0patch Blog

Wednesday, September 13, 2023

Micropatches Released For Windows Error Reporting Service Elevation of Privilege (CVE-2023-36874)

With July 2023 Windows Updates, Microsoft brought a fix for CVE-2023-36874, a local privilege escalation vulnerability in Windows Error Reporting Service that was found both by Google TAG and CrowdStrike to be exploited in the wild in the previous month.

When security researcher Filip Dragovic released a proof of concept for this issue, we could reproduce it and start working on a patch.

The Vulnerability

In short, the Windows Error Reporting Service has a number of functions exposed via its RPC interface, so a local process can ask it to submit a chosen error report via function SubmitReport. This function impersonates the calling process' user and at some point launches wermgr.exe, one of the WER executables. Normally, wermgr.exe would be launched from C:\Windows\System32\, but since the service is impersonating the caller (i.e., the attacker), the CreateProcess function honors any symbolic links the caller may have in place. The attacker can, for instance, create a symbolic link mapping C:\ to an arbitrary location such as C:\Users\public\test , which will be used by the CreateProcess call. Consequently, the WER service would launch C:\Users\public\test\Windows\System32\wermgr.exe, attacker's executable with the same name - and according to the documented behavior of CreateProcess, the executable would be launched with the token of the service (not the impersonation token). In other words: as Local System.

The Official Patch

Microsoft's fix for this issue was very simple: they effectively disabled the SubmitReport function by immediately returning error "Not implemented" (0x80004001). This means that it is no longer possible to submit an error report via RPC - and perhaps this was never really needed anyway.

Our Micropatch

Our micropatch is logically identical to Microsoft's, and produces the same behavior.

MODULE_PATH "..\AffectedModules\wercplsupport.dll_10.0.17134.1967_Win10-1803_32-bit_u2021-05\wercplsupport.dll"
PATCH_ID 1488
PATCH_FORMAT_VER 2
VULN_ID 7774
PLATFORM win32

patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x82ac
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    PIT wercplsupport.dll!0x82eb
    code_start

        mov eax, 80004001h   ; Error code for "Not Implemented"
        jmp PIT_0x82eb       ; Jump directly to end of function

    code_end
patchlet_end

Let's see our micropatch in action. With 0patch disabled, the POC manages to create a new user "test" on the computer by launching a fake C:\Users\public\test\Windows\System32\wermgr.exe. With 0patch enabled, the POC fails to do that because wermgr.exe is not being launched from function SubmitReport at all.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows 10 v21H1
Windows 10 v20H2
Windows 10 v2004
Windows 10 v1909
Windows 10 v1809
Windows 10 v1803

We were unable to reproduce this issue on Windows 7 and Server 2008 R2, and believe it is not exploitable there.

Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Filip Dragovic for sharing their proof of concept, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

Wednesday, September 6, 2023

Micropatches Released For Windows Search Remote Code Execution (CVE-2023-36884)

Alongside July 2023 Windows Updates, Microsoft revealed the existence of a 0day that was detected in the wild and assigned it CVE-2023-36884. Without issuing a patch, they titled their original advisory "Office and Windows HTML RCE vulnerability" as exploitation was performed using malicious Word documents, and provided workarounds that could block exploitation.

Very little information was publicly available and exploit samples that were referenced by those who claimed to be in the know seemed convoluted, comprising numerous exploits of old known vulnerabilities. The main source of useful information was security researcher Will Dormann who invested a great deal of effort in publicly dissecting many of these samples and reviewing numerous sources to meticulously separate the wheat from the chaff (see his super long Twitter thread).

In absence of sufficient information on the vulnerability itself, we initially decided to issue a patch that implemented one of the most effective workarounds recommended by Microsoft - the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation for all Office executables. This patch - free for everyone as the issue was still an unpatched 0day - enabled said workaround on all 0patch customers' computers so they didn't have to do that manually (or even know about this 0day).

The Official Patch

In August, Microsoft finally provided a patch for CVE-2023-36884, and updated their advisory to reveal that the issue lied in Microsoft Search and that "An attacker can plant a malicious file evading Mark of the Web (MOTW) defenses which can result in code execution on the victim system."

This, combined with Will's analysis of the changed behavior in Windows ZIP file extraction (mostly the latter, really), led us to conclusion that Microsoft's patch for CVE-2023-36884 was focused on randomizing the temporary path where files from a ZIP archive are extracted. Before the August update, a file.txt file opened directly from an archive.zip ZIP file would be extracted to a location like:

C:\Users\username\AppData\Local\Temp\Temp1_archive.zip\file.txt

For a local exploit script running on user's computer this is a predictable location, and if extraction process was terminated by exploit code at the right time, Windows would not put the Mark of the Web (MotW) on the file even if the ZIP file came from the Internet and should not be trusted. The absence of this mark on the extracted file would later result in no security warning when the file was opened. (In the actual exploit, the extracted file would be an executable launched without any warning.)

