Tuesday, July 23, 2024

Micropatches Released for Windows MSHTML Platform Spoofing (CVE-2024-38112)

 


July 2024 Windows Updates brought a patch for CVE-2024-38112, a vulnerability in Windows that allows an attacker to create a Windows Internet Shortcut file (extension .url) that will look exactly like a PDF document, while clicking on it opens attacker's web page in Internet Explorer. The problem there is that Internet Explorer, which is still present on Windows computers and integrated into many applications, is easier to exploit as it has no real sandbox.

This issue was reported to Microsoft by Haifei Li with Check Point Research, whose researchers noticed it being used by threat actors. Haifei later wrote an article detailing the vulnerability, demonstrating how a malicious executable could be executed using this trick. In addition, exploitation of the same issue was also detected in the wild by Trend Micro; they, too, reported it to Microsoft.

Microsoft patched this by deleting a small piece of code from ieframe.dll which allowed for Internet Explorer to be launched via a URL file.

Unsupported Windows versions that we have security-adopted were also affected by this issue, so we created a micropatch for them. Our micropatch is logically equivalent to Microsoft's, containing a single JMP instruction to jump over the code that Microsoft removed on supported Windows versions.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated with no ESU, ESU 1/2/3
  10. Windows Server 2008 R2 - fully updated with no ESU, ESU 1/2/3/4
 
Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central with a free monthly trial, then install and register 0patch Agent (link in 0patch Central). Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Haifei Li with Check Point Research for sharing their analysis and POC, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

 

Thursday, June 27, 2024

Long Live Windows 10... With 0patch

End of Windows 10 Support Looming? Don't Worry, 0patch Will Keep You Secure For Years To Come!


 

October 2025 will be a bad month for many Windows users. That's when Windows 10 will receive their last free security update from Microsoft, and the only "free" way to keep Windows using securely will be to upgrade to Windows 11.

Now, many of us don't want to, or simply can't, upgrade to Windows 11.

We don't want to because we got used to Windows 10 user interface and we have no desire to search where some button has been moved to and why the app that we were using every day is no longer there, while the system we have is already doing everything we need.

We don't want to because of increasing enshittification including bloatware, Start Menu ads, and serious privacy issues. We don't want to have an automated integrated screenshot- and key-logging feature constantly recording our activity on the computer.

We may have applications that don't work on Windows 11.

We may have medical devices, manufacturing devices, POS terminals, special-purpose devices, ATMs that run on Windows 10 and can't be easily upgraded.

And finally, our hardware may not even qualify for an upgrade to Windows 11: Canalys estimates that 240 million computers worldwide are incompatible with Windows 11 hardware requirements, lacking Trusted Platform Module (TPM) 2.0, supported CPU, 4GB RAM, UEFI firmware with Secure Boot capability, or supported GPU.

 

What's going to happen in October 2025?

Nothing spectacular, really. Windows 10 computers will receive their last free updates and will, without some additional activity, start a slow decline into an increasingly vulnerable state as new vulnerabilities are discovered, published and exploited that remain indefinitely present on these computers. The risk of compromise will slowly grow in time, and the amount of luck required to remain unharmed will grow accordingly.

The same thing happened to Windows 7 in January 2020; today, a Windows 7 machine last updated in 2020 with no additional security patches would be really easy to compromise, as over 70 publicly known critical vulnerabilities affecting Windows 7 have been discovered since.

Leaving a Windows 10 computer unpatched after October 2025 will likely open it up to the first critical vulnerability within the first month, and to more and more in the following months. If you plan to do this, at least make sure to make the computer hard to access physically and via network.

For everyone else, there are two options to keep Windows 10 running securely.


Option 1: Extended Security Updates

If you qualify, Microsoft will happily sell you Extended Security Updates (ESU) , which means another year, two or even three of security fixes for Windows 10 - just like they have done before with Windows 7, Server 2008 and Server 2012.

At this moment, pricing for ESU is only known for commercial and educational organizations, while consumer pricing will be revealed at a later time. Educational organizations will have it cheap - just $7 for three years -, while commercial organizations are looking at spending some serious money: $61 for the first year, $122 for the second year and $244 for the third year of security updates, totaling in $427 for every Windows 10 computer in three years.

Opting for Extended Security Updates will keep you on the familiar monthly "update + reboot" cycle and it will only cost you $4 million if you have 10k computers in your network.

If only there was a way to get more for less...


Option 2: 0patch

With October 2025, 0patch will "security-adopt" Windows 10 v22H2, and provide critical security patches for it for at least 5 more years - even longer if there's demand on the market.

We're the only provider of unofficial security patches for Windows ("virtual patches" are not really patches), and we have done this many times before: after security-adopting Windows 7 and Windows Server 2008 in January 2020, we took care of 6 versions of Windows 10 as their official support ended, security-adopted Windows 11 v21H2 to keep users who got stuck there secure, took care of Windows Server 2012 in October 2023 and adopted two popular Office versions - 2010 and 2013 - when they got abandoned by Microsoft. We're still providing security patches for all of these.

With 0patch, you will be receiving security "micropatches" for critical, likely-to-be-exploited vulnerabilities that get discovered after October 14, 2025. These patches will be really small, typically just a couple of CPU instructions (hence the name), and will get applied to running processes in memory without modifying a single byte of original Microsoft's binary files. (See how 0patch works.)

There will be no rebooting the computer after a patch is downloaded, because applying the patch in memory can be done by briefly stopping the application, patching it, and then letting it continue. Users won't even notice that their computer was patched while they were writing a document, just like servers with 0patch get patched without any downtime at all.

Just as easily and quickly, our micropatches can be un-applied if they're suspected of causing problems. Again, no rebooting or application re-launching.

 

0patch also brings "0day", "Wontfix" and non-Microsoft security patches

But with 0patch, you won't only get patches for known vulnerabilities that are getting patched on still-supported Windows versions. You will also get:

  1. "0day" patches - patches for vulnerabilities that have become known, and are possibly already exploited, but for which no official vendor patches are available yet. We've fixed many such 0days in the past, for example "Follina" (13 days before Microsoft), "DogWalk" (63 days before Microsoft), Microsoft Access Forced Authentication (66 days before Microsoft) and "EventLogCrasher" (100+ days before Microsoft). On average, our 0day patches become available 49 days before official vendor patches for the same vulnerability do.

  2. "Wontfix" patches - patches for vulnerabilities that the vendor has decided not to fix for some reason. The majority of these patches currently fall into the "NTLM coerced authentication" category: NTLM protocol is more prone to abuse than Kerberos and Microsoft has decided that any security issues related to NTLM should be fixed by organizations abandoning their use of NTLM. Microsoft therefore doesn't patch these types of vulnerabilities, but many Windows networks can't just give up on NTLM for various reasons, and our "Wontfix" patches are there to prevent known attacks in this category. At this time, our "Wontfix" patches are available for the following known NTLM coerced authentication vulnerabilities: DFSCoerce, PrinterBug/SpoolSample and PetitPotam.

  3. Non-Microsoft patches - while most of our patches are for Microsoft's code, occasionally a vulnerability in a non-Microsoft product also needs to be patched when some vulnerable version is widely used, or the vendor doesn't produce a patch in a timely manner. Patched products include Java runtime, Adobe Reader, Foxit Reader, 7-Zip, WinRAR, Zoom for Windows, Dropbox app, and NitroPDF.

While you're probably reading this article because you're interested in keeping Windows 10 secure, you should know that the above patches are also available for supported Windows versions such as Windows 11 and Windows Server 2022, and we keep updating them as needed. Currently, about 40% of our customers are using 0patch on supported Windows versions as an additional layer of defense or for preventing known NTLM attacks that Microsoft doesn't have patches for.

How about the cost? Our Windows 10 patches will be included in two paid plans:

  1. 0patch PRO: suitable for small businesses and individuals, management on the computer only, single administrator account - currently priced at 24.95 EUR + tax per computer for a yearly subscription.
  2. 0patch Enterprise: suitable for medium and large organizations, includes central management, multiple users and roles, computer groups and group-based patching policies, single sign-on etc. - currently priced at 34.95 EUR + tax per computer for a yearly subscription.

The prices may get adjusted in the future but if/when that happens anyone having an active subscription on current prices will be able to keep these prices on existing subscriptions for two more years. (Another reason to subscribe sooner rather than later.)


How to Prepare for October 2025

 

Organizations

Organizations need time to asses, test, purchase and deploy a new technology so it's best to get started as soon as possible. We recommend the following approach:

  1. Read our Help Center articles to familiarize yourself with 0patch.
  2. Create a free 0patch account at https://central.0patch.com.
  3. Ask for a free Enterprise trial by emailing sales@0patch.com. (Trials will soon be available directly from 0patch Central.)
  4. Install 0patch Agent on some testing computers, ideally with other typical software you're using, especially security software.
  5. Familiarize yourself with 0patch Central.
  6. See how 0patch works with your apps, report any issues to support@0patch.com.
  7. Deploy 0patch Agent on all Windows 10 machines.
  8. Purchase licenses.
  9. In October 2025, apply the last Windows Updates.
  10. Let 0patch take over Windows 10 patching.

 

Home Users and Small Businesses

Home users and small businesses who want to keep using Windows 10 but don't need enterprise features like central management, patching policies and users with different roles, should do the following:

  1. Read our Help Center articles to familiarize yourself with 0patch.
  2. Create a free 0patch account at https://central.0patch.com.
  3. Ask for a free PRO trial by emailing sales@0patch.com. (Trials will soon be available directly from 0patch Central.)
  4. Install 0patch Agent on your computer(s).
  5. See how 0patch works with your apps, report any issues to support@0patch.com.
  6. Purchase licenses.
  7. In October 2025, apply the last Windows Updates.
  8. Let 0patch take over Windows 10 patching.

 

Distributors, Resellers, Managed Service Providers

We have a large and growing network of partners providing 0patch to their customers. To join, send an email to sales@0patch.com and tell us whether you're a distributor, reseller or MSP, and we'll have you set up in no time.

We recommend you find out which of your customers may be affected by Windows 10 end-of-support, and let them know about 0patch so they have time to assess it.


Suppliers of Refurbished Windows 10 Computers

A lot of used PCs get refurbished and find a new owner for a more affordable price compared to a new PC. Both suppliers and buyers of such refurbished PCs can count on 0patch to provide critical security patches for Windows 10 v22H2 for at least 5 years after October 2025.

Suppliers of refurbished Windows 10 PCs should make sure to install Windows 10 v22H2 and set up automatic Windows Updates such that updates will be installed as long as they are available. They should also let the buyers know about 0patch and provide them with the following instructions:

  1. Create a free 0patch account at https://central.0patch.com.
  2. Install 0patch Agent on your computer(s) and keep using 0patch FREE.
  3. See how 0patch works with your apps, report any issues to support@0patch.com.
  4. In October 2025, apply the last Windows Updates.
  5. Purchase a 0patch license.
  6. Let 0patch take over Windows 10 patching.


Frequently Asked Questions

Q: How long do you plan to provide security patches for Windows 10 after October 2025?

A: We initially plan to provide security patches for 5 years, but will extend that period if there is sufficient demand. (We're now in year 5 of Windows 7 support and will extend it further.)


Q: How much will it cost to use 0patch on Windows 10?

A: Our current yearly price for 0patch PRO is 24.95 EUR + tax per computer, and for 0patch Enterprise 34.95 EUR + tax per computer. Active subscriptions will keep these prices for two more years in case of pricing changes.


Q: What is the difference between 0patch PRO and 0patch Enterprise?

A:  While both plans include all security patches, 0patch Enterprise also includes central management via 0patch Central, multiple users and roles, computer groups and group-based patching policies, single sign-on and various other enterprise functions.


Q: What is 0patch FREE?

