Serious Security Flaw in MS Win 8.1 - discovered by google dev - unpatched by ms since september&#33

[simonlang]

this security issue exists on a up2date ms win 8.1 and was known to ms since september, yet still unpatched

 

 

 

On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext.

This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level of the token so it's possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways.

It is just then a case of finding a way to exploit the vulnerability. In the PoC a cache entry is made for an UAC auto-elevate executable (say ComputerDefaults.exe) and sets up the cache to point to the app compat entry for regsvr32 which forces a RedirectExe shim to reload regsvr32.exe. However any executable could be used, the trick would be finding a suitable pre-existing app compat configuration to abuse.

It's unclear if Windows 7 is vulnerable as the code path for update has a TCB privilege check on it (although it looks like depending on the flags this might be bypassable). No effort has been made to verify it on Windows 7. NOTE: This is not a bug in UAC, it is just using UAC auto elevation for demonstration purposes.

The PoC has been tested on Windows 8.1 update, both 32 bit and 64 bit versions. I'd recommend running on 32 bit just to be sure. To verify perform the following steps:

1) Put the AppCompatCache.exe and Testdll.dll on disk
2) Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).
3) Execute AppCompatCache from the command prompt with the command line "AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll".
4) If successful then the calculator should appear running as an administrator. If it doesn't work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 

 

 

read here

[Max Norris]

Emphasis mine, it's no ShellShock:

We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.

[Argi]

Also, Microsoft virtually shuts down in December so in reality it's about 60 working days, not 90.  This bug doesn't really meet the urgent bar.

[Raa]

Emphasis mine, it's no ShellShock:

they would first need to have valid logon credentials and be able to log on locally to a targeted machine

 

So basically, any user of a networked computer would be able to do this.

Yeah, i'd say that's pretty bad.

 

[Mr. Gibs]

this security issue exists on a up2date ms win 8.1 and was known to ms since september, yet still unpatched

And theres a reason for that.

MS patches flaws in order of severity and whether or not it's currently being exploited in the wild. This flaw:

1. Is severe but you need valid login credentials and be able to login locally so that knocks it down a bit.

2. Is currently not being exploited in the wild.

So to MS this isn't as high of a priority as other bugs / flaws are. The 90 day automatic disclosure is incredibly disrespectful and dangerous because now it's open knowledge, and thus in the wild, and MS has to work to fix this flaw as well as all the other ones they're fixing. They essentially took a completely unknown bug and made it public knowledge.

[vcfan]

So basically, any user of a networked computer would be able to do this.

Yeah, i'd say that's pretty bad.

this affects admin accounts only

[Raa]

this affects admin accounts only

That wasn't the way I read it, but that's good to know!

[Max Norris]

That wasn't the way I read it, but that's good to know!

Exactly, it's obviously a problem that needs to be fixed but it's not a "holy crap everything's hanging out" situation either like some previous notable exploits, as the source says it's a UAC elevation exploit, something that regular users can't even use in the first place. In a properly secured environment regular users wouldn't even be able to do this, I wouldn't go around giving regular users sudo access either, that's just absurd, computer security 101. Very limited way this could actually be used as you'd have to be there, you'd have to have admin credentials, and it wouldn't affect network services like IIS and such. Small attack surface.. suppose you could probably craft a program to take advantage of this and email it to the target, but again it's basic computer security, don't run random you get in email, stuff like that.