After the August Windows Update, file extraction was different. The same file would be extracted to this location:

C:\Users\username\AppData\Local\Temp\Temp1710d72f-7438-40d0-be9b-52f7e0651fe9_archive.zip\file.txt

Whereby the added GUID part is random and different each time. This blocks exploitation because the exploit code cannot guess the correct path of the extracted file and can therefore not launch it.

We located Microsoft's patch that introduced this change in zipfldr.dll, inside the CTempFileNameArray::_TryCreatingInPath function.

Our Micropatch

Our micropatch is logically identical to Microsoft's, and produces the same behavior with extracted files.

PATCH_ID 1487
PATCH_FORMAT_VER 2
VULN_ID 7772
PLATFORM win64

patchlet_start
   PATCHLET_ID 1
   PATCHLET_TYPE 2
   PATCHLET_OFFSET 0x18514
   N_ORIGINALBYTES 5
   JUMPOVERBYTES 5
   PIT zipfldr.dll!0x180a0,zipfldr.dll!0x186ad,rpcrt4.dll!UuidCreate,rpcrt4.dll!RpcStringFreeW,rpcrt4.dll!UuidToStringW
   ;zipfldr.dll!0x180a0 __int16 *ConstructString(HINSTANCE, unsigned int, ...)
   ;zipfldr.dll!0x186ad ErrorBlock

   code_start

        sub rsp, 0x50             ;Create shadowspace and 2 variables

        mov [rsp+0x48], rcx     ;Save rcx
        mov [rsp+0x40], rdx       ;Save rdx
        mov [rsp+0x38], r9        ;Save r9


        lea rcx, [rsp+0x28]       ;Move var1 to rcx to receive UUID
        call PIT_UuidCreate       ;Call UuidCreate
        cmp eax, 0                ;Check if call succeeded
        jne ERROR                 ;Jump to error block if result != 0

        lea rdx, [rsp+0x20]       ;Move var2 to rdx to receive pointer to UUID_STRING
        lea rcx, [rsp+0x28]       ;Move var1 with UUID to rdx
        call PIT_UuidToStringW    ;Call UuidToStringW to convert UUID on var1 to UUID_STRING and move it to var2
        cmp eax, 0                ;Check if the call succeeded
        jne ERROR                 ;Jump to error block if result != 0

        mov rcx, [rsp+0x48]       ;Restore rcx
        mov rdx, [rsp+0x40]       ;Restore rdx
        mov r9, [rsp+0x38]        ;Restore r9
        mov r8, [rsp+0x20]        ;Replace r8 with UUID_STRING from var2
        call PIT_0x180a0        ;Call ConstructString that output a full path pointer to rax
        mov qword[rsp+0x38], rax ;save rax for later

        lea rcx, [rsp+0x20]       ;Get the pointer to UUID_STRING from var2 and move it to rcx
        call PIT_RpcStringFreeW   ;Free the UUID_STRING buffer

        mov rax, [rsp+0x38]       ;Restore rax we saved earlier

        jmp END                   ;Continue normal execution

   ERROR:                        ;Error block
        add rsp, 0x50             ;Restore the stack pointer
        jmp PIT_0x186ad           ;Jump to the error block

   END:                        ;Normal execution
        add rsp, 0x50             ;Restore stack pointer

   code_end

patchlet_end

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows 10 v21H1
Windows 10 v20H2
Windows 10 v2004
Windows 10 v1909
Windows 10 v1809
Windows 10 v1803
Windows 7 (without ESU, with ESU year 1, 2 and 3)
Windows Server 2008 R2 (without ESU, with ESU year 1, 2 and 3)

Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

We would like to thank Will Dormann for his extensive analysis of exploit samples, related publications, and Microsoft's patch, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

Tuesday, August 8, 2023

Three More Years of Critical Security Patches for Windows Server 2012 and Windows Server 2012 R2

Can't upgrade your Windows Server 2012 to a newer windows server? No problem.

As an on-premises Windows Server 2012 user, you probably know that Microsoft plans to end its support this October. This means no more Windows updates, including security fixes, and the chilling prospect of your servers becoming progressively vulnerable as new security issues are inevitably going to be discovered.

If you're lucky enough to be an "eligible customer with Software Assurance under an Enterprise Agreement", you will be able to purchase up to 3 years of Extended Security Updates (ESU) from Microsoft for an annual cost equal to "100% of full license price annually".

Those of you who aren't eligible or have other reasons not to purchase ESU, but want to keep using your servers securely - we have good news for you!

