
A look at the Windows 10 exploit Google Zero revealed this week



On Tuesday, Tavis Ormandy of Google's Project Zero released an exploit kit called ctftool that uses and abuses the Microsoft Text Services Framework to effectively root anyone, i.e. obtain System privileges, on any unpatched Windows 10 system you can log in to. The patches for this vulnerability, along with some other serious issues, were released in this week's Patch Tuesday update.

We independently verified Ormandy's proof-of-concept, and it does exactly what it claims: follow the instructions and you get a privileged prompt for nt authority\system a few seconds later. We also independently verified that applying KB4512508 closes the vulnerability. Once the August security updates are installed, the exploit stops working.
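As the check a defender would want after reading this, here is an added PowerShell snippet (not from the article or from ctftool) that reports whether a Windows 10 1903 host carries KB4512508 or a later cumulative update; the 18362.295 revision number is assumed from that update's release notes, not from this article.

```powershell
# Added example, not part of the article or of ctftool. Reports whether a
# Windows 10 version 1903 host has the August 2019 update (KB4512508) that
# closes the CTF privilege escalation. Run from an elevated prompt.
function Test-CtfPatchState {
    [CmdletBinding()]
    param(
        # KB id named in the article for Windows 10 build 1903
        [string]$KbId = 'KB4512508',
        # Assumed: KB4512508 raises build 18362 to revision (UBR) 295
        [int]$FixedRevision = 295
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber            # 18362 == Windows 10 version 1903

    # UBR is the update revision; later cumulative updates supersede the KB
    # and Get-HotFix then lists the newer KB instead, so compare the revision too
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ubr = [int]$cv.UBR

    # Get-HotFix reads Win32_QuickFixEngineering; missing id simply returns nothing
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # MSCTF.DLL is the library the article identifies; record its file version
    $dllPath    = Join-Path $env:SystemRoot 'System32\MSCTF.DLL'
    $dllVersion = (Get-Item $dllPath -ErrorAction SilentlyContinue).VersionInfo.FileVersion

    $is1903 = ($build -eq 18362)
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = "$build.$ubr"
        Is1903       = $is1903
        KbChecked    = $KbId
        KbListed     = [bool]$hotfix
        # Patched if the KB itself is listed or the revision is at/after the fix
        Patched      = $is1903 -and ([bool]$hotfix -or $ubr -ge $FixedRevision)
        MsctfVersion = $dllVersion
    }
}

$state = Test-CtfPatchState
$state | Format-List

if (-not $state.Is1903) {
    Write-Warning "Build $($state.Build) is not 1903; check the August 2019 cumulative update for that release instead."
} elseif (-not $state.Patched) {
    Write-Warning "$($state.KbChecked) (or a later cumulative update) is missing; the CTF privilege escalation is still open here."
} else {
    Write-Host "Host is at $($state.Build); the CTF fix from $($state.KbChecked) is present."
}
```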

The full description of Ormandy's findings is intriguing and technically incredibly detailed. The TL;DR version is this: the Microsoft Text Services Framework, which provides multilingual support and has been part of Windows since Windows XP, contains a library named MSCTF.DLL. (There is no clear documentation of what CTF is supposed to stand for, but with the release of this tool it might as well be Capture The Flag.)

The Text Services Framework must monitor and modify user input in application windows in order to provide language services such as Simplified Chinese (Pinyin). If you install language support for Pinyin, you can see this in action: with the language set to Pinyin, you can type in any window, and suggestions for Chinese characters matching either your phonetic spelling (or whole words you typed in English) appear in a submenu.

The characters in that submenu can be quickly selected with keyboard shortcuts, which replace the characters you typed with the Chinese characters you selected.

Ormandy did not set out looking for problems in the Text Services Framework; all he was really looking for was confirmation that he could not send messages from a non-privileged process to a privileged process. However, when he wrote a test case to send every sort of message to a Notepad.exe instance running as an administrator, he found that this was not the case: some of his inter-process messages went through unexpectedly.

If I send every possible message to a privileged window from an unprivileged process, the list should match the whitelist in win32k!IsMessageAlwaysAllowedAcrossIL and I can move on to something else.

Ah, I was so naive.

Tavis Ormandy, Google Project Zero

Once Ormandy had identified MSCTF.DLL as the culprit, the next step was to find out what could be done with it. As he found out, the answer was "pretty much anything you want." The CTF protocol is an older system, introduced in 2001 with Office XP, and it even supported Windows 98; it has shipped with the base system since Windows XP. The protocol implemented no access control at all: even sandboxed processes were able to connect to a CTF session outside their sandbox. Clients report their thread ID, process ID, and window handle, but there was no validation, and nothing prevented such a client from lying through its teeth to get what it wanted. Every function pointer in the referenced program ... and because the CTF protocol catches exceptions, a client can effectively attack a target it does not know very well without crashing it. You might think that address space layout randomization, a modern security technique that makes it harder to predict where vulnerable parts of an application sit in memory, would make things harder. Unfortunately, you would be wrong, because the CTF marshaling protocol has already told you where the monitor's stack is.

That gets you into the monitor, but not yet into the client app you actually want to own. Getting there requires repeated trial and error, but that trial and error can be automated in a script, and that is exactly what Ormandy's proof-of-concept script does. When you run ctf-consent-system.ctf in the tool, a UAC dialog box is created with the verb runAs and the command shellExecute(). Once the UAC dialog is up, ctftool uses the CTF framework to connect, test the connection, and allocate the stack; this takes a few seconds. Once that is done, it calls the internal function in consent.exe that indicates a local user has successfully entered the requested credentials, and Bob's your uncle: you have an instance of cmd.exe running as nt authority\system.

We ran through Tavis Ormandy's demonstration application of ctftool ourselves. Yes, it really works: System privileges in seconds; no muss, no fuss. We had no additional languages installed and no non-standard settings; this was a brand-new Windows 10 build 1903 VM. (We did have to install the Microsoft Visual C++ x86 runtime, but it is already present on almost every real system.)

This vulnerability lurked undetected in the Windows stack for 20 years, and its consequences go beyond the proof-of-concept exploit: on unpatched systems, CTF can even be used to bypass the AppContainer isolation relied on by the newest and presumably most secure applications, such as Microsoft Edge.
