Ofer For You (1)

Friday, 13 February 2015

Bypassing Windows Security by modifying 1 Bit Only

Among several vulnerabilities, Microsoft on Tuesday patched a critical vulnerability that could be exploited by hackers to bypass security measures on all versions of Windows operating systems from XP to Windows 10, just by modifying a single bit.

The local privilege escalation vulnerability (CVE-2015-0057) could give attackers total control of the victims’ machines, explains Udi Yavo, the chief technology officer at the security firm enSilo.

"A threat actor that gains access to a Windows machine can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization," said Yavo.

INTERESTING PART OF THE FLAW
Yavo continued, "Interestingly, the exploit requires modifying only a single bit of the Windows operating system."
The flaw existed in the graphical user interface (GUI) component of the Win32k.sys module within the Windows kernel which, among other things, manages vertical and horizontal Windows scroll bars. The flaw actually resides in the xxxEnableWndSBArrows function, which can alter the state of both scroll bars through a single call.

The researchers at the security firm managed to create an exploit for all versions of Windows and found that the desktop versions up to Windows 10 technical preview were affected by the vulnerability.

In an advisory, Yavo provided a detailed technical analysis of the vulnerability and showed that even a minor bug can be used by remote attackers to gain complete control over any Windows operating system.

VIDEO DEMONSTRATION
Yavo included a proof-of-concept video that doesn't actually disclose any sensitive code, but shows the privilege escalation exploitation on a machine running 64-bit Windows 10 Technical Preview.


The attack method can be used to bypass kernel protections such as Kernel Data Execution Prevention (DEP), Kernel Address Space Layout Randomization (KASLR), Mandatory Integrity Control (MIC), Supervisor Mode Execution Protection (SMEP), and NULL dereference protection.

FUNNY PART
Yavo also found an ancient piece of code in the horizontal scrollbar component of the xxxEnableWndSBArrows function, in its calls to the xxxWindowEvent function, and the "funny" thing about it was that it's dead code. This code, he said, had existed "for about 15-years doing absolutely nothing".

The vulnerability was patched by Microsoft on Tuesday, but the company still hasn't addressed a recently disclosed Universal Cross-Site Scripting (UXSS) vulnerability affecting Internet Explorer that could allow malicious hackers to inject malicious code into users' websites and steal cookies, session and login credentials.
