Bandisoft Bandizip Mark-of-the-Web Bypass Vulnerability

Vulnerability

A Mark-of-the-Web (MotW) bypass vulnerability exists in Bandisoft Bandizip versions through 7.37. It allows attackers to strip the MotW protection from files extracted from a malicious archive, such as macro-enabled Office documents or executable scripts, so that they run without triggering security warnings. The issue arises because Bandizip does not propagate the MotW tag from an archive that was downloaded from the internet to the files it extracts.

Impact

Exploitation of this vulnerability allows malicious macros or scripts in extracted files, such as macro-enabled Office documents or executable files, to run without any security alert. This could lead to unauthorized actions on the user's system, such as execution of harmful software or scripts that damage data or compromise system security.

Reproduction

To reproduce this vulnerability, first create a malicious archive, such as a .zip or .7z file, containing a file that can execute harmful content, like a macro-enabled .docm document. Once the archive is created, download it from the internet, which will apply the Mark-of-the-Web. Afterward, open the archive with Bandizip version 7.37 and extract the contents. The extracted .docm file will not retain the MotW, allowing any macros to run without warning.
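The check that follows is an added example written for this page; it is not Bandizip code and not part of the original advisory. On Windows, MotW is stored in the `Zone.Identifier` alternate data stream (ADS) of a file as INI-style text (`[ZoneTransfer]`, `ZoneId=3` for the Internet zone, optionally `ReferrerUrl` and `HostUrl`). The script parses that stream and audits an extraction directory: if the downloaded archive carries MotW but an extracted file does not, the archiver failed to propagate the tag, which is exactly the behaviour described above. The ADS read only works on NTFS under Windows; the parsing and audit logic is platform-independent and is exercised on constructed sample streams. The sample paths and stream contents are constructed for illustration.

```python
"""Audit whether files extracted from a downloaded archive kept Mark-of-the-Web.

Added example, not part of the original advisory and not Bandizip's code.
MotW lives in the NTFS alternate data stream `<file>:Zone.Identifier`:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://example.test/          (optional)
    HostUrl=https://example.test/archive.zip   (optional)

ZoneId 3 = Internet, 4 = Restricted Sites; both are treated as "untrusted".
"""
import os
from pathlib import Path
from typing import Dict, List, Optional

ZONE_STREAM_SUFFIX = ":Zone.Identifier"
UNTRUSTED_ZONES = {3, 4}


def parse_zone_identifier(text: str) -> Optional[int]:
    """Return the ZoneId from Zone.Identifier stream text, or None if absent or malformed."""
    in_zone_transfer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_zone_transfer = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_zone_transfer and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None  # ZoneId present but not numeric: treat as no MotW
    return None


def stream_has_motw(stream_text: Optional[str]) -> bool:
    """True when the stream marks the file as coming from an untrusted zone."""
    if stream_text is None:
        return False
    return parse_zone_identifier(stream_text) in UNTRUSTED_ZONES


def audit_streams(archive_stream: Optional[str], file_streams: Dict[str, Optional[str]]) -> List[str]:
    """Return extracted paths that lost MotW although the archive itself carried it.

    file_streams maps each extracted file path to its Zone.Identifier text (None = no ADS).
    """
    if not stream_has_motw(archive_stream):
        return []  # archive was never marked, so nothing should have propagated
    return sorted(path for path, stream in file_streams.items() if not stream_has_motw(stream))


def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier ADS. Returns None off Windows or when the stream is absent."""
    if os.name != "nt":
        return None
    try:
        with open(f"{path}{ZONE_STREAM_SUFFIX}", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def audit_extraction(archive_path: str, extracted_dir: str) -> List[str]:
    """Windows helper: read the real ADS of the archive and every extracted file, then audit."""
    extracted = {
        str(p): read_zone_identifier(str(p))
        for p in Path(extracted_dir).rglob("*")
        if p.is_file()
    }
    return audit_streams(read_zone_identifier(archive_path), extracted)


# Constructed sample data: the archive is marked ZoneId=3, one extracted file kept the
# stream and one lost it (the failure mode this advisory describes).
SAMPLE_ARCHIVE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/sample.zip\r\n"
SAMPLE_EXTRACTED_STREAMS = {
    "extracted/report.docm": None,                          # MotW lost: macros would run unprompted
    "extracted/readme.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",  # MotW preserved
}

if __name__ == "__main__":
    lost = audit_streams(SAMPLE_ARCHIVE_STREAM, SAMPLE_EXTRACTED_STREAMS)
    for path in lost:
        print(f"MotW not propagated: {path}")
    # On Windows, run against a real extraction instead:
    #   audit_extraction(r"C:\Users\me\Downloads\sample.zip", r"C:\Users\me\Downloads\extracted")
```

Run it on Windows after extracting a downloaded archive with the archiver under test; any path it prints is a file whose MotW was dropped, and for a patched archiver the list should be empty. A defender can use the same logic in an endpoint script to flag extraction tools that silently drop the tag.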

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM