Attackers could get admin privileges on an unpatched system
Microsoft usually releases security fixes for its software, including the Windows operating system, on Patch Tuesday, but this time the company might have to move a bit faster because of a vulnerability that has been made public by a Google security engineer.
A Google researcher named forshaw found a critical security flaw in Windows 8.1 that would allow an attacker to get administrator privileges on any system, and at this point, there’s absolutely no workaround or patch available to address this issue.
forshaw has also posted a Proof of Concept (which you can read in full in the box after the jump) that demonstrates the vulnerability, pointing out that he’s not sure whether the same bug exists in Windows 7 or any other Windows version.
Microsoft knew about this issue
Even though some criticized forshaw for making this vulnerability public, it’s worth mentioning that Microsoft was contacted by the Google engineer soon after finding it in September 2014 as part of the Google Project Zero research program.
His post is dated September 30, and given the fact that Google Project Zero has a 90-day disclosure policy, the initial report went public, urging Microsoft to provide a patch for affected systems.
At this point, it’s not yet clear whether Microsoft is planning to wait until this month’s Patch Tuesday or release an out-of-band fix in the coming days. The January 2015 Patch Tuesday rollout takes place on January 13.
Bug confirmed, fix on its way
In a statement we received this morning, Microsoft confirms the issue and says that it’s already working on a fix.
Even though there’s no workaround available at this point, the company says that Windows users should keep anti-virus protection turned on all the time and enable firewalls to make sure that no exploits are being used against their computers.
Here is the official statement provided by Microsoft, and scroll down to read the whole advisory released by the Google security engineer.
“We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.”
Updated on January 2, 2015 to state that there’s no patch available at the time of posting the article and all Windows 8.1 systems are vulnerable. There’s still no indication if other Windows versions are affected.
On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext.
This function has a vulnerability where it doesn’t correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID. It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways.
It is just then a case of finding a way to exploit the vulnerability. In the PoC a cache entry is made for an UAC auto-elevate executable (say ComputerDefaults.exe) and sets up the cache to point to the app compat entry for regsvr32 which forces a RedirectExe shim to reload regsvr32.exe. However any executable could be used, the trick would be finding a suitable pre-existing app compat configuration to abuse.
It’s unclear if Windows 7 is vulnerable as the code path for update has a TCB privilege check on it (although it looks like depending on the flags this might be bypassable). No effort has been made to verify it on Windows 7. NOTE: This is not a bug in UAC, it is just using UAC auto elevation for demonstration purposes.
The PoC has been tested on Windows 8.1 update, both 32 bit and 64 bit versions. I’d recommend running on 32 bit just to be sure. To verify perform the following steps:
1) Put the AppCompatCache.exe and Testdll.dll on disk
2) Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).
3) Execute AppCompatCache from the command prompt with the command line “AppCompatCache.exe c:windowssystem32ComputerDefaults.exe testdll.dll”.
4) If successful then the calculator should appear running as an administrator. If it doesn’t work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.