
Google Reveals Unpatched Security Vulnerability In Windows 8.1


1 reply to this topic

#1
Tetley

    Tetley News

  • Global Moderator
  • 10,520 posts

Google Reveals Unpatched Security Vulnerability In Windows 8.1

 

A Google researcher has revealed an unpatched security vulnerability in Windows 8.1. The researcher posted this bug on the Google Security Research page, and it is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

 


 

There is no information on whether Microsoft acknowledged the bug or whether they are working on it. But I feel it is an irresponsible move from Google to publish a vulnerability in products such as Windows 8, which is being used by millions of people every day.

 

The following info was posted about the bug:
 
On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext.
 
This function has a vulnerability where it doesn’t correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID. It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways.
 
It is just then a case of finding a way to exploit the vulnerability. In the PoC a cache entry is made for an UAC auto-elevate executable (say ComputerDefaults.exe) and sets up the cache to point to the app compat entry for regsvr32 which forces a RedirectExe shim to reload regsvr32.exe. However any executable could be used, the trick would be finding a suitable pre-existing app compat configuration to abuse.
It’s unclear if Windows 7 is vulnerable as the code path for update has a TCB privilege check on it (although it looks like depending on the flags this might be bypassable). No effort has been made to verify it on Windows 7. NOTE: This is not a bug in UAC, it is just using UAC auto elevation for demonstration purposes.
 
The PoC has been tested on Windows 8.1 update, both 32 bit and 64 bit versions. I’d recommend running on 32 bit just to be sure. To verify perform the following steps:
 
1) Put the AppCompatCache.exe and Testdll.dll on disk
2) Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).
3) Execute AppCompatCache from the command prompt with the command line “AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll”.
4) If successful then the calculator should appear running as an administrator. If it doesn’t work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run.
 
 

  • dave, alfreire, cognizione and 5 others like this
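The check described in the quoted report, modelled in user-space C as an added example; it is not part of the original post, not Windows code and not Microsoft's patch. The `caller_t` structure, both function names and the sample callers are hypothetical; only the impersonation-level names and the LocalSystem SID come from Windows, and rejecting low-level tokens is one reasonable hardening policy, assumed here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Values mirror Windows' SECURITY_IMPERSONATION_LEVEL enumeration. */
typedef enum { SecurityAnonymous, SecurityIdentification,
               SecurityImpersonation, SecurityDelegation } imp_level_t;

/* Hypothetical model of a calling thread's token; not a kernel structure. */
typedef struct {
    const char *name;        /* label for the constructed sample */
    const char *user_sid;    /* user SID of the token, string form */
    bool impersonating;      /* thread carries an impersonation token */
    imp_level_t level;       /* meaningful only when impersonating */
} caller_t;

static const char LOCAL_SYSTEM_SID[] = "S-1-5-18";

/* Pattern from the report: user SID compared, impersonation level ignored. */
bool verify_admin_flawed(const caller_t *c)
{
    return strcmp(c->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Hardened: a token below SecurityImpersonation only identifies a client,
 * it does not let the thread act as that client, so it grants nothing. */
bool verify_admin_hardened(const caller_t *c)
{
    if (c->impersonating && c->level < SecurityImpersonation)
        return false;
    return strcmp(c->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Constructed sample callers (the user SID below is made up). */
static const caller_t SAMPLES[] = {
    { "SYSTEM service, own token", "S-1-5-18", false, SecurityAnonymous },
    { "normal user, own token", "S-1-5-21-1111-2222-3333-1001", false, SecurityAnonymous },
    { "user thread, identification-level SYSTEM token", "S-1-5-18", true, SecurityIdentification },
    { "service thread, impersonation-level SYSTEM token", "S-1-5-18", true, SecurityImpersonation },
};

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        printf("%-50s flawed=%d hardened=%d\n", SAMPLES[i].name,
               verify_admin_flawed(&SAMPLES[i]), verify_admin_hardened(&SAMPLES[i]));
    return 0;
}
```

Only the third sample separates the two checks: the SID matches LocalSystem, but the token is at identification level, so the hardened check refuses it.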



#2
cognizione

    T.A.A.B # 2

  • Administrators
  • 7,520 posts

 

Update on December 31: A Microsoft spokesperson provided this statement: "We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."

Update 2 on December 31: A Google representative contacted us to point to a comment from the company on the disclosure posting. It states that Microsoft was notified of the finding on September 30, the date of the private posting. It goes on to say that the 90 day deadline policy of Google Project Zero, the program under which this research was performed, has been public information since the formation of the program earlier in 2014. The comment then defends disclosure deadlines in principle; it should be noted that most bug bounty programs include such deadlines. HP TippingPoint's Zero Day Initiative, the biggest of them, has a standard four month deadline. Google says that they will monitor the effects of the policy to see if it merits adjustment. (zdnet)

 


  • Snuffy, dave and Tetley like this





"Live as if you were to die tomorrow. Learn as if you were to live forever."


