Karlston Posted December 24, 2020

Google Project Zero discloses high severity elevation of privilege flaw in Windows

Google Project Zero is quite well-known for discovering vulnerabilities in the software developed by the company itself as well as those built by other firms. Its methodology involves identifying security flaws in software and privately reporting them to vendors, giving them 90 days to fix them before public disclosure. Depending upon the complexity of the fix required, it sometimes also offers additional days in the form of a grace period.

The security team has discovered and disclosed multiple security flaws in the past few years following the vendor's inability to patch them in a timely manner. This includes Qualcomm's Adreno GPU drivers, Microsoft's Windows, Apple's macOS, and more. Now, it has publicly disclosed a security bug in Windows which, if exploited, can lead to elevation of privilege.

We'll try to spare you the nitty-gritty details as usual by presenting you a simplified meat-of-the-matter statement as follows: a malicious process can send Local Procedure Call (LPC) messages to the splwow64.exe Windows process, through which an attacker can write an arbitrary value to an arbitrary address in splwow64's memory space. This essentially means that the attacker controls this destination address and any contents that get copied to it.

The flaw in question isn't exactly new. In fact, a security researcher at Kaspersky reported it earlier this year and Microsoft patched it back in June. However, this patch has now been determined as incomplete by Google Project Zero's Maddie Stone, who says that Microsoft's fix only changes the pointers to an offset, which means that an attacker can still exploit it using the offset value.

The zero-day was reported privately to Microsoft by Google Project Zero on September 24, with the standard 90-day deadline set to expire on December 24. Microsoft initially planned to release a fix in November, but that release time frame then slipped to December. After that, it told Google that it had identified new problems in its testing, and it will now release a patch in January 2021. On December 8, the two parties met to discuss progress and next steps, where it was determined that the 14-day grace period cannot be offered to Microsoft since the company plans to release the patch on Patch Tuesday on January 12, 2021, six days over the grace period deadline.

Stone has stated that while she doesn't think that an incomplete fix deserves a new 90-day deadline, this has still been followed as the default since Google's current policies do not cover this use case. The Project Zero team plans to revisit its policies again next year, but has publicly disclosed the vulnerability with proof-of-concept code. The technical report is unclear which versions of Windows this affects, but Kaspersky's report from a few months ago indicates that attackers have been using it to target new builds of Windows 10.

Google Project Zero discloses high severity elevation of privilege flaw in Windows
aum Posted December 24, 2020

Google's Project Zero team has made public details of an improperly patched zero-day security vulnerability in the Windows print spooler API that could be leveraged by a bad actor to execute arbitrary code. Details of the unpatched flaw were revealed publicly after Microsoft failed to patch it within 90 days of responsible disclosure on September 24.

Originally tracked as CVE-2020-0986, the flaw concerns an elevation of privilege exploit in the GDI Print / Print Spooler API ("splwow64.exe") that was reported to Microsoft by an anonymous user working with Trend Micro's Zero Day Initiative (ZDI) back in late December 2019. But with no patch in sight for about six months, ZDI ended up posting a public advisory as a zero-day on May 19 earlier this year, after which it was exploited in the wild in a campaign dubbed "Operation PowerFall" against an unnamed South Korean company.

"splwow64.exe" is a Windows core system binary that allows 32-bit applications to connect with the 64-bit printer spooler service on 64-bit Windows systems. It implements a Local Procedure Call (LPC) server that can be used by other processes to access printing functions.

Successful exploitation of this vulnerability could result in an attacker manipulating the memory of the "splwow64.exe" process to achieve execution of arbitrary code in kernel mode, ultimately using it to install malicious programs; view, change, or delete data; or create new accounts with full user rights. However, to achieve this, the adversary would first have to log on to the target system in question.

Although Microsoft eventually addressed the shortcoming as part of its June Patch Tuesday update, new findings from Google's security team reveal that the flaw has not been fully remediated. "The vulnerability still exists, just the exploitation method had to change," Google Project Zero researcher Maddie Stone said in a write-up.

"The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy," Stone detailed. "The 'fix' simply changed the pointers to offsets, which still allows control of the args to the memcpy."

The newly reported elevation of privilege flaw, identified as CVE-2020-17008, is expected to be resolved by Microsoft on January 12, 2021, due to "issues identified in testing" after promising an initial fix in November. Stone has also shared proof-of-concept (PoC) exploit code for CVE-2020-17008, based on a PoC released by Kaspersky for CVE-2020-0986.

"There have been too many occurrences this year of zero-days known to be actively exploited being fixed incorrectly or incompletely," Stone said. "When [in the wild] zero-days aren't fixed completely, attackers can reuse their knowledge of vulnerabilities and exploit methods to easily develop new 0-days."

Source
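Both posts above describe the same defect pattern: the first patch swapped caller-controlled pointers for caller-controlled offsets, but base + offset is still a caller-chosen address unless the offset is checked against the buffer it indexes. The following C program is an added illustration written for this thread; it is not code from the articles, from Project Zero, Kaspersky or Microsoft, and its `struct copy_request` layout, `SHARED_BUF_SIZE` and function names are constructed stand-ins, not the real splwow64 LPC message format. It shows the overflow-safe range check a handler needs before the memcpy, and a helper that exposes (without dereferencing) how far an unchecked offset resolves outside the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed message shape for a hypothetical print-proxy request.
 * NOT the real splwow64 layout; it only models the bug's shape:
 * the caller supplies where to copy from, where to copy to, and how much. */
struct copy_request {
    uint32_t src_offset;   /* offset into the shared buffer */
    uint32_t dst_offset;   /* offset into the shared buffer */
    uint32_t length;       /* bytes to copy */
};

#define SHARED_BUF_SIZE 256u   /* constructed size for the example */

/* Overflow-safe test that [off, off+len) lies inside a buffer of size cap.
 * Written with subtraction so that off + len can never wrap around. */
bool range_within(size_t cap, size_t off, size_t len) {
    if (off > cap) return false;
    return len <= cap - off;
}

/* The "offset instead of pointer" shape with no validation: the resolved
 * address is base + offset, and offset is caller-controlled, so the address
 * is too. Returned as an integer so it can be inspected, never dereferenced. */
uintptr_t resolve_unchecked(const uint8_t *base, uint32_t offset) {
    return (uintptr_t)base + (uintptr_t)offset;
}

/* Does the unchecked resolution land outside [base, base+cap)? */
bool unchecked_escapes_buffer(const uint8_t *base, size_t cap, uint32_t offset) {
    uintptr_t addr = resolve_unchecked(base, offset);
    return addr < (uintptr_t)base || addr >= (uintptr_t)base + cap;
}

/* Hardened handler: both ranges are validated against the shared buffer
 * before memcpy, and overlapping ranges are refused (memcpy on overlapping
 * memory is undefined behaviour). Returns 0 on success, -1 for an
 * out-of-range request, -2 for an overlapping one. */
int handle_copy_request(uint8_t *shared, size_t shared_len,
                        const struct copy_request *req) {
    if (!range_within(shared_len, req->src_offset, req->length)) return -1;
    if (!range_within(shared_len, req->dst_offset, req->length)) return -1;
    size_t s = req->src_offset, d = req->dst_offset, n = req->length;
    if (n > 0 && s < d + n && d < s + n) return -2;   /* safe: ranges validated */
    memcpy(shared + d, shared + s, n);
    return 0;
}

/* Exercises the handler with constructed requests; returns 1 if every
 * expectation holds, 0 otherwise. */
int self_check(void) {
    uint8_t shared[SHARED_BUF_SIZE] = {0};
    memcpy(shared, "hello", 5);
    struct copy_request ok  = {0, 16, 5};            /* in range, no overlap */
    struct copy_request bad = {0, 0x7ffffff0u, 5};   /* destination far outside */
    struct copy_request ovl = {0, 2, 5};             /* in range but overlapping */
    if (handle_copy_request(shared, sizeof shared, &ok) != 0) return 0;
    if (memcmp(shared + 16, "hello", 5) != 0) return 0;
    if (handle_copy_request(shared, sizeof shared, &bad) != -1) return 0;
    if (handle_copy_request(shared, sizeof shared, &ovl) != -2) return 0;
    if (!unchecked_escapes_buffer(shared, sizeof shared, bad.dst_offset)) return 0;
    return 1;
}

int main(void) {
    printf("hardened handler behaves as expected: %s\n", self_check() ? "yes" : "no");
    return 0;
}
```

The point of `range_within` is that the check must be done on the offset and length together, with arithmetic that cannot wrap: `off + len <= cap` is the obvious form but overflows for large `len`, which is exactly the kind of value an untrusted message can carry.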
Karlston Posted December 25, 2020

Similar topics merged.