Remember Windows Server 2008 R2 going out of support more than three years ago? Well, we security-adopted it and have thousands of customers still running this server securely with our security patches today. Meanwhile, the three-year ESU period for Server 2008 has already ended for on-premises servers, and we committed to continuing our support for at least two more years.

Now we'll do the same for Windows Server 2012 and Windows Server 2012 R2, starting with three years of critical security patches that will last until October 2026. In contrast to Windows Server 2008 where we only security-adopted the R2 version, we're seeing a sufficient interest in non-R2 version of Server 2012 to add it to the list of our security-adopted products.

If you're new to 0patch and our security patches, we have a lot of information in our Help Center but here's a quick overview:

0patch provides critical security patches for vulnerabilities that are likely to be exploited.
Our tiny patches (usually just a few CPU instructions) get applied in memory of running processes; we don't change original executable files.
Patches get applied and un-applied instantly, without restarting the computer.
Apart from critical security patches for vulnerabilities Microsoft will patch on still-supported Windows versions, you will also get our "0day" patches for vulnerabilities that don't yet have official security patches.
0patch Central allows for central management of all 0patch Agents.
0patch costs a fraction of the cost of Extended Security Updates. (Consider Pro plan for a single server, and Enterprise plan for multiple servers with central management.)

To use 0patch on Windows Server 2012 after October 2023, you will need to:

Create a 0patch account if you don't have one yet.
Install the last available, i.e., October 2023, cumulative Windows Update for Windows Server 2012. (This is very important, our patches will be targeting these exact versions of Windows executables.)
Install 0patch Agent on the server and register it to your 0patch account. (See 0patch Agent user manual for instructions on silent deployment and auto-registration in selected group.)
Make sure to have a suitable number of licenses in your 0patch account: each computer with a registered 0patch Agent needs one license.

October is getting close - start testing 0patch in your environment now to iron out the wrinkles without too much rush. To start a free trial, create a free account in 0patch Central, then let us know at sales@0patch.com which email you used for that so we can issue a couple of trial licenses to your account.

Frequently Asked Questions

Q: How long do you plan to provide critical security patches for Windows Server 2012 after October 2023?

A: For at least three more years - until October 2026. Depending on the demand, we'll consider an extension.

Q: How many vulnerabilities have you patched for Windows Server 2008 R2 and Windows 7 since January 2020?

A: Since January 2020 when we "security-adopted" Windows 7 and Windows Server 2008 R2, we have issued patches for 67 critical security issues on these systems that were at high risk of being exploited. Many of them were later actually confirmed to be exploited in the wild and even more of them became part of various exploit kits that even a low-budget attacker could easily use against unpatched systems.

Q: Are your micropatches actual code patches or "virtual patches"?

A: Our patches are actual code patches; we add a couple of CPU instructions to the original (vulnerable) executable code to remove the vulnerability. Such patches cannot be bypassed, which literally any other exploit protection mechanisms - including virtual patches - can be.

Q: Will we be able to continue using Microsoft Edge securely on Windows Server 2012 after October 2023?

A: We have also security-adopted Microsoft Edge in January 2023, so you'll be able to keep using Edge securely even though it won't get updated by Microsoft anymore. We're also still providing security patches for Internet Explorer, which is still effectively part of the operating system.

Q: We'd like to see a demo.

A: Send an email to sales@0patch.com and provide your company name and time zone so we can suggest a couple of dates for the demo.

Q: We'd like to set up a trial.

A: Create a free account in 0patch Central, then let us know at sales@0patch.com which email you used for that so we can issue a couple of trial licenses to your account.

Q: We have more questions about 0patch.

A: Our Help Center has a lot of answers but if you can't find yours there, feel free to contact us at sales@0patch.com.

Friday, July 14, 2023

Micropatches Released For Denial of Service in Microsoft Message Queuing (CVE-2023-28302, CVE-2023-21769)

April 2023 Windows Updates brought fixes for a number of vulnerabilities in Microsoft Message Queuing Service. We first issued patches for the "Queuejumper" remote code execution vulnerability (CVE-2023-21554) as its POC became available. Subsequently, we got access to POCs for two additional issues in Microsoft Message Queuing Service: CVE-2023-21769 and CVE-2023-28302, both being remote denial-of-service issues.

While still-supported Windows systems have already received the official vendor fix for these vulnerabilities, there are Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for these vulnerabilities, which are available through the 0patch service.

Our patches for these issues are similar to Microsoft's. Because the new patch for CVE-2023-28302 is in the same place as our previous patch for CVE-2023-21554, we had to revoke the latter and issue a combined patch for CVE-2023-21554 and CVE-2023-28302. (Which, of course, doesn't require our users to do anything as it all happens automatically.)