A: 0patch FREE is a free 0patch plan that only includes "0day patches", i.e., patches for vulnerabilities that don't have an official vendor fix available (yet). 0patch FREE does not include security patches needed for keeping Windows 10 secure after October 2025. Please see this article for more information on restrictions regarding 0patch FREE.


Q: Does 0patch also provide general technical support for Windows 10?

A: No. We only provide security patches and support related to using this service.


Q: Where can I learn more about 0patch?

A: Our Help Center has many answers for you.

Monday, June 24, 2024

Micropatches For Microsoft Outlook Remote Code Execution Vulnerability (CVE-2024-21378)

 

In February 2024, Microsoft released a patch for CVE-2024-21378, a vulnerability in Microsoft Outlook that allowed an attacker to execute arbitrary code on user's computer when the user opened a malicious email. The vulnerability was reported by Nick Landers with NetSPI.

A month later, NetSPI published an analysis that detailed this vulnerability and provided a proof-of-concept to demonstrate how an attacker could exploit an Exchange server to achieve arbitrary code execution.

 

The Vulnerability

The vulnerability affects Outlook custom forms. These forms provide advanced users with a way to modify existing form templates (email, appointment, note, etc.) or create new ones from scratch.

Long story short, a malicious Outlook form could be installed on an Exchange server and automatically downloaded to user's Outlook by a carefully crafted email message. Upon downloading, the malicious form would register a DLL downloaded with the form as an in-process server to achieve its automatic execution. While Outlook developers were apparently aware of this trick and implemented a security check to prevent Outlook forms from creating a new relative InprocServer32 registry path, NetSPI researchers were able to bypass it by providing an absolute path instead.

NetSPI also added support for this vulnerability to SensePost's tool Ruler. If the attacker was able to capture user's Device Code authentication token, they could remotely authenticate to an Exchange server and upload their custom form with executable/DLL. Outlook automatically syncs with the Exchange server, and all the attacker would need to do to trigger the exploit was to send the user an mail with the malicious form. When the user opened such email, the vulnerability would get triggered and attacker's code started executing in user's Outlook.exe process.

 

Microsoft's Patch

Microsoft patched this issue by removing the branch of code that parses and processes absolute registry paths, so it's no longer possible to bypass the deny-list that blocks InprocServer32 and other similar keywords.

 

Our Patch

While Microsoft provided an official patch for supported Office versions, many users are still running Office 2010 and 2013, which we had security-adopted. We confirmed that this issue also affect both these Office versions, and therefore created a patch for them.

Our patch is in logically identical to Microsoft's, bypassing the vulnerable code using a single JMP instruction.

The following video demonstrates our patch with Outlook 2013. Initially, 0patch is disabled and attacker's malicious email is already waiting in user's inbox to be opened. As soon as the user clicks on the email, attacker's code gets executed. In contrast, with 0patch enabled, opening the malicious email results in an error message, and attacker's code does not get executed.

 


 

Micropatch Availability

Micropatches were written for the following versions of Microsoft Office with all available updates installed:

  1. Office 2010 (PRO or Enterprise license required)
  2. Office 2013 (PRO or Enterprise license required)
 
 
Micropatches have already been distributed to, and applied on all computers with registered and licensed 0patch Agents, unless Enterprise group settings prevent that. 

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Nick Landers and Rich Wolferd with NetSPI for sharing details and proof-of-concept, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

 

Thursday, May 30, 2024

Micropatch Released for Windows Authentication Elevation of Privilege Vulnerability (CVE-2023-36047)



We have just released a micropatch for CVE-2023-36047, a local privilege escalation vulnerability found by Filip Dragović in the way Windows handle files when a user changes their account picture. Filip discovered that on Windows 11, when you change your account picture, this picture is copied to a destination folder by a privileged process (the "User Manager" service). Since this folder is under user's control, they can set up symbolic links to "redirect" the copying to an arbitrary location. This allowed a local unprivileged attacker to copy a malicious DLL to a folder like C:\Windows\System32, where they would normally not be able to create files.

Adding a malicious DLL file to a system folder can lead to execution of attacker's code with the identity of Local System.

