Windows 0day allows malicious code execution

MrBrian · Nov 24, 2010

http://www.theregister.co.uk/2010/11/24/windows_0day_report/

Antimalware provider Prevx has sounded the alarm about a serious vulnerability in fully patched versions of Microsoft Windows. It allows attackers to execute malware, even in versions designed to withstand such exploits.

Technical details have already been published on a Chinese forum, leading to speculation that it won't be long before attackers exploit it in the wild.
Click to expand...

trismegistos · Nov 25, 2010

New Windows zero-day flaw bypasses UAC

http://nakedsecurity.sophos.com/2010/11/25/new-windows-zero-day-flaw-bypasses-uac/

New Windows zero-day flaw bypasses UAC
by Chester Wisniewski on November 25, 2010 | 4 Comments

Filed Under: Featured, Video, Vulnerability

A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to "system," and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed.

[Proof of concept for elevation of privilege exploit]
The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.

The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems. On its own, this bug does not allow remote code execution (RCE), but does enable non-administrator accounts to execute code as if they were an administrator.

There is one mitigation I discovered while researching this exploit. Unfortunately it is somewhat complicated. To prevent the flaw from being exploited you can perform the following actions:
As an Administrator open Regedit and browse to HKEY_USERS\[SID of each user account]\EUDC
Right-click EUDC and choose permissions
Choose the user whose account you are modifying and select Advanced
Select Add and then type in the user's name and click OK
Click the Deny checkbox for Delete and Create Subkey
Click all the OKs and Apply buttons to exit

[Registry permissions for mitigation]

The registry keys being changed by this mitigation should not impact a user's ability to use the system, but changing permissions related to Windows code page settings may cause problems with multilingual installations. In my testing it appears problem-free, but I have only had an hour or two to test. Use at your discretion.

The good news? For this to be exploited, malicious code that uses the exploit needs to be introduced. This means your email, web, and anti-virus filters can prevent malicious payloads from being downloaded. Keep an eye on the Naked Security blog for more information as we learn more about this flaw.

Update: Sophos detects the proof of concept as Troj/EUDPoC-A. Stay tuned for further details as they become available.

I've also created this video showing how it works and what you can do.
Click to expand...

Triple Helix · Nov 24, 2010

More info here: https://www.wilderssecurity.com/showthread.php?p=1788801#post1788801

TH

Dogbiscuit · Nov 25, 2010

A vulnerability has been identified in Microsoft Windows, which could be exploited by local attackers to take complete control of a vulnerable system. This issue is caused by a buffer overflow error within the "win32k.sys" driver when processing certain registry values stored as "REG_BINARY", which could allow unprivileged users to crash an affected system or execute arbitrary code with kernel (SYSTEM) privileges by manipulating the "SystemDefaultEUDCFont" registry value and enabling support for end-user-defined characters (EUDC) via the "EnableEUDC()" function.
Click to expand...

http://www.vupen.com/english/advisories/2010/3058

treehouse786 · Nov 25, 2010

so does anyone know if having UAC on maximum on win7 prevents this attack?

EraserHW · Nov 25, 2010

treehouse786 said:

so does anyone know if having UAC on maximum on win7 prevents this attack?
Click to expand...

no it doesn't

Jav · Nov 25, 2010

The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems. On its own, this bug does not allow remote code execution (RCE), but does enable non-administrator accounts to execute code as if they were an administrator.
Click to expand...

So, I guess, it means not just bypass of UAC but LUA aswell?

EDIT: nevermind, found the answer and yes it can.

safeguy · Nov 25, 2010

I have followed the mitigation provided by Sophos as a precautionary measure

There is one mitigation I discovered while researching this exploit. Unfortunately it is somewhat complicated. To prevent the flaw from being exploited you can perform the following actions:

1. As an Administrator open Regedit and browse to HKEY_USERS\[SID of each user account]\EUDC
2. Right-click EUDC and choose permissions
3. Choose the user whose account you are modifying and select Advanced
4. Select Add and then type in the user's name and click OK
5. Click the Deny checkbox for Delete and Create Subkey
6. Click all the OKs and Apply buttons to exit
Click to expand...

If you don't know which SID is for which user account, then this would help you figure it out:

How to Associate a Username with a Security Identifier (SID)

The good news? For this to be exploited, malicious code that uses the exploit needs to be introduced.
Click to expand...

Source: http://nakedsecurity.sophos.com/2010/11/25/new-windows-zero-day-flaw-bypasses-uac/

Being a privilege escalation exploit, it bypasses by design even the protection given by the User Account Control and Limited User Account technology implemented in Windows Vista and Windows 7.
Click to expand...

Source: http://www.prevx.com/blog/160/New-Windows-day-exploit-speaks-Chinese.html

Question remains: Does it bypass SRP and Applocker? If cmd.exe, regedit.exe is blocked by SRP, would the exploit still work? What about DEP, SEHOP, ASLR, etc? Questions, questions and more questions...

I need answers from those who know or are going to test the POC.

Dogbiscuit · Nov 25, 2010

safeguy said:

Does it bypass SRP and Applocker?
Click to expand...

It's a local vulnerability, meaning you (or a user on your system) must first run the exploit code somehow before it can do anything, unless it's combined with another exploit.

trismegistos · Nov 26, 2010

Dogbiscuit said:

It's a local vulnerability, meaning you (or a user on your system) must first run the exploit code somehow before it can do anything, unless it's combined with another exploit.
Click to expand...

In the latter case, much like Stuxnet with its 4 zero days, the first 2 to break into the system and to spread to the networks and the other two, privilege escalation(s), to elevate rights.

A targetted attack scenario is to combine zero day arbitrary remote code execution with this zero day kernel exploit to have the fearsome and nightmarish scenario of "no user interaction" to bypass AE/UAC/SRP/LUA/AL/AV/HIPS(if not configured to block malicious dll loading barring Didier Steven' dll loading in memory).

Log in or Sign up

Windows 0day allows malicious code execution

MrBrian Registered Member

trismegistos Registered Member

Triple Helix Specialist

Dogbiscuit Guest

treehouse786 Registered Member

EraserHW Malware Expert

Jav Guest

safeguy Registered Member

Dogbiscuit Guest

trismegistos Registered Member

Log in or Sign up

Windows 0day allows malicious code execution

MrBrian Registered Member

trismegistos Registered Member

Triple Helix Specialist

Dogbiscuit Guest

treehouse786 Registered Member

EraserHW Malware Expert

Jav Guest

safeguy Registered Member

Dogbiscuit Guest

trismegistos Registered Member

Useful Searches