A system-level privilege gain vulnerability has been found in Windows.


SpecterOps researcher Matt Nelson described on the company's blog how to bypass Windows 10 security features and execute third-party code, Threatpost reports.

The vulnerability turned out to be associated with a new settings-shortcut format that replaced the classic Control Panel links in the latest version of the OS.

According to the expert, he set himself the goal of finding a file type that would allow him to run code from an external source. To get into the system, Nelson decided to use the Object Linking and Embedding (OLE) function. It allows applications to receive data from outside and embed executable objects, such as a Flash application inside a Word document. Attackers take advantage of this to carry out targeted attacks, steal confidential information and distribute malware.

To protect users, starting with MS Office 2016 the developers have limited the set of formats that OLE can work with. In addition, the Attack Surface Reduction (ASR) feature blocks Office documents from launching child processes via embedded scripts.

“I spent many hours looking for new formats that would allow code execution,” says the expert. “I eventually came across *.SettingContent-ms - such files allow users to change Windows 10 settings through links on a special page.”

Nelson found out that these are in fact ordinary XML documents, and found in their code a tag responsible for opening a specific setting when the corresponding shortcut is clicked. As it turned out, an arbitrary executable can be specified in that tag, and the system will launch it without any warning. Moreover, Nelson was able to chain several commands this way, which means an attacker can mask malicious activity by also opening the settings page the victim expects to see.

To deliver a dangerous script to a machine, it is enough to lure the user to a compromised web page. According to the expert, standard Windows security systems allowed him to download and run the file without seeing any suspicious properties in it.

Moreover, since the .SettingContent-ms format is not on the blacklist of potentially malicious extensions, the OS allows it to launch child processes. As a result, even computers with the strictest security settings are at risk, the expert says.
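A defender-side check for the behaviour described above, as an added example that is not part of the original article or Nelson's research: it parses a .SettingContent-ms document, extracts the DeepLink element (the launch target) and flags any file whose target is not one of the expected system launchers. The sample documents, the simplified XML layout and the allowlist are constructed assumptions for this illustration.

```python
import re
import ntpath
import xml.etree.ElementTree as ET

# Constructed, simplified .SettingContent-ms document. Real files carry more
# elements and an XML namespace; only <DeepLink> matters for this check.
SAMPLE_BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent>
    <ApplicationInformation>
      <DeepLink>%windir%\\system32\\control.exe</DeepLink>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

# Same layout, but DeepLink names an arbitrary program with arguments
# (constructed placeholder path, not a real sample).
SAMPLE_SUSPECT = SAMPLE_BENIGN.replace(
    "%windir%\\system32\\control.exe", '"C:\\Users\\Public\\stage.exe" --quiet')

# Launchers a legitimate settings shortcut is expected to name (assumption).
ALLOWED = {"control.exe", "systemsettings.exe"}
SYSTEM32 = "c:\\windows\\system32"


def expand_windows_vars(value: str) -> str:
    """Expand the %windir% / %systemroot% forms seen in these files (others are left)."""
    return re.sub(r"%(windir|systemroot)%", lambda m: "C:\\Windows", value, flags=re.I)


def deep_link_targets(xml_text: str) -> list:
    """Return every <DeepLink> text value, ignoring any namespace on the tag."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter() if el.tag.split("}")[-1] == "DeepLink"]


def first_token(command: str) -> str:
    """Program part of a command line: a quoted path or the first whitespace-free token."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""


def audit(xml_text: str) -> list:
    """Findings for one document; an empty list means every DeepLink is an allowed launcher."""
    findings = []
    for link in deep_link_targets(xml_text):
        exe = ntpath.normpath(expand_windows_vars(first_token(link))).lower()
        if ntpath.dirname(exe) != SYSTEM32 or ntpath.basename(exe) not in ALLOWED:
            findings.append(f"DeepLink launches an unexpected program: {link}")
    return findings
```

Run `audit()` over every `*.SettingContent-ms` found in mail attachments or download folders; a hit is worth a closer look even though the file type itself is not blocked.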

Nelson reported the vulnerability to Microsoft in February. In June, Microsoft Security Response Center experts recognized the flaw as not serious enough to warrant a separate review and closed the issue.

According to experts, upcoming Windows security updates may prevent the execution of .SettingContent-ms files via OLE.

A 0-day vulnerability has been found that allows attackers to gain system-level rights. The problem was reported by a Twitter user with the nickname SandboxEscaper, and PoC exploit code is available on GitHub.

Current Windows vulnerability

The problem lies in the Windows Task Scheduler: a flaw in its handling of the ALPC (Advanced Local Procedure Call) interprocess communication interface makes it possible to gain SYSTEM-level privileges. Attackers can use it to extend the capabilities of malware already running on a machine.

According to the head of the CERT coordination center, Will Dormann, the vulnerability remains relevant. The PoC code was tested on 64-bit Windows 10 with the latest updates, and it elevates user rights to the SYSTEM level.

In response to a letter from The Register, a Microsoft representative announced that they are aware of the problem. The company promised to release an update that fixes the vulnerability.

Temporary patch

Acros Security engineers published a temporary patch for the vulnerability in the 64-bit version of Windows 10 v1803 as part of their 0patch platform. The platform is designed to fix 0-day and other unpatched vulnerabilities and to support outdated products and custom software. The developers published a similar patch for Windows Server 2016 on August 31, 2018.

Similar problems arise on Unix-like systems. In June 2017, there was a bug that allowed you to gain root privileges using the sudo command.

Microsoft has provided a fix for a dangerous vulnerability that allows NTLM password hashes to be stolen without any user interaction (bulletin ADV170014). However, so far the vulnerability has been fixed only in Windows 10 and Server 2016, and Colombian cybersecurity specialist Juan Diego, who discovered the bug, has still not been able to figure out what exactly causes the problem.

Exploiting the vulnerability is very simple and requires no technical training or knowledge. An attacker only needs to place a malicious SCF (Shell Command File) in a publicly accessible Windows directory. After that, thanks to a bug that is still unexplained, the file is executed, collects the NTLM hash and sends it to the attacker's server; the attacker then only has to crack the resulting hash.

Fortunately, for most users such attacks do not pose a threat. The fact is that by default, public folders in Windows are password protected, and the presence of a password immediately puts an end to an attack. However, in his blog, Diego notes that many schools, public networks and businesses do not set passwords for public directories. In addition, the patches are only available to users of Windows 10 and Windows Server 2016, while other versions of the OS are still vulnerable.

At the same time, Diego still cannot understand exactly how this bug works. The researcher explained to Bleeping Computer journalists that SCF files support a limited set of commands for Windows Explorer (for example, opening an Explorer window or the Show Desktop action). Earlier attacks using SCF assumed the bug would fire when the victim opened the target folder, but this time Diego discovered that the malicious command from the SCF file was triggered immediately after the file was placed in the directory. That is, the attacker does not even need to wait for a user to open the shared folder.

“This attack works automatically. But the underlying problem that triggers it is still unknown to me. Microsoft is secretive about this,” says the specialist.

Diego reports that he is already working on other ways to exploit the vulnerability. And although Microsoft classifies bulletin ADV170014 as an advisory rather than a mandatory update, the researcher strongly recommends that users not neglect these patches and install them.