Filip published a POC for this issue, which allowed us to create a micropatch.  

 

Our Micropatch

We patched this issue in the same way Microsoft did, by impersonating the calling user instead of allowing to execute the copy operation as Local System. Note that Microsoft's fix is somewhat broken  as changing one's profile picture now results in an error being displayed to the user. Our patch reproduces this behavior as well.

Let's see our patch in action.

With 0patch disabled, running Filip's POC and changing account picture to a new image (which is actually a DLL file) results in such DLL being created in C:\Windows.

With 0patch enabled, however, doing the same results in an "Account picture error" (which also happens on patched Windows 11) and no DLL created in C:\Windows.



Micropatch Availability

Micropatch was only written for Windows 11 v21H2 with all available Windows Updates installed. Even though Microsoft's advisory lists many Windows versions as affected, including some that we have security-adopted, we were unable to reproduce this on these versions. Namely, the entire process of changing the account picture works differently there, and even on Windows 11 v21H2 it works differently than on newer Windows 11 versions. The latter is also the reason why CVE-2024-21447, another vulnerability discovered by Filip in the same code, does not affect Windows 11 v21H2.

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Filip Dragović for sharing their analysis and POC, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

 

Thursday, April 25, 2024

Micropatches Released for Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2023-35628)

 

December 2023 Windows Updates brought a patch for CVE-2023-35628, a memory corruption vulnerability that could potentially lead to remote code execution when an application on user's computer tried to access a URL provided by an attacker.

Security researcher  Ben Barnea of Akamai, who found this vulnerability and reported it to Microsoft, wrote a detailed article and published a simple and effective POC. These allowed us to reproduce the issue and create a micropatch for affected legacy Windows systems, which are no longer receiving security updates from Microsoft. 


The Vulnerability

The vulnerability resides inside the CrackUrlFile function in iertutil.dll. In July 2023, Microsoft added some code to this function that introduced the vulnerability, whereby a heap free operation is made on an invalid pointer when the provided URL is properly formatted as described in Ben's article.

CrackUrlFile is a fairly generic function and can be used by various processes and applications. Ben demonstrated the vulnerability with a simple .lnk file, which immediately crashes Windows Explorer when the directory with such file is displayed to the user. His article also mentions a possibility of triggering the vulnerability through an email message shown in Outlook, and Microsoft's advisory adds an Instant Messenger message as a possible attack vector.


Our Micropatch

We patched this issue in the same way Microsoft did, by replacing the flawed code that changed the pointer to the URL with corrected code that doesn't.

Let's see our patch in action. The video below first shows an empty Windows Event Log and a malicious .lnk file in the Downloads folder pointing to file://./UNC/C:/Akamai.com/file.wav. (Note that displaying this .lnk file does not crash Windows Explorer because 0patch is enabled and the vulnerability already patched by it.)

Then, 0patch is disabled, which un-applies all 0patch micropatches from running processes, including the micropatch for CVE-2023-35628 from explorer.exe process. Opening the Downloads folder leads to immediate crashing of explorer.exe without any other user interaction as the process tries to determine an icon for the .lnk file, leading to the "malicious" URL being processed by vulnerable CrackUrlFile function.

Finally, 0patch is re-enabled, and the malicious .lnk file is unable to crash Windows Explorer because the vulnerability was removed from the process.



Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H2 - fully updated
  2. Windows Server 2012 R2 - fully updated with no ESU
 
Our patches only cover Windows 11 21H2 and Windows Server 2012 R2, as other systems either received official patches in December 2023 or don't even have the vulnerability that was only introduced in July of 2023. Even though Microsoft also listed Windows Server 2012 as affected, we couldn't reproduce the issue on this system, and could find no traces of vulnerable code there either.
 
Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank  Ben Barnea of Akamai for sharing their analysis and POC, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

 

Wednesday, April 24, 2024

Micropatches Released for Windows Workstation and Server Service Elevation of Privilege Vulnerability (CVE-2022-38034, CVE-2022-38045, No CVE)

 

 

October 2022 Windows Update brought fixes for two interesting vulnerabilities, CVE-2022-38034 and CVE-2022-38045. They allowed a remote attacker to access various "local-only" RPC functions in Windows Workstation and Windows Server services respectively, bypassing these services' RPC security callbacks. These vulnerabilities were found by Ben Barnea and Stiv Kupchik of Akamai who published a detailed article and provided a proof-of-concept tool.

We missed this publication back in 2022 (probably being busy patching some other vulnerabilities), but once we found it we confirmed that some of the legacy Windows versions that we had security-adopted were affected and decided to provide patches for them.

 

The Vulnerability

The vulnerability stems from the fact that older Windows systems, but also current Windows systems with less than 3.5GB of RAM, pack two or more services into the same svchost.exe process. Apparently this can be a problem; in our case, it enables both Workstation and Server Service - which normally don't accept authentication requests - to accept authentication requests when bundled up with another service that does. When that happens, the previously (remotely) inaccessible functions from these services become remotely accessible because successful authentication gets cached and is subsequently looked up without additional security checks.

Microsoft's Patch

Microsoft's patch effectively disabled said caching for both services. Patched versions of wkssvc.dll and srvsvc.dll contain updated flags that are passed to the RpcServerRegisterIfEx function when these service are initialized. The flags that were previously 0x11 (RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH | RPC_IF_AUTOLISTEN) have been replaced with 0x91 (RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH | RPC_IF_AUTOLISTEN | RPC_IF_SEC_CACHE_PER_PROC).


Our Micropatch

We could patch these vulnerabilities in wkssvc.dll and srvsvc.dll in exactly the same way Microsoft did, but that would require users to restart Workstation and Server services for the modified flags to kick in. (Remember that Windows updates make you restart the computer anyway, but we have higher standards than that and want our patches to come in effect without a restart.)

Therefore, we decided to place our patches in rpcrt4.dll, which gets loaded in all RPC server processes and manages the cache and security callbacks for every Windows RPC interface. Our patch sits in the RPC_INTERFACE::DoSyncSecurityCallback function that processes the cached values and decides whether to call the security callback or use the cached result. It first checks if it's running in the Workstation or Server Service process, and if so, simply forces the security callback.

Here's the source code of our micropatch.



;XX-1699
MODULE_PATH "..\AffectedModules\rpcrt4.dll_10.0.19041.1288_Win10-2004_64-bit_u2021-12\rpcrt4.dll"
PATCH_ID 1736
PATCH_FORMAT_VER 2
VULN_ID 7814
PLATFORM win64
       
patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x96ae2
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    PIT rpcrt4.dll!0x4e0b4,kernel32.dll!GetModuleHandleW
           
    code_start
        
        call MODNAME1
        db __utf16__('wkssvc.dll'),0,0  ;load "wkssvc.dll" string
    MODNAME1:
        pop rcx                         ;pop the string into the first arg
        sub rsp, 0x20                   ;create the shadowspace
        call PIT_GetModuleHandleW       ;call GetModuleHandleW to check if wkssvc.dll is
                                        ;loaded in the current process
        add rsp, 0x20                   ;delete the shadowspace
        cmp rax, 0x0                    ;check if the call succeeded   
        jne PIT_0x4e0b4                 ;if success, we are in the Workstation Service process,
                                        ;so we block security callback caching by simulating
                                        ;the caching flag being disabled    
        call MODNAME2
        db __utf16__('srvsvc.dll'),0,0  ;load "srvsvc.dll" string
    MODNAME2:
        pop rcx                         ;pop the string into the first arg
        sub rsp, 0x20                   ;create the shadowspace
        call PIT_GetModuleHandleW       ;call GetModuleHandleW to check if 
srvsvc.dll is
                                        ;loaded in the current process
        add rsp, 0x20                   ;delete the shadowspace
        cmp rax, 0x0                    ;check if the call succeeded   
        jne PIT_0x4e0b4                 ;if success, we are in the Server Service process,
                                        ;so we block security callback caching by simulating
                                        ;the caching flag being disabled
    
    code_end
patchlet_end


 

