A local privilege escalation flaw in Windows is worrying and it is bad news if exploit code is readily available. What’s even worse is when no software patch exists and there are no mitigations or workarounds to deploy while waiting for one.
That was the situation for many Windows administrators this week when a security researcher with the handle @SandboxEscaper publicized a local privilege escalation vulnerability affecting the Advanced Local Procedure Call (ALPC) interface in Windows Task Scheduler (VU#906424) on Twitter and released a proof of concept on GitHub. The flaw lets a User account gain the privileges of the high-level System account.
The researcher did not notify Microsoft before publishing the proof-of-concept, which means Microsoft does not have an update to address the flaw, let alone an advisory discussing the vulnerability. Microsoft appears to be aware of the security flaw, as the company has released the following statement: “Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible.” The next official patch release is set for Sept. 11, but it is not clear at this time whether an update for this vulnerability would be available on that date.
“The CERT/CC is currently unaware of a practical solution to this problem,” wrote Will Dormann, a vulnerability analyst with the Computer Emergency Response Team (CERT), who published an official CERT advisory after the vulnerability was posted on Twitter. Dormann said that while the proof-of-concept was for 64-bit versions of Windows 10 and Windows Server 2016, it could be used to target other 32-bit versions of Windows 10 “with minor modifications” and other Windows versions with “further modifications.”
The fact that this vulnerability can be exploited reliably and that attack code already exists puts Windows administrators in a bind because there is no official guidance on what to do. To address this gap, security consultancy Acros Security released code that can block attempts to exploit this flaw on Windows 10 and Windows Server 2016 systems on its 0patch platform.
Acros calls the code a micropatch, and it is designed to act as a hotfix that can be applied and removed quickly without impacting users. After the micropatch is downloaded from the server and stored on the machine, the code resides in memory and waits for a process to load the vulnerable module it was written for. The micropatch kicks in only when that exact module is loaded, and the fix is applied to it in memory.
A “0patch loader" component is “in charge of intercepting every module load event and applying all micropatches for that module in memory before any code from that module gets executed,” Acros CEO Mitja Kolsek said.
A Windows-internal mechanism, the ALPC interface allows client processes running within the operating system to ask a server process to provide some information or perform an action. The issue exists in an improperly secured API in the Task Scheduler service and allows an attacker with local access to overwrite most files on the system; when such a file is later loaded into a privileged System-level process, the contents of the file execute with the higher privileges. The proof-of-concept overwrote a file used by the printing subsystem on Windows so that if a user tried to print something, the operating system executed the attack code in the file with higher privileges.
Since all code changes by the micropatch are done in memory, none of the files on the system get changed. This means all signatures on files remain valid so any integrity checks will remain unaffected, Kolsek said. When the Windows administrator eventually installs the official Windows update, the patch doesn't conflict with the micropatch.
“Windows update simply replaces the vulnerable executable that we have a micropatch for with a corrected executable that has a different cryptographic hash,” Kolsek said. “One simply applies Windows updates just as if 0patch wasn't there, and since the vulnerable executable is no longer getting loaded in memory, there is nothing there to micropatch.”
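The point Kolsek makes above, that an in-memory micropatch leaves on-disk files and their signatures untouched while a vendor update replaces the binary with one carrying a different hash, is something an administrator can verify directly. The following PowerShell script is an added example written for this article; it is not 0patch's code and not part of the original text. It records the SHA-256 hash and Authenticode signature status of a set of system binaries, then on later runs reports which files changed. The file list is an assumption (schedsvc.dll is assumed to be the Task Scheduler service module and spoolsv.exe the print spooler; the article names neither), as is the baseline location.

```powershell
# Added example (not from 0patch or the article): snapshot the on-disk state of
# Windows binaries so an administrator can confirm that an in-memory micropatch
# left the files untouched, and can tell a vendor update (new hash, still a
# valid signature) apart from unexpected tampering (invalid or missing signature).
# Assumptions: Windows PowerShell 5.1 or later, run on the host being checked.
param(
    [string[]]$Paths = @(
        "$env:SystemRoot\System32\schedsvc.dll",   # assumed: Task Scheduler service module
        "$env:SystemRoot\System32\spoolsv.exe"     # assumed: print spooler executable
    ),
    [string]$BaselinePath = "$env:ProgramData\integrity-baseline.json"  # assumed location
)

function Get-BinaryState {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Sha256    = $hash.Hash
        SigStatus = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        LastWrite = (Get-Item -LiteralPath $Path).LastWriteTimeUtc.ToString('o')
    }
}

$current = foreach ($p in $Paths) { Get-BinaryState -Path $p }

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: persist a baseline to compare against after micropatching or patching.
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath"
    $current | Format-Table Path, SigStatus, Sha256 -AutoSize
    return
}

$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
$baselineByPath = @{}
foreach ($b in $baseline) { $baselineByPath[$b.Path] = $b }

foreach ($c in $current) {
    $b = $baselineByPath[$c.Path]
    if ($null -eq $b) { Write-Warning "No baseline entry for $($c.Path)"; continue }
    $hashChanged = $c.Sha256 -ne $b.Sha256
    $sigChanged  = $c.SigStatus -ne $b.SigStatus
    if ($hashChanged -and $c.SigStatus -eq 'Valid') {
        # This is what a Windows update looks like: a new, still-signed binary.
        Write-Output "$($c.Path): replaced by a signed binary (hash changed, signature Valid)"
    } elseif ($hashChanged -or $sigChanged) {
        # An on-disk change without a valid signature is not what a micropatch
        # or a vendor update produces; treat it as something to investigate.
        Write-Warning ("{0}: unexpected change (was {1}/{2}, now {3}/{4})" -f `
            $c.Path, $b.SigStatus, $b.Sha256.Substring(0, 12), $c.SigStatus, $c.Sha256.Substring(0, 12))
    } else {
        Write-Output "$($c.Path): unchanged on disk, signature $($c.SigStatus)"
    }
}
```

Run it once before deploying a micropatch to write the baseline, then again afterwards: the expected result is that every listed file reports as unchanged with a valid signature, because the micropatch only alters the module in memory. After the official Windows update installs, the patched binary should show a new hash with the signature still Valid.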
These small updates—this one is a mere 13 bytes—can complement official vendor updates or address issues that won’t receive official patches. Administrators interested in this micropatch would first need to install the 0patch Agent client but existing users should be able to see the micropatch automatically. And administrators don't have to worry about rolling back any code post-patch.
There is a lag time between when security updates become available and when enterprise IT teams finish testing and rolling them out into their environments. These micropatches are supposed to bridge that time interval so that enterprises can be protected while official patches are being tested.
There have been no attacks exploiting this vulnerability observed in the wild. It also helps that the severity of the zero-day vulnerability was limited by the fact that the targeted computer has to already be compromised and the attacker has to have access to a local account before exploiting the flaw. However, a user with local account privileges can exploit the flaw to then gain high-level privileges. An attacker could chain this privilege escalation flaw with a different bug, or trick a user into clicking on a phishing email or downloading malware.
This kind of privilege-escalation flaw can be used to break out of sandboxes and gain control of the system.
Acros has also released the code it used so that administrators reluctant to get the micropatch can write their own code fix while waiting for Microsoft. This is one of those times when administrators don't have to wait for an official patch to defend themselves from potential attacks.