Windows 0day Exploit Bypass UAC/Priv escalation POC testing

Updated with Q&A section at the bottom.

As referenced in my last post, a publicly released proof of concept (POC) for bypassing the User Access Control (UAC) feature on Windows Vista and 7 is in the wild. The vulnerability is a buffer overflow in the kernel (win32k.sys). It exists in a function that queries the registry, so in order to exploit it the attacker has to be able to create a special (malicious) registry key.

The author’s PoC managed to find such a key that can be created by a normal user on Windows Vista and 7 (that is, a user without any administrative privileges). The PoC creates the registry key and calls another library which tries to read it; during that process it ends up calling the vulnerable code in win32k.sys.

According to the author of the POC code, “I found a registry key which can be manipulated with only user rights; by changing its type to REG_BINARY it overflows the kernel. When Win32k.sys->NtGdiEnableEudc queries the HKCU\EUDC\[Language]\SystemDefaultEUDCFont registry value, it assumes that the registry value is REG_SZ, so the buffer provided on the stack is a UNICODE_STRING structure, of which the first ULONG value in this structure represents the length of the string buffer, but if the value in the registry is REG_BINARY type, it will be wrongly interpreted as the length of the given buffer, thus overwriting the stack.”
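The trigger condition described above is a type mismatch: the kernel expects the per-user SystemDefaultEUDCFont value to be REG_SZ, and a user-writable key with a REG_BINARY value there is what the PoC relies on. The following PowerShell audit is an added example (not part of the original post or the PoC author's code) that enumerates the HKCU\EUDC\<Language> subkeys and reports any SystemDefaultEUDCFont value whose registry type is not String, which is the artifact a defender would look for on a suspect workstation. The function and parameter names are my own; the registry path and value name come from the post.

```powershell
# Added example: audit HKCU\EUDC\<Language>\SystemDefaultEUDCFont for value-type tampering.
# The function name, parameters and output shape are assumptions for this example;
# only the registry path and value name are taken from the post.
function Test-EudcFontValueKind {
    [CmdletBinding()]
    param(
        # User-writable hive location the PoC abuses; override to audit another hive/user.
        [string]$BasePath  = 'HKCU:\EUDC',
        [string]$ValueName = 'SystemDefaultEUDCFont'
    )

    if (-not (Test-Path -Path $BasePath)) {
        Write-Verbose "$BasePath does not exist; nothing to audit."
        return @()
    }

    $findings = @()
    # Each <Language> subkey is returned as a Microsoft.Win32.RegistryKey, which exposes
    # GetValueKind() so the raw REG_* type can be checked without reading the data.
    foreach ($key in Get-ChildItem -Path $BasePath) {
        if ($key.GetValueNames() -notcontains $ValueName) { continue }

        $kind = $key.GetValueKind($ValueName)
        $findings += [pscustomobject]@{
            Key        = $key.Name
            ValueName  = $ValueName
            ValueKind  = $kind
            # Anything other than REG_SZ is the condition the kernel code misinterprets.
            Suspicious = ($kind -ne [Microsoft.Win32.RegistryValueKind]::String)
        }
    }
    return $findings
}

# Usage: list every EUDC font value and warn when a non-string type is present.
$results = Test-EudcFontValueKind -Verbose
$results | Format-Table -AutoSize

$hits = @($results | Where-Object Suspicious)
if ($hits.Count -gt 0) {
    Write-Warning ("{0} EUDC value(s) have a non-REG_SZ type; investigate for tampering." -f $hits.Count)
}
```

Run it as the user being investigated (HKCU is per-user), or point -BasePath at a loaded HKU\<SID>\EUDC path when auditing other profiles. A value reported as Suspicious is not proof of exploitation on its own, but a SystemDefaultEUDCFont value of type REG_BINARY has no legitimate reason to exist and is a reasonable indicator to feed into endpoint monitoring until a patch is available.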

POC Test:

Version: Windows 7 Professional

Steps:

  1. I first created a standard non-privileged user, and from the command prompt typed “whoami” to identify my user. I then typed “net users” to view all available users on the system. Lastly I tried to create a new user with “NET USER testhack P@$$w0rd /add” and received access denied, as expected.
  2. Next, download the POC code and extract it to a folder of your choice, then from the command prompt change directory to that folder and execute the “poc.exe” file. From here on you will have the escalated privileges of the “nt/system” user.

At this point it’s GAME OVER!!

Updated with a few questions I emailed the author of the POC exploit

Me: How did you get your start in information security?

POC Author: By the randomness of the universe, I started one day when I discovered debugging

Me: How long have you been doing exploit development?

POC Author: I’ve been doing reverse engineering since 2004 but not exclusively in exploit development.

Me: How did you discover this flaw?

POC Author: By chance when I read WDK or windows driver kit code samples

Me: What steps did you take to notify the vendor about this issue? What time line did Microsoft give for a patch to this issue?

POC Author: This flaw was reported with enough detail and the same PoC released on the internet to the Microsoft Security Response Center (MSRC). They didn’t give a time line. Actually the guy who was issued to work on this never contacted me!

Me: Since this disclosure were you contacted by Microsoft or anyone else who were upset about your decision to disclose this flaw?

POC Author: No, despite the fact that my initial CodeProject article was brought down, probably due to the pressure from MS.

Me: Realistically how long do you think it will take before this flaw is patched?

POC Author: First of all I wouldn’t pick a day before Thanksgiving to publish this if I’m not mad enough that this flaw remains unpatched almost a year since Microsoft’s first acknowledgement. Due to the nature that the flaw is from the design of an API, and it has been widely used by third party drivers, probably this won’t be entirely fixed until Windows 8. But meanwhile, MS could have taken measures to block such exploits, such as restricting the API not to query certain types of value to avoid ambiguity.

Me: Were you given a reason by CodeProject for pulling your posting?

POC Author: Yes, they gave me the responsible disclosure thing.

Additional comments by author:

If I have to keep my mouth shut until MS releases a patch for such an exploit, then probably everyone will be threatened more than now, because from what I know, there has been malware which uses this exploit since August, not none said by some security companies. Those exploit a registry key ActiveTimeBias which works perfectly on all versions of Windows, to bypass proactive defense and execute malicious code.

I must say thank you for answering my questions, and I support your decision to release this PoC and the details about the flaw. If MS was given a full year to take care of this and they didn’t even respond to you, why should you keep quiet?

References:

http://isc.sans.edu/diary.html?storyid=9988

http://www.exploit-db.com/exploits/15609/