger errors via weird characters, long file names and other tricks in order to prevent the flag from being added to the files. Since none of these worked, the author found a live sample of this bypass and reverse engineered the sample.
  • Reverse engineering the sample led them down a rabbit hole of different functions. Eventually, when they found Alice, they came out of it with an interesting note: the files that were not getting flagged were marked as Read Only. Since adding the flag technically means writing to the file, the flag write would fail with an access denied error.
  • The bug turned out to be very simple but required a good understanding of zip and Windows internals. Overall, a good writeup with some good Windows reverse engineering tips.
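As an added example (my own, not part of the original post or Kuba Gretzky's writeup), the PowerShell audit below checks files in an extracted folder for the Zone.Identifier stream and reports read-only files that lack it, since that combination is the failure mode described in the notes above; with -Remediate it clears the read-only attribute and re-applies the mark. It assumes Windows PowerShell 5.1 or later on an NTFS volume (alternate data streams are NTFS-only), and the default folder path is a placeholder.

```powershell
# Added example, not from the original post: audit extracted files for a missing
# Mark-of-the-Web (Zone.Identifier ADS) and optionally re-apply it.
param(
    [string]$Path = 'C:\Path\To\ExtractedFolder',   # placeholder path, adjust
    [switch]$Remediate                              # re-apply MOTW where missing
)

function Get-MotwStatus {
    param([string]$Folder)

    foreach ($file in Get-ChildItem -Path $Folder -File -Recurse) {
        # Browsers write the MOTW as an ADS named Zone.Identifier; reading a
        # stream that does not exist returns $null with SilentlyContinue.
        $zone = Get-Content -Path $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        $zoneId = $null
        if ($null -ne $zone) {
            $m = [regex]::Match(($zone -join "`n"), 'ZoneId=(\d+)')
            if ($m.Success) { $zoneId = [int]$m.Groups[1].Value }
        }

        [pscustomobject]@{
            File     = $file.FullName
            HasMOTW  = ($null -ne $zone)   # stream present at all
            ZoneId   = $zoneId             # 3 = Internet zone, the usual MOTW value
            ReadOnly = $file.IsReadOnly    # the attribute that made the ADS write fail
        }
    }
}

$status = Get-MotwStatus -Folder $Path

# Read-only files with no Zone.Identifier stream match the bypass condition
# described in the writeup: the extractor's ADS write failed with access denied.
$suspicious = $status | Where-Object { -not $_.HasMOTW -and $_.ReadOnly }

Write-Host "Files scanned: $($status.Count); read-only without MOTW: $($suspicious.Count)"
$suspicious | Format-Table File, ReadOnly -AutoSize

if ($Remediate) {
    foreach ($s in $suspicious) {
        # Clear the read-only bit first; otherwise writing the stream fails
        # with access denied, exactly as it did for the extractor.
        (Get-Item -Path $s.File).IsReadOnly = $false
        Set-Content -Path $s.File -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
        Write-Host "Re-applied MOTW to $($s.File)"
    }
}
```

Run it as `.\Check-Motw.ps1 -Path 'C:\Users\you\Downloads\extracted'` to report only, and add `-Remediate` to fix. The check deliberately tests stream presence rather than a specific ZoneId so that files tagged with other zones still show up as marked; the ZoneId column lets you see which zone was recorded.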