Micropatch Availability

These micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows 10 v21H1
Windows 10 v2004
Windows 10 v1909
Windows 10 v1809
Windows 10 v1803
Windows 7 (without ESU, with ESU year 1, and with ESU year 2)
Windows Server 2008 R2 (without ESU, with ESU year 1, and with ESU year 2)

Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

To learn more about 0patch, please visit our Help Center.

Friday, June 30, 2023

Micropatches Released For DHCP Server Service Remote Code Execution (CVE-2023-28231)

April 2023 Windows Updates brought a fix for CVE-2023-28231, a remote code execution vulnerability in DHCP Server service. The vulnerability was reported to Microsoft by security researcher YanZiShuang.

Subsequently, Numen Cyber published a POC and DarkRelay Security Labs published their analysis, both of which allowed us to reproduce the issue and create a micropatch for Windows computers that haven't received an official fix from Microsoft.

The vulnerability only affects Windows servers with DHCP Server installed, and resides in the way DHCP Server processes relay-forwarded messages, whereby a message claiming to have been forwarded by more than 32 intermediate DHCP servers breaks the code's assumptions and causes memory corruption.

While still-supported Windows servers have already received an official vendor fix for this vulnerability, Windows Server 2008 R2 isn't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatch for this vulnerability, which is available through the 0patch service.

Our patch is logically identical to Microsoft's.

Micropatch Availability

The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows Server 2008 R2

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

To learn more about 0patch, please visit our Help Center.

We'd like to thank Numen Cyber for sharing their POC, and DarkRelay Security Labs for sharing their analysis, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.

Micropatches Released For Windows Task Scheduler Elevation of Privilege (CVE-2023-21541)

January 2023 Windows Updates brought a fix for CVE-2023-21541, a local privilege elevation in Task Scheduler. The vulnerability was reported to Microsoft by Ben Lincoln of Bishop Fox.

In April, Ben published a detailed analysis of this issue, which allowed us to reproduce the issue and create a micropatch for Windows computers that haven't received an official fix from Microsoft.

The vulnerability is easy to understand: if a scheduled task contains an environment variable in its executable path, expansion of this variable may result in double quotes around the path being lost, which could then lead to the "unquoted path" vulnerability.

On the other hand, the issue is not so easy to exploit, assuming that the local attacker does not have administrative privileges (why would they need a local privilege elevation vulnerability if they did?). The first condition is that a scheduled task must already exist on the system whose path to the executable contains an environment variable, and the second condition is that the attacker is able to create a malicious executable called program.exe in the root of C: drive. The latter is, by default, only allowed for administrators and system, so the computer would have to be in some custom configuration.

Nevertheless, we decided to patch this, since at least a couple of our users may have both these conditions fulfilled. While still-supported Windows systems have already received the official vendor fix for this vulnerability, there are Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for this vulnerability, which are available through the 0patch service.

Our patch is functionally similar to Microsoft's, but in our case applying the patch doesn't require a restart of the Task Scheduler service (while Microsoft's does).

Micropatch Availability

The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows 10 v2004
Windows 10 v1909
Windows 10 v1809
Windows 10 v1803

Windows 7 and Server 2008 R2 are not affected by this issue.

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

To learn more about 0patch, please visit our Help Center.

We'd like to thank Ben Lincoln of Bishop Fox for sharing their analysis, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.

Wednesday, June 21, 2023

New 0patch Central, New Security Features

Dear 0patch friends,

We're happy to share with you that four new highly asked-for features have been added to 0patch Central:

Multi-factor Authentication

You can now protect your 0patch account with multi-factor authentication (MFA). Use any authenticator app to configure MFA in your user profile and store recovery codes in a safe place in case you lose access to the app. This feature is available in Free, Pro, and Enterprise accounts.

Authentication Options

Select which authentication methods can be used for logging in to 0patch Central; choose between "Email and Password" and "Single sign-on", and specify whether multi-factor authentication ("MFA") is required for all users in the account. Find this feature under Account -> Security in Enterprise accounts.

Password Policy

Set the password policy for users in your account; users will be forced to change their password upon next login if needed. Find this feature under Account -> Security in Enterprise accounts..

IP Address Restrictions

Specify a set of IP addresses or subnets from which your 0patch Central account can be accessed. This setting does not affect 0patch Agents - they can always sync from anywhere. Find this feature under Account -> Security in Enterprise accounts..

Upcoming Security-Adoption of Windows Server 2012

In the spirit of supporting legacy Windows versions and Microsoft products, we're happy to announce an upcoming adoption of Windows Server 2012, which goes out of official support in October 2023. If you're using Windows Server 2012 and would like to keep doing so securely, contact us at sales@0patch.com.

Are your friends or peers operating Windows systems? Do them a favor and tell them about 0patch.

Thank you!

Your 0patch Team