The world woke up Tuesday to two new vulnerabilities, one in Windows and the other in Linux, that allow attackers who already have a foothold on a vulnerable system to bypass the operating system's security restrictions and access sensitive resources.
As operating systems and applications become harder to hack, successful attacks usually require two or more vulnerabilities. One vulnerability gives the attacker access to privileged operating-system resources where code can be executed or sensitive data can be read. A second vulnerability escalates that code execution or file access to operating-system resources reserved for password storage or other sensitive operations. Accordingly, the value of so-called local privilege escalation vulnerabilities has risen in recent years.
The Windows vulnerability accidentally came to light on Monday when a researcher observed what he believed to be a coding regression in a beta version of the upcoming Windows 11. The researcher found that the contents of the Security Accounts Manager – the database that contains user accounts and security descriptors for users on the local computer – can be read by users with limited system permissions.
This made it possible to extract cryptographically protected password data, determine the password used to install Windows, obtain the computer keys for the Windows Data Protection API (DPAPI), which can be used to decrypt private encryption keys, and create an account on the vulnerable computer. The result is that a local user can elevate privileges up to SYSTEM, the highest level in Windows.
“I don’t yet fully understand the extent of the problem, but I think there are too many not to be a problem,” remarked researcher Jonas Lykkegaard. “So that nobody doubts what that means, it’s EOP to SYSTEM even for sandbox apps.”
yarh- for some reason the SAM file on Win11 is now READ for users.
So if you have shadow volumes enabled, you can read the sam file as follows:
I don’t yet know the full extent of the problem, but I think there are too many to not be a problem. pic.twitter.com/kl8gQ1FjFt
– Jonas L (@jonasLyk) July 19, 2021
People who responded to Lykkegaard pointed out that the behavior wasn't a regression introduced in Windows 11. Instead, the same vulnerability was present in the latest version of Windows 10. The US Computer Emergency Readiness Team said the vulnerability exists when the Volume Shadow Copy Service (VSS), the Windows feature that allows the operating system or applications to take "point-in-time snapshots" of an entire hard drive without locking the file system, is enabled.
The advisory stated:
When a VSS shadow copy of the system drive is available, an unprivileged user can leverage access to these files to achieve a number of effects including, but not limited to:
- Extract and get account password hashes
- Discover the original Windows installation password
- Obtain DPAPI computer keys, which can be used to decrypt any private computer keys
- Obtain a computer account that can be used in a silver ticket attack
Note that VSS shadow copies may not be available in some configurations. However, if you have a system drive larger than 128GB and then run Windows Update or install an MSI, a VSS shadow copy is created automatically. To verify that a system has VSS shadow copies, run the following command from a privileged command prompt:
vssadmin list shadows
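An added example, not from the article or from the CERT advisory: a PowerShell check, run from an elevated prompt, that tests whether both preconditions the advisory describes hold on a machine, namely that the registry hive files are readable by standard users and that VSS shadow copies of the system drive exist. It assumes the default hive locations under %windir%\System32\config.

```powershell
# Added example (not from the article or from CERT/CC). Checks whether the two
# conditions described above coincide on this machine: (1) the SAM, SYSTEM and
# SECURITY hive files carry an ACL that lets the BUILTIN\Users group read them
# and (2) VSS shadow copies exist, from which a low-privilege user could read
# those hives. Run from an elevated PowerShell prompt; Win32_ShadowCopy needs
# administrator rights.

$hives = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object {
    Join-Path $env:windir "System32\config\$_"    # default hive locations (assumption)
}

$readableByUsers = foreach ($hive in $hives) {
    $acl = Get-Acl -Path $hive
    # Any Allow ACE for a broad principal whose rights include Read is what makes
    # the hive readable from a standard (non-administrator) account.
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    if ($ace) {
        [PSCustomObject]@{ Hive = $hive; GrantedTo = ($ace.IdentityReference -join ', ') }
    }
}

# Object-based equivalent of "vssadmin list shadows".
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, VolumeName, InstallDate)

Write-Host "Hive files readable by non-administrators:"
if ($readableByUsers) { $readableByUsers | Format-Table -AutoSize } else { Write-Host "  none" }

Write-Host "VSS shadow copies present: $($shadows.Count)"
$shadows | Format-Table -AutoSize

if ($readableByUsers -and $shadows.Count -gt 0) {
    Write-Warning "Both preconditions hold: hive files are readable by standard users AND shadow copies exist."
} else {
    Write-Host "At least one precondition is absent on this system."
}
```

Because the live hive files are locked by the kernel, the ACL read via Get-Acl is exactly what matters: it is the permission that carries over to the copies inside the snapshots.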
Researcher Benjamin Delpy showed how the vulnerability can be exploited to obtain password hashes and other sensitive data:
Q: What can you do when you have # mimikatz🥝 and some read access to Windows system files like SYSTEM, SAM and SECURITY?
A: Escalation of local permissions 🥳
Thanks @jonasLyk for this read access on standard Windows😘 pic.twitter.com/6Y8kGmdCsp
– 🥝 Benjamin Delpy (@gentilkiwi) July 20, 2021
No patch is currently available. Microsoft representatives did not immediately comment on the report.
What about you, Linux kernel?
Most Linux distributions, meanwhile, are shipping a fix for a vulnerability disclosed on Tuesday. Tracked as CVE-2021-33909, it allows an untrusted user to gain full system privileges by creating, mounting and deleting a deep directory structure with a total path length exceeding 1 GB and then opening and reading the /proc/self/mountinfo file.
"We successfully exploited this uncontrolled out-of-bounds write and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation," wrote researchers from Qualys, the security firm that discovered the flaw and wrote proof-of-concept code exploiting it. "Other Linux distributions are certainly vulnerable and probably exploitable."
The exploit described by Qualys demands substantial resources, notably about 1 million nested directories. The attack also requires approximately 5 GB of memory and 1 million inodes. Despite these hurdles, a Qualys representative described the PoC as "extremely reliable" and said it takes about three minutes to complete.
Here is an overview of the exploit:
1. We mkdir() a deep directory structure (approximately 1 million nested directories) whose total path length exceeds 1 GB, we bind-mount it in an unprivileged user namespace, and we rmdir() it.
2. We create a thread that vmalloc()ates a small eBPF program (via BPF_PROG_LOAD), and we block this thread (via userfaultfd or FUSE) after our eBPF program has been validated by the kernel eBPF verifier but before it is JIT-compiled by the kernel.
3. We open() /proc/self/mountinfo in our unprivileged user namespace and start read()ing the long path of our bind-mounted directory, thereby writing the string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated buffer.
4. We arrange for this "//deleted" string to overwrite an instruction of our validated eBPF program (and therefore nullify the security checks of the kernel eBPF verifier), and we transform this uncontrolled out-of-bounds write into an information disclosure and into a limited but controlled out-of-bounds write.
5. We transform this limited out-of-bounds write into an arbitrary read and write of kernel memory by reusing Manfred Paul's beautiful btf and map_push_elem techniques.
Qualys has a separate description here.
People who run Linux should check with their distribution to see whether patches are available to fix the vulnerability. Windows users should wait for guidance from Microsoft and outside security experts.