0-day exploit speaks Chinese, bypasses UAC

Post by DarthTrader on 25/11/2010, 22:21

www.prevx.com/blog/160/New-Windows-day-exploit-speaks-chinese.html

Posted by: Marco Giuliani

This isn't exactly what could be defined as a lucky year for Microsoft. If Windows 7 sales are booming, on the other hand the operating system made in Redmond has been hit hard by a lot of targeted attacks during these months. The Aurora exploit was just the first of the year, but the most serious attack has definitely been the Stuxnet case. Finding a 0-day exploit is always difficult, but using four 0-day exploits all together is actually impressive.

Yesterday another serious 0-day flaw was publicly disclosed on a Chinese board.

This is a serious flaw because it resides in win32k.sys, the kernel mode part of the Windows subsystem. It is a privilege escalation exploit which allows even limited user accounts to execute arbitrary code in kernel mode.

Win32k.sys's NtGdiEnableEUDC API does not properly validate some inputs, causing a stack overflow and overwriting the return address stored on the stack. A malicious attacker is able to redirect the overwritten return address to his malicious code and execute it with kernel mode privileges.

Being a privilege escalation exploit, it bypasses by design even the protection given by the User Account Control and Limited User Account technology implemented in Windows Vista and Windows 7. All Windows XP/Vista/7 systems, both 32- and 64-bit, are vulnerable to this attack.
[...]

PoC:
http://68.233.235.195/kmax/security-uac.aspx.htm


Re: 0-day exploit speaks Chinese, bypasses UAC

Post by ssj100 on 26/11/2010, 00:23

Yes, I read about this yesterday and just got hold of the POC myself. Seems to work fine in my freshly installed Windows 7 Professional 32-bit Virtual Machine, Administrator account with default UAC level.

Before executing the POC, when I type "whoami" in a command prompt, I receive the name of my user account - this means I have the rights established within the user account only. After executing the POC, I have system level rights. Interesting stuff. I may have something here to test against various anti-malware applications.

EDIT: I'll be testing the POC against applications like Sandboxie and DefenseWall, but I'm not going to post individual results unless something unexpected comes about.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by ssj100 on 26/11/2010, 01:04

DefenseWall 3.09 Beta: After executing the POC as "Untrusted", the entire system freezes for a period of time. Then, the system appears to reboot itself and a BSOD error comes up once back in Windows. A rights level check in command prompt shows that the user rights have not changed, and therefore DefenseWall prevented the POC's main aim. However, DefenseWall users may not enjoy the spontaneous system freeze and BSOD caused by this POC.

Standard User Account + UAC: BYPASSED

SRP (set up as described here: http://www.mechbgon.com/srp/ ): BLOCKED
This exploit has been described as a privilege escalation attack, so I'm not sure if the exploit could be manipulated so that it doesn't have to be initially executed via a PE executable. As I've said before though, I keep hearing of these so-called "privilege escalation attacks", but I never can find one that actually bypasses SRP. Sure, this exploit works in a Limited/Standard User Account and, once executed, allows further execution of programs at root level (and therefore I suppose it's a privilege escalation exploit by definition), but how does it execute itself initially to bypass the SRP in the first place? If it can't even execute in the first place, then it's a pretty useless exploit for those who run LUA + SRP or equivalent.

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by DarthTrader on 26/11/2010, 04:05

The PoC will not run under XP and that's all I have, so I can't test it at all. What happens when you try it under the Guest account?

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by ssj100 on 26/11/2010, 04:20

The exploit is successful in a Guest account too, although it seems to make the system unstable afterwards if you test the user rights by entering "whoami" in a command prompt.

However, the exploit does successfully work in a Guest account. I can see many people around the world abusing this right now haha. Perhaps this POC should never have been released so publicly. Here's a possible scenario:

1. Visitor comes to person's home
2. Person lets visitor use his/her computer under a "Guest" account in Windows 7
3. Visitor downloads the above POC
4. Visitor executes the POC in the "Guest" account (this is not hard to do - simply double click the executable file...UAC doesn't make a sound)
5. The POC allows the command prompt to run with full system privileges
6. Visitor downloads a program from the internet
7. Visitor opens command prompt and successfully executes and installs the program

I just tested the above scenario under Windows 7 Professional, 32-bit, Guest Account - I ran the POC, then downloaded CCleaner. After opening a command prompt, I was able to successfully install and run CCleaner...all while in a Guest Account, and not one pop-up came from UAC.

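The end state of the scenario above is an interactive shell (cmd.exe) running as LOCAL SYSTEM inside a logged-on user's session, which is not something Windows produces on its own. The following is an added defender's check for exactly that condition; it is not code from the thread or from any of the products discussed. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance) and an elevated console so other users' processes can be inspected; the function and parameter names are my own.

```powershell
# Added example (not from the thread): find interactive shells owned by SYSTEM
# that live in a user session rather than in the services session (session 0).
# Assumes Windows PowerShell 3.0+ and an elevated console; names are my own.

function Find-SystemShellsInUserSessions {
    param(
        # Processes that should never show up as SYSTEM in an interactive session.
        [string[]]$ShellNames = @('cmd.exe', 'powershell.exe', 'explorer.exe')
    )

    $localSystemSid = 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM

    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $ShellNames -contains $_.Name } |
        ForEach-Object {
            $proc  = $_
            $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwnerSid

            # Session 0 is the non-interactive services session, where SYSTEM belongs.
            # A SYSTEM-owned shell in any other session is the anomaly we are after.
            if ($owner.Sid -eq $localSystemSid -and $proc.SessionId -ne 0) {
                $parent = Get-CimInstance -ClassName Win32_Process `
                              -Filter "ProcessId = $($proc.ParentProcessId)"
                [PSCustomObject]@{
                    ProcessId   = $proc.ProcessId
                    Name        = $proc.Name
                    SessionId   = $proc.SessionId
                    Owner       = 'NT AUTHORITY\SYSTEM'
                    ParentId    = $proc.ParentProcessId
                    ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
                    CommandLine = $proc.CommandLine
                    Started     = $proc.CreationDate
                }
            }
        }
}

# Usage: run from an elevated console and review every hit together with its
# parent process and command line.
Find-SystemShellsInUserSessions | Format-Table -AutoSize
```

Treat a hit as a lead rather than a verdict: an administrator running a remote-execution tool with the "run as SYSTEM, interactive" options, or a scheduled task that opens a SYSTEM shell on a user's desktop, produces the same picture, so the parent process and command line columns are what separate those from an unexpected escalation.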
Re: 0-day exploit speaks Chinese, bypasses UAC

Post by DarthTrader on 26/11/2010, 05:18

Gadzooks! Thanks for testing!

EDIT:
According to this blog, Prevx free version now protects against this exploit:
http://www.prevx.com/blog/162/Windows-day-exploit-QA-session.html

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by ssj100 on 26/11/2010, 05:48

DarthTrader wrote:Gadzooks! Thanks for testing!

EDIT:
According to this blog, Prevx free version now protects against this exploit:
http://www.prevx.com/blog/162/Windows-day-exploit-QA-session.html

DarthTrader
Very welcome. With regards to Prevx protecting against zero-day exploits...well, Prevx would have failed against this one initially. Now that it's no longer zero-day, and with yet another Prevx release to "patch vulnerabilities", it of course passes.

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by aigle on 26/11/2010, 13:04

Hi, thanks for testing. Can you try GeSWall? What about classical HIPS like Comodo?
Thanks
Re: 0-day exploit speaks Chinese, bypasses UAC

Post by ssj100 on 26/11/2010, 13:10

Hi aigle, as expected, GeSWall passes nicely - unlike DefenseWall, there is no system freeze and no spontaneous reboot. The same applies for Sandboxie. With regards to Classical HIPS, I am pretty sure all would pass. I'll test it out some time just to confirm.

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by languy99 on 26/11/2010, 13:53

I also want to see Comodo. Though I think it will do just fine.
Re: 0-day exploit speaks Chinese, bypasses UAC

Post by aigle on 26/11/2010, 16:53

ssj100 wrote:Hi aigle, as expected, GeSWall passes nicely - unlike DefenseWall, there is no system freeze and no spontaneous reboot. The same applies for Sandboxie. With regards to Classical HIPS, I am pretty sure all would pass. I'll test it out some time just to confirm.
Thanks for that. Nice to know.

Thanks again
Re: 0-day exploit speaks Chinese, bypasses UAC

Post by ssj100 on 27/11/2010, 09:17

Just tested COMODO Internet Security 5.0.162636.1135 and it is bypassed in default configuration. The POC executable is sandboxed as partially limited (as shown below), but the POC is able to achieve what it intended.


However, I'm fairly sure CIS version 3 (and versions 4 and 5 configured appropriately) would have blocked this exploit easily by throwing up a Defense+ alert.

EDIT: Do keep in mind I am using VirtualBox to do my testing. I have heard that CIS version 5 does not perform properly in VirtualBox, so perhaps take my testings with a grain of salt. Cheers.

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by ssj100 on 27/11/2010, 09:31

Okay, I changed settings to the "Proactive" configuration and disabled the CIS Sandbox component. Following this, CIS, like with any Classical HIPS, throws up the below pop-up, and the POC is easily blocked:


However, it's hard to know for sure whether CIS in this configuration would show an alert if a non PE executable was used instead. Regardless, this is perhaps one big reason why proper sandboxing technology (Sandboxie) with a good "security approach" is more powerful than even a well configured Classical HIPS - it doesn't matter what or how something is executed/exploited - everything should still be contained and easily discarded (with no change to the REAL system).

Anyway, it might be worth reporting the above to the Comodo developers.

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by languy99 on 27/11/2010, 10:29

I have VMware to test the POC; how do you verify if it has done what it needs to do?
Re: 0-day exploit speaks Chinese, bypasses UAC

Post by ssj100 on 27/11/2010, 11:03

Okay, I thought I had explained it before, but it seems it's not clear enough. It took me a few minutes to work out what exactly was going on too (the web-site that hosts the POC has mostly information that I don't understand either). Anyway, let me try to explain the concept of what this POC allows a user to do:

1. The command prompt is a program that comes with pretty much all versions of Windows.
2. The command prompt allows the user to do many things, including execute programs.
3. From Windows 95 (or even 3.1?), Microsoft made it easier to execute programs - the "noob" user can simply point their mouse cursor over a file and double click on it.
4. This is much easier than using a command prompt to type in commands and execute the file. But, you still have the option of doing it this way.

Okay, now that we have that concept in mind, here's some more important information:

1. A Limited User Account would open a command prompt window with limited user rights. With typical limited user rights, it generally means that new programs can't be installed (properly).
2. This means that if you opened a command prompt as a limited user, you wouldn't be able to successfully execute and install a file/program from this command prompt window.
3. As far as I understand it, with Windows Vista/7, even your personal "Administrator" account has "limited" rights by default, which is controlled by UAC - of course, if you click "Yes" to everything UAC throws up, you basically have the equivalent of full rights.
4. So for example, if you opened a command prompt window in Windows 7, you would have the rights of your "Administrator" user account which is by default controlled by UAC.
5. If you try to execute a program from the command prompt window, UAC should pop up a warning asking if you want the program to execute or not.
6. However, if your command prompt has system level rights (which you shouldn't have by default), you would bypass UAC, and be able to execute anything you like (via the command prompt window) with full rights.

Okay, so now that we have those concepts in mind, here's an educated way to test the POC:

1. With Windows 7, open a command prompt window
2. Type "whoami" and you should get something like this:

The blotted-out areas represent the name of your user account.
3. Now execute the POC (poc.exe)
4. Now type in "whoami" again, and you will get this:

This now means that your command prompt (cmd.exe) is able to run with system level rights - bad news!


Last edited by ssj100 on 27/11/2010, 11:52; edited 1 time in total

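Steps 1 to 4 above compare two "whoami" outputs by eye. The following is an added example, not code from the thread, that takes the same before/after reading as a structured snapshot of the current token (user SID, whether it is LOCAL SYSTEM, whether the Administrators group is active, and the integrity level) and diffs the two field by field. It assumes Windows PowerShell 3.0 or later and the standard whoami.exe shipped with Vista/7 and later; the function names are my own.

```powershell
# Added example (not from the thread): structured "whoami before / whoami after".
# Assumes Windows PowerShell 3.0+ and whoami.exe; function names are my own.

function Get-TokenSnapshot {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # whoami lists the integrity label as a Mandatory Label group with SID S-1-16-<RID>.
    $labelRow = whoami /groups /fo csv | ConvertFrom-Csv |
                Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $rid = if ($labelRow) { [int](($labelRow.SID -split '-')[-1]) } else { -1 }
    $integrity = switch ($rid) {
        4096    { 'Low' }
        8192    { 'Medium' }
        12288   { 'High' }
        16384   { 'System' }
        default { "Unknown($rid)" }
    }

    [PSCustomObject]@{
        Taken         = Get-Date
        User          = $identity.Name
        UserSid       = $identity.User.Value
        IsLocalSystem = $identity.User.IsWellKnown(
                            [System.Security.Principal.WellKnownSidType]::LocalSystemSid)
        # False for a UAC-filtered admin token: the Administrators group is present
        # but deny-only, which is the "limited by default" behaviour described above.
        IsAdminToken  = $principal.IsInRole(
                            [System.Security.Principal.WindowsBuiltInRole]::Administrator)
        Integrity     = $integrity
    }
}

function Compare-TokenSnapshot {
    param(
        [Parameter(Mandatory = $true)] $Before,
        [Parameter(Mandatory = $true)] $After
    )
    $changes = foreach ($field in 'UserSid', 'IsLocalSystem', 'IsAdminToken', 'Integrity') {
        if ($Before.$field -ne $After.$field) {
            '{0}: {1} -> {2}' -f $field, $Before.$field, $After.$field
        }
    }
    if (-not $changes) { 'No change: the token still has the rights it started with.' }
    else { $changes }
}

# Usage, mirroring steps 1-4: snapshot, run the sample from THIS window inside a
# disposable VM, snapshot again, and diff. A SYSTEM result shows as
# UserSid S-1-5-18, IsLocalSystem True and Integrity System.
$before = Get-TokenSnapshot
$before | Format-List
Read-Host 'Run the sample in this window now, then press Enter'
$after = Get-TokenSnapshot
$after | Format-List
Compare-TokenSnapshot -Before $before -After $after
```

Keeping the snapshot in a variable also gives a product test a clean pass/fail criterion: a blocked run reports no change, while a bypassed run reports the SID and integrity transitions explicitly instead of relying on which account name happens to be printed.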
Re: 0-day exploit speaks Chinese, bypasses UAC

Post by languy99 on 27/11/2010, 11:11

Thanks I'll test it right now.
Re: 0-day exploit speaks Chinese, bypasses UAC

Post by languy99 on 27/11/2010, 11:27

So this is what I found.

Running in the automatic sandbox, it gets bypassed in any other mode other than untrusted.

Running in the manual sandbox (right clicking and selecting run in sandbox) will also stop the POC.

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by ssj100 on 27/11/2010, 11:51

languy99 wrote:So this is what I found.

Running in the automatic sandbox, it gets bypassed in any other mode other than untrusted.
What do you mean by "other than untrusted"?

languy99 wrote:Running in the manual sandbox (right clicking and selecting run in sandbox) will also stop the POC.
I see, I didn't think that would make a difference. But I've just tested it out myself and it certainly blocks the POC. The slightly odd thing is that it appears to do it silently, and the Events log shows up nothing.

So just to double check, your conclusion is that CIS in absolute default configuration blocks the POC? If not, is this something worth mentioning to the Comodo developers?

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by languy99 on 27/11/2010, 12:51

It was all tested in stock mode; all I changed was the settings of the sandbox from partially limited all the way up to untrusted. It gets blocked in untrusted but not in any of the others.

And it gets blocked if you right click and run in sandbox. Why? Because Comodo has two sandboxes. One is the automatic one, which is more like an advanced UAC (it is a limiting sandbox), while if you right click on an app and run it, it is a full sandbox like Sandboxie.

I have already sent some messages to the Comodo dev team to have them look at it.
Re: 0-day exploit speaks Chinese, bypasses UAC

Post by ssj100 on 27/11/2010, 13:05

Thanks for the clarifications languy99.

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by ssj100 on 27/11/2010, 13:30

Actually, I just tested it myself and I don't quite understand what you mean by changing the settings of the "sandbox from partially limited all the way up to untrusted". From what I can see, the sandbox setting only has two main options - Enabled or Disabled.

However, the "Image Execution Control Level" configures how Defense+ reacts to unrecognised files. You can select "Partially Limited" (which is default), "Limited", "Restricted", "Untrusted" or "Blocked".

I just tested it with "out of the box" settings, and changed "Partially Limited" to "Untrusted" and the POC still bypasses CIS. What do you think?

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by languy99 on 27/11/2010, 13:44

Those are the sandbox levels, but with a different name; those settings change what type of restrictions the automatic sandbox applies to the files it does not know about.

Also, once you test it with one setting like partially limited, you have to go to the summary tab and click the number left of the sentence that says "unrecognized files observed/will be...". That will bring you to a window called unrecognized files; there you select the file and click the button marked remove.

If you don't, it will remember what rule it used last time (partially limited and such) and will not apply your new one (untrusted) to that file. Once you have removed it and set the level to where you want it, you can test again.

In untrusted it will not even execute.
Re: 0-day exploit speaks Chinese, bypasses UAC

Post by ssj100 on 27/11/2010, 14:25

languy99 wrote:In untrusted it will not even execute.
I see. However, this means that it's not really "sandboxing" - it's basically blocking something unknown from running. Anyway, that's not really important. What's really important is that Comodo successfully sandboxes the POC if you manually right click it to run sandboxed, but the POC bypasses Comodo's "automatic" sandbox.

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by ssj100 on 29/11/2010, 10:21

By the way, Ilya has updated the latest DefenseWall Beta (3.09) to block this vulnerability more completely - I've just tested the latest Beta and certainly there is no more system instability following execution of the POC. I suppose that's pretty much Ilya admitting defeat, and also confirms the issues with DefenseWall I posted above. At least Ilya has fixed it now - great support as usual.

However, this is yet another ("zero-day") vulnerability that DefenseWall has failed in blocking/containing cleanly, whereas both GeSWall and Sandboxie hold strong.

Re: 0-day exploit speaks Chinese, bypasses UAC

Post by aigle on 1/12/2010, 21:04

ssj100 wrote:DefenseWall 3.09 Beta: After executing the POC as "Untrusted", the entire system freezes for a period of time. Then, the system appears to reboot itself and a BSOD error comes up once back in Windows. A rights level check in command prompt shows that the user rights have not changed, and therefore DefenseWall prevented the POC's main aim. However, DefenseWall users may not enjoy the spontaneous system freeze and BSOD caused by this POC.


Hmmm... not sure if DW is protecting against this exploit or not, as the system was rebooted. In my testing, if I run the POC and just reboot the PC, the user rights are fixed back to normal automatically.