The world woke up on Tuesday to two new vulnerabilities, one in Windows and the other in Linux, that allow attackers with a foothold on a vulnerable system to bypass OS security restrictions and gain access to sensitive resources.
As operating systems and applications become harder to hack, successful attacks usually require two or more vulnerabilities. One vulnerability gives the attacker access to low-privileged OS resources, where code can be executed or sensitive data read. A second vulnerability elevates that code execution or file access to OS resources reserved for storing passwords or performing other sensitive operations. The value of so-called local privilege escalation vulnerabilities has consequently risen in recent years.
The Windows vulnerability was discovered by accident on Monday when a researcher observed what he thought was a coding regression in a beta version of the upcoming Windows 1
It made it possible to extract cryptographically protected password data, discover the password used to install Windows, obtain the computer keys of the Windows Data Protection API (which can be used to decrypt private encryption keys) and create an account on the vulnerable computer. The result is that a local user can elevate privileges all the way to SYSTEM, the highest level in Windows.
“I do not know the full extent of the problem yet, but there are too many to not be a problem I think,” said researcher Jonas Lykkegaard. “Just so no one is in doubt about what this means, there are EOP to SYSTEM for even sandboxed apps.”
yarh – for some reason on win11 the SAM file is now READ for users.
So if you have shadow volumes enabled, you can read the sam file as follows:
I do not know the full extent of the problem yet, but there are too many to not be a problem I think. pic.twitter.com/kl8gQ1FjFt
– Jonas L (@jonasLyk) July 19, 2021
People who responded to Lykkegaard pointed out that the behavior was not a regression introduced in Windows 11. Instead, the same vulnerability was present in the latest version of Windows 10. The US Computer Emergency Readiness Team said that the vulnerability is present when Volume Shadow Copy Service, the Windows feature that allows the operating system or applications to take “point-in-time snapshots” of an entire disk without locking the file system, is turned on.
The advisory explained:
If a VSS shadow copy of the system drive is available, a non-privileged user can use access to these files to achieve a variety of impacts, including but not limited to:
- Extract and leverage account password hashes
- Discover the original Windows installation password
- Obtain the DPAPI computer keys, which can be used to decrypt all the computer’s private keys
- Obtain a computer machine account that can be used in a silver ticket attack
Note that VSS shadow copies may not be available in some configurations; however, simply having a system drive larger than 128 GB and then performing a Windows Update or installing an MSI will cause a VSS shadow copy to be created automatically. To check whether a system has VSS shadow copies available, run the following command from a privileged command prompt:
vssadmin list shadows
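The advisory's check only answers one half of the question (does a shadow copy exist); the other half is whether the hive files are actually readable by low-privileged accounts. The following audit script is an added example, not code from the article, CERT or Microsoft. It parses the output of `icacls` and of the `vssadmin list shadows` command quoted above, flags a host as exposed only when both conditions hold, and can be run offline against the constructed sample output embedded below. The config directory path and the sample outputs are assumptions, not captures from a real machine.

```python
"""Audit a Windows host for the CVE-2021-36934 exposure: are SAM/SYSTEM/SECURITY
readable by low-privileged users, and are there VSS shadow copies through which
such a user could read them? The parsers work on captured command output so
they can be exercised offline with the constructed samples at the bottom."""
import re
import subprocess

CONFIG_DIR = r"C:\Windows\System32\config"   # assumption: default %windir% location
HIVES = ("SAM", "SYSTEM", "SECURITY")         # the hive files named in the article
LOW_PRIV = ("BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users")

# icacls rights tokens that imply read access: full, modify, read+execute, read.
READ_TOKENS = {"F", "M", "RX", "R", "GR", "RD"}


def low_priv_read_aces(icacls_output):
    """Return (identity, rights) pairs from `icacls <file>` output that grant read
    access to a low-privileged principal. Deny ACEs are skipped."""
    hits = []
    for who in LOW_PRIV:
        for m in re.finditer(re.escape(who) + r":((?:\([^)]*\))+)", icacls_output):
            tokens = {t for grp in re.findall(r"\(([^)]*)\)", m.group(1))
                      for t in grp.split(",")}
            if "DENY" in tokens:
                continue
            if tokens & READ_TOKENS:
                hits.append((who, m.group(1)))
    return hits


def shadow_copy_volumes(vssadmin_output):
    """Return the shadow copy device paths listed by `vssadmin list shadows`."""
    return re.findall(r"Shadow Copy Volume:\s*(\S+)", vssadmin_output)


def assess(icacls_by_hive, vssadmin_output):
    """Exposure requires a readable hive AND at least one shadow copy to read it from."""
    readable = {h: low_priv_read_aces(o) for h, o in icacls_by_hive.items()}
    readable = {h: aces for h, aces in readable.items() if aces}
    shadows = shadow_copy_volumes(vssadmin_output)
    return {"readable_hives": readable, "shadow_copies": shadows,
            "exposed": bool(readable) and bool(shadows)}


def audit_live_host():
    """Run the real commands (Windows only; vssadmin needs an elevated prompt)."""
    outputs = {}
    for h in HIVES:
        proc = subprocess.run(["icacls", CONFIG_DIR + "\\" + h],
                              capture_output=True, text=True)
        outputs[h] = proc.stdout
    vss = subprocess.run(["vssadmin", "list", "shadows"],
                         capture_output=True, text=True).stdout
    return assess(outputs, vss)


# Constructed sample output (not captured from a real machine). The first sample
# shows the bad state: BUILTIN\Users has read+execute on SAM.
SAMPLE_ICACLS_BAD = r"""C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_ICACLS_GOOD = r"""C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_VSS = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 7/20/2021 9:00:00 AM
      Shadow Copy ID: {00000000-0000-0000-0000-000000000002}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
"""

if __name__ == "__main__":
    print(assess({"SAM": SAMPLE_ICACLS_BAD}, SAMPLE_VSS))
```

A deny ACE such as `BUILTIN\Users:(DENY)(RX)` is deliberately not counted as read access, and a host with readable hives but no shadow copy is reported as not (yet) exposed, which matches the advisory's note that a later update or MSI install can create the missing shadow copy at any time.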
Researcher Benjamin Delpy showed how the vulnerability can be exploited to obtain password hashes and other sensitive data:
Question: What can you do when you have #mimikatz🥝 and some read access on Windows system files such as SYSTEM, SAM and SECURITY?
A: Escalation of local privilege 🥳
Thank you @jonasLyk for this Read access on standard Windows😘 pic.twitter.com/6Y8kGmdCsp
– 🥝 Benjamin Delpy (@gentilkiwi) July 20, 2021
There is currently no update available. A Microsoft representative said company officials are investigating the vulnerability and will take appropriate action as needed. The vulnerability is tracked as CVE-2021-36934. Microsoft rates exploitation as “more likely.”
And you, Linux kernel?
Most versions of Linux are rolling out a fix for a vulnerability that was disclosed on Tuesday. The flaw, tracked as CVE-2021-33909, can allow an untrusted user to gain unlimited system privileges by creating, mounting, and deleting a deep directory structure with a total path length exceeding 1 GB and then opening and reading
“We successfully exploited this uncontrolled out-of-bounds write and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11 and Fedora 34 Workstation,” wrote researchers at Qualys, the security firm that discovered the vulnerability and created proof-of-concept code that exploits it. “Other Linux distributions are absolutely vulnerable and likely to be exploited.”
The exploit Qualys describes comes with significant overhead, notably about 1 million nested directories. The attack also requires about 5 GB of memory and 1 million inodes. Despite these obstacles, a Qualys representative described the PoC as “extremely reliable” and said it takes about three minutes to complete.
Here is an overview of the exploit:
1/ We mkdir() a deep directory structure (approximately 1M nested directories) whose total path length exceeds 1 GB, we bind-mount it in an unprivileged user namespace, and we rmdir() it.
2/ We create a thread that vmalloc()ates a small eBPF program (via BPF_PROG_LOAD), and we block this thread (via userfaultfd or FUSE) after our eBPF program has been validated by the kernel eBPF verifier, but before it is JIT-compiled by the kernel.
3/ We open() /proc/self/mountinfo in our unprivileged user namespace and start read()ing the long path of our bind-mounted directory, thereby writing the string “//deleted” to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated buffer.
4/ We arrange for this “//deleted” string to overwrite an instruction of our validated eBPF program (and therefore nullify the security checks of the kernel eBPF verifier), and we transform this uncontrolled out-of-bounds write into an information disclosure and into a limited but controlled out-of-bounds write.
5/ We transform this limited out-of-bounds write into an arbitrary read and write of kernel memory by reusing Manfred Paul’s beautiful btf and map_push_elem techniques from:
Qualys has published its own writeup.
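Each step of the chain above leans on a kernel feature that administrators can switch off for unprivileged users: user namespaces (step 1), unprivileged eBPF program loading (step 2), and userfaultfd as one of the two ways to block the thread (step 2). The script below is an added example, not Qualys' code or the article's, that reads those sysctl knobs and reports whether the chain is blocked on a host. The knob paths and mitigating values come from general kernel knowledge rather than from the page; `kernel.unprivileged_userns_clone` exists only on Debian/Ubuntu kernels, so the upstream `user.max_user_namespaces` is checked as well, and the `evaluate()` logic is kept separate from file access so it can be tested on constructed values.

```python
"""Check whether a Linux host still exposes the kernel features the exploit
chain described above depends on. read_knobs() reads the live /proc/sys;
evaluate() and chain_blocked() are pure functions over a {path: value} dict."""
from pathlib import Path

# (sysctl file, values that mitigate, the exploit step that needs the feature)
KNOBS = (
    ("/proc/sys/kernel/unprivileged_userns_clone", {"0"},
     "step 1: bind-mount inside an unprivileged user namespace (Debian/Ubuntu knob)"),
    ("/proc/sys/user/max_user_namespaces", {"0"},
     "step 1: unprivileged user namespaces (upstream knob; 0 forbids creation)"),
    ("/proc/sys/kernel/unprivileged_bpf_disabled", {"1", "2"},
     "step 2: loading the eBPF program via BPF_PROG_LOAD without privileges"),
    ("/proc/sys/vm/unprivileged_userfaultfd", {"0"},
     "step 2: blocking the thread with userfaultfd (FUSE is the alternative)"),
)

USERNS_KNOBS = ("/proc/sys/kernel/unprivileged_userns_clone",
                "/proc/sys/user/max_user_namespaces")
BPF_KNOB = "/proc/sys/kernel/unprivileged_bpf_disabled"


def read_knobs(root="/"):
    """Read each knob from the given root; None means the knob is absent on this kernel."""
    values = {}
    for path, _, _ in KNOBS:
        try:
            values[path] = (Path(root) / path.lstrip("/")).read_text().strip()
        except OSError:
            values[path] = None
    return values


def evaluate(values):
    """Map each knob path to 'mitigated', 'exposed' or 'absent'."""
    result = {}
    for path, safe, _ in KNOBS:
        v = values.get(path)
        result[path] = "absent" if v is None else ("mitigated" if v in safe else "exposed")
    return result


def chain_blocked(values):
    """The chain needs unprivileged user namespaces AND unprivileged eBPF.
    Disabling userfaultfd alone is not enough, because step 2 can use FUSE instead,
    so it is reported by evaluate() but does not count as blocking the chain."""
    status = evaluate(values)
    userns_off = any(status[k] == "mitigated" for k in USERNS_KNOBS)
    bpf_off = status[BPF_KNOB] == "mitigated"
    return userns_off or bpf_off


def report(values):
    """Human-readable lines, one per knob, plus the overall verdict."""
    status = evaluate(values)
    lines = [f"{path}: {status[path]} ({why})" for path, _, why in KNOBS]
    lines.append("chain blocked: %s" % chain_blocked(values))
    return lines


if __name__ == "__main__":
    print("\n".join(report(read_knobs())))
```

A value of `2` for `unprivileged_bpf_disabled` is treated as mitigated because it disables unprivileged BPF while still allowing an administrator to re-enable it, whereas `1` is permanent until reboot; both deny step 2 to an unprivileged user.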
People running Linux should check with their distribution to find out whether updates are available to fix the vulnerability. Windows users should seek guidance from Microsoft and outside security experts.