The cyber innovator sees the UK is an ideal location to realize its global ambitions as it opens a SOC at the Plexal Innovation Hub
Related Posts
New Windows False File Immutability Vulnerability Let Attackers Execute Arbitrary Code
New Windows False File Immutability Vulnerability Let Attackers Execute Arbitrary Code
A new unnamed vulnerability class has been detected in the Windows 11 Kernel that could allow a threat actor to execute arbitrary code with Kernel privileges.
This vulnerability, named “File Immutability,” exists due to incorrect assumptions in the design of the Core Windows feature. These assumptions can result in undefined Behaviour and security vulnerabilities.
The list of components and concepts associated with this “File Immutability” vulnerability is as follows:
Windows File sharing – Full set of access right
Memory Manager – treats PE-relocated pages as unmodified, dynamically reapplying relocations during page faults.
Sharing enforcement – the responsibility of the filesystem driver to call IoCheckShareAccess or IoCheckLinkShareAccess to see whether the requested DesiredAccess/ShareMode tuple is compatible
Authenticode – describes a way to employ cryptography to “sign” PE files
Code Integrity – validates signatures in the kernel
Incorrect assumptions – implies that files successfully opened without write sharing can’t be modified by another user or process.
Page hashes – list of hashes of each 4KB page within a PE file
Network redirectors – allow the use of network paths with any API that accepts file paths
Protected Process Light (PPL) – Anti-Malware services run as Protected Process Light (PPL), protecting them from tampering by malware with admin rights, so the ransomware can’t terminate the Anti-Malware service.
An attacker can utilize this false file immutability by employing a network redirector to modify PPL’s DLL Server-side and bypass sharing restrictions.
In this case, the PE’s backing an executable image are incorrectly assumed to be immutable. However, this class of vulnerability is called “False File Immutability.”
Further, this vulnerability was also presented at Black Hat Asia 2023. A Windows Kernel vulnerability was disclosed, indicating how bad assumptions in paging can be exploited to inject code into PPL by defeating security features like LSA and Anti-Malware Process Protection.
The attack used False File immutability assumptions for DLLs in PPLs for the presented scenario.
New Research
This new vulnerability report, published by Elastic Security, uses authenticode signatures embedded within PE files, which use a detached signature called Security Catalog.
Every PE with an authentihash in the list is considered to be signed by that signer to which Windows keeps a large collection of catalog files in C:WindowsSystem32CatRoot.
Initially, the CI (Code Integrity) maps the file into kernel memory using ZwOpenFile, ZwCreateSection, and ZwMapViewOfSection and then validates the catalog’s digital signature using CI!MinCrypK_VerifySignedDataKModeEx.
If the signature is valid, it parses the hashes with CI!I_MapFileHashes.
After this, the file is opened without FILE_SHARE_WRITE, which means the write sharing is denied.
However, this is intended to prevent modification of the security catalog during processing. Nevertheless, this is a bad assumption and another example of False File Immutability.
Attack Planning
The attack flow starts with an attacker planting a security catalog on a storage device they control.
Then, they will install a symbolic link to this catalog in the CatRoot directory to ensure Windows can find it.
Proceeding further with the attack, the attacker can perform the following actions to exploit this vulnerability:
Asks the Kernel to load a malicious unsigned Kernel driver
Code Integrity attempts to validate the driver, but it can’t find a signature or trusted authentihash, so it re-scans the CatRoot directory and finds the attacker’s new catalog.
CI maps the catalog into kernel memory and validates its signature. This generates page faults, which are sent to the attacker’s storage device. The storage device returns a legitimate Microsoft-signed catalog.
The attacker empties the system working set, forcing all the previously-fetched catalog pages to be discarded.
CI begins parsing the catalog, generating new page faults. This time, the storage device injects the authentihash of their malicious driver.
CI finds the malicious driver’s authentihash in the catalog and loads the driver. At this point, the attacker has achieved arbitrary code execution in the kernel.
Double Read Vulnerability and Attack
This vulnerability can arise when the victim code reads the same value from an attacker-controlled buffer more than once.
The threat actor may change the value of this buffer between the reads, resulting in unexpected victim behavior.
However, the attack pattern can be executed by setting a packet’s structure’s length field to 16 bytes and then signaling the server to indicate that a packet is ready for processing.
The victim server wakes up and allocates a 16-byte buffer using malloc(pPacket->length). The attacker then changes the length field to 32.
Next, the victim server attempts to copy the packet’s contents into the the new buffer by calling memcpy(pBuffer, pPacket->data, pPacket->length), re-reading the value in pPacket->length, which is now 32.
The victim ends up copying 32 bytes into a 16-byte buffer, overflowing it.
Affected Operations
OperationAPIMitigationsImage SectionsCreateProcess LoadLibrary1. Enable Page HashesData SectionsMapViewOfFile ZwMapViewOfSection1. Avoid double reads 2. Copy the file to a heap buffer before processing 3. Prevent paging via MmProbeAndLockPages/VirtualLockRegular I/OReadFile ZwReadFile1. Avoid double reads 2. Copy the file to a heap buffer before processing
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo
The post New Windows False File Immutability Vulnerability Let Attackers Execute Arbitrary Code appeared first on Cyber Security News.
A CIA Psychologist on the Minds of World Leaders, Pt. 1 with Dr. Ursula Wilder
A CIA Psychologist on the Minds of World Leaders, Pt. 1 with Dr. Ursula Wilder
Dr. Ursula Wilder joins Andrew Hammond to discuss the intersections between psychology and intelligence. Ursula is a clinical psychologist with over two decades of experience working at the Central Intelligence Agency. Read More
The CyberWire
Hackers Abusing Windows Search Feature to Install Remote Access Trojans
Hackers Abusing Windows Search Feature to Install Remote Access Trojans
A legitimate Windows search feature is being exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT.
The novel attack technique, per Trellix, takes advantage of the "search-ms:" URI protocol handler, which offers the ability for applications and HTML links to launch custom local Read More
The Hacker News | #1 Trusted Cybersecurity News Site