Patched Windows Kernel-Mode Driver Flaw Exploitable With One Bit Change

[metasploit2015]

The vulnerabilities addressed in this month’s Patch Tuesday security bulletins from Microsoft have been a mashup of critical bugs affecting most supported versions of Windows and Internet Explorer that could pave the way for attackers to gain complete control of affected systems.

Sounds like most months, for sure.

But what sets this month apart is the regular stream of disclosures from researchers in the hours and days following patches from Microsoft.

The latest surrounds MS15-010, a bulletin that patches six critical remote code execution, security bypass and privilege escalation bugs in the Windows kernel-mode driver. That bulletin includes a security feature bypass in CNG.sys, or the Cryptography Next Generation kernel-mode driver, disclosed by Google’s Project Zero research team. The vulnerability was out in the open for close to two weeks after Project Zero’s 90-day disclosure window expired.

Details on a privilege escalation vulnerability, CVE-2015-0057, in the Windows kernel GUI component, the Win32k.sys module, yesterday were shared by researchers at enSilo. According to CTO Udi Gavo, all versions of Windows are affected, including the Windows 10 Technical Preview, and attackers could exploit the bug and gain control over the compromised computer.

“A threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization,” he said in a published report.

The vulnerability can be exploited by modifying one bit in Windows, the report said.

The exploit works, enSilo said, despite the presence of numerous kernel-level protections instituted by Microsoft, in particular in Windows 8.1. Kernel DEP, ASLR, SMEP and others are mitigations that prevent code execution within certain kernel regions, but some researchers have already developed bypasses.

EnSilo provides technical details on the vulnerability in its report, in particular an examination of the xxxEnableWndSBArrows function which enables and disables scrollbars in Windows.

“Through a single call, this function can alter the state of both scrollbars,” the report said. “It is precisely within this function wherein the vulnerability lies.”

On Tuesday, consultancy JAS Global Advisors released details on critical vulnerabilities in Group Policy that expose Windows users to man-in-the-middle attacks, remote code execution attacks, and security bypasses.

The Jasbug, as it was nicknamed, was reported in January 2014 but since it was a design issue rather than one related to an implementation, it required some re-engineering by Microsoft.

“The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device,” JAS said. “Roaming machines – domain-joined Windows devices that connect to corporate networks via the public Internet (e.g. from hotels and coffee shops) – are at heightened risk.”

JAS said that computers connecting over a virtual private network should be immune to compromise. Further mitigating the risk, JAS said, is that a number of scenarios have to be in place for exploits to work.

“It certainly doesn’t work universally and it depends on some funky misconfigurations and happenstance. But it works frequently enough to be of concern,” JAS said in its advisory.

Microsoft also addressed reports with a silent feature update in Visual Studio (KB3001652) that was causing Windows machines to lock up. The update has since been re-released after it was removed from Windows Update.

Sursa