
Windows 0-day vulnerability bypasses UAC


nsane.forums


Winrumors has reported that a new 0-day vulnerability affecting Windows XP, Vista and 7 has been discovered. The vulnerability resides in win32k.sys, "the kernel mode part of the Windows subsystem." This exploit allows user privilege elevation, enabling even limited accounts to execute arbitrary code.

Marco Giuliani of Prevx has stated that no malware is currently exploiting this flaw, but also warned that it would be "very soon" before malware authors begin exploiting the vulnerability.

The API in which the vulnerability is located does not correctly validate input, resulting in a stack overflow. This means that an attacker could control the destination of the "overwritten return address" and in essence execute their code with kernel mode privileges. Since this exploits user elevation, it bypasses UAC and leaves Vista and 7 vulnerable. This is specifically important due to the fact that UAC was originally implemented to prevent unauthorized privilege elevation.

Prevx is well known for mistakenly stating, last year, that Windows Update was creating a "black screen of death." It was later revealed that the black screen was caused by a malware infection, rather than an oversight or mistake on Microsoft's part.

Microsoft has confirmed that they are evaluating this vulnerability so a fix could be in the works.

View: Original Article


May well see an emergency out-of-schedule update.



Various security vendors warned today about the public availability of exploit code for a previously unknown Windows privilege escalation vulnerability that can be used to bypass UAC.

The vulnerability was disclosed on a programming portal called CodeProject, but the page has since been removed by the site's administrators.

The flaw is located in the Windows kernel-mode device driver (win32k.sys) and allows attackers with limited access to execute code as SYSTEM.

According to BitDefender, the vulnerable API is called RtlQueryRegistryValues and can be exploited by creating a malformed registry key.

An important aspect of this vulnerability is that it allows bypassing the User Access Control (UAC), a security feature designed to prevent the execution of unauthorized code in Windows 7 and Vista.

Despite the initial disclosure page being taken down, proof-of-concept exploit code has already made its way onto exploit-db.com and is currently available to anyone interested in it.

Given the nature of the vulnerability, antivirus vendors expect to see it exploited in malware attacks very soon. Microsoft has yet to comment on the issue.

One malware that made use of similar elevation of privilege (EoP) flaws in Windows is the infamous Stuxnet industrial espionage worm discovered earlier this year.

In fact, one of the two EoP vulnerabilities leveraged by Stuxnet remains unpatched to this day. Earlier this week we reported that exploit code for it has also been publicly released.

Chester Wisniewski, a senior security advisor at Sophos, notes that one possible mitigation involves setting the user's permissions for the "HKEY_USERS\[ACCOUNT_SID]\EUDC" registry key to Deny Delete and Create Subkey. The SID can be determined by typing "whoami /user" in a command prompt window.

With this new announcement, Microsoft currently has three zero-day vulnerabilities on its hands. In addition to the Stuxnet EoP, a critical Internet Explorer arbitrary code execution flaw is also being exploited in the wild.

link
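The registry hardening Chester Wisniewski describes above (a Deny entry for the user's own account on "Delete" and "Create Subkey" for HKEY_USERS\[ACCOUNT_SID]\EUDC), written out as an added PowerShell example. This is not code from the forum post or from Sophos; it assumes Windows PowerShell running in the account being protected, and it uses the current identity's SID directly instead of copying it from "whoami /user" (HKEY_USERS\<SID> is the same hive that HKCU points at for that account).

```powershell
# Added example: apply the mitigation quoted in the post. Deny the current
# account "Delete" and "Create Subkey" on HKEY_USERS\<SID>\EUDC so a process
# running as this user cannot plant subkeys under it.
# Assumption: run as the account to protect (no elevation needed for one's own hive).

# Same SID that "whoami /user" prints.
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$keyPath = "Registry::HKEY_USERS\$($sid.Value)\EUDC"

# The key may not exist yet; create it so the Deny ACE has something to attach to.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath | Out-Null
}

# Build a Deny ACE for Delete + CreateSubKey that also flows to existing/future subkeys.
$rights  = [System.Security.AccessControl.RegistryRights]::Delete -bor
           [System.Security.AccessControl.RegistryRights]::CreateSubKey
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$deny    = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
                      -ArgumentList $sid, $rights, $inherit, $prop, 'Deny'

$acl = Get-Acl -Path $keyPath
$acl.AddAccessRule($deny)
Set-Acl -Path $keyPath -AclObject $acl

# Check: the Deny entry should now be listed ahead of the Allow entries.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AccessControlType -AutoSize
```

Two caveats worth knowing before relying on this. Deny ACEs are evaluated before Allow ACEs, so the entry blocks subkey creation even though the user otherwise has full control of their own hive. But the user is also the owner of that key, and an owner always retains the right to rewrite its DACL, so any code already running as that user could remove the Deny entry again; treat this as a speed bump that buys time until Microsoft ships a fix, not as a substitute for the patch.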