While working on this patch we noticed that the Workstation Service security callback behaved differently on different Windows versions. On Windows 10 and later, the security callback blocks functions with numbers ("opnums") between 8 and 11 from being executed remotely, which is exactly what CVE-2022-38034 bypasses. However, on older Windows versions like Windows 7 up to ESU 2 (2nd year of Extended Security Updates), these functions are not blocked from remote access at all. For our CVE-2022-38034 patch to even make sense on these older versions of Windows, we therefore first needed to add the missing security callback checks to wkssvc.dll.

We were curious about the origin of these security checks and did some digging across different wkssvc.dll versions. We found they were added to the Workstation Service some time before April 2021 on Windows 10, and sometime after January 2022 on Windows 7, but we were unable to find any CVE references associated with them. Our best guess is that they were added silently, first on Windows 10 and almost a year later also on Windows 7.

Our patch for this CVE-less vulnerability behaves the same as Microsoft's. First, we get the caller's binding data,  then we check the opnum of the called function and determine whether the user is local or not. If the called opnum is between 8 and 11 and the caller is not local, we fail the call with "access denied" error. 


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 10 v2004 - fully updated
  2. Windows 10 v1909 - fully updated
  3. Windows 10 v1809 - fully updated
  4. Windows 10 v1803 - fully updated
  5. Windows 7 - fully updated with no ESU, ESU 1 or ESU 2
  6. Windows Server 2008 R2 - fully updated with no ESU, ESU 1 or ESU 2
     
      
    Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

    Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

    If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

    We would like to thank Ben Barnea and Stiv Kupchik of Akamai for sharing their analysis and proof-of-concept, which made it possible for us to create micropatches for these issues.

    To learn more about 0patch, please visit our Help Center.

     

    Thursday, April 4, 2024

    Micropatches for Windows Local Session Manager Elevation of Privilege (CVE-2023-21771)

     


    In December of 2022, Ben Barnea of Akamai posted an X thread about a bug they had found in Windows Local Service Manager (LSM) that can lead to local privilege escalation from regular user account to Local System. Ben discovered that code in LSM was missing a return value check after a call is made to RpcImpersonateClient to impersonate the caller: a failed impersonation attempt would therefore keep the code running as Local System.

    After trying out several ideas to make the RpcImpersonateClient function fail, Ben succeeded with an interesting race condition trick, changing the caller's token after the call has been accepted by LSM, but before the impersonation is attempted.

    Microsoft assigned this issue CVE-2023-21771, and issued a fix for it with January 2023 Windows Updates. 

    Ben's X thread and proof of concept allowed us to reproduce the issue and create a micropatch for users of legacy Windows systems, which are no longer receiving security updates from Microsoft. 


    Microsoft's Patch

    Microsoft patched this issue by adding a check for the return value of RpcImpersonateClient call, and skipping the processing if the call fails.


    Our Micropatch

    Our patch is logically identical to Microsoft's:



    ;XX-1665
    MODULE_PATH "..\AffectedModules\lsm.dll_10.0.19041.1266_Win10-2004_64-bit_u2021-12\lsm.dll"
    PATCH_ID 1725
    PATCH_FORMAT_VER 2
    VULN_ID 7813
    PLATFORM win64
           
    patchlet_start
        PATCHLET_ID 1
        PATCHLET_TYPE 2
        PATCHLET_OFFSET 0x58a63
        N_ORIGINALBYTES 5
        JUMPOVERBYTES 0
        PIT lsm.dll!0x58a7a
        
        code_start
            
            cmp rax, 0x0        ;check if RpcImpersonateClient returned 0 for success
            jne PIT_0x58a7a     ;if not, jump to the error block
           
        code_end
    patchlet_end

     

    Micropatch Availability

    Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

    1. Windows 10 v21H1 - fully updated
    2. Windows 10 v2004 - fully updated
     
    Older Windows 10 versions, Windows 7 and Server 2008 R2 were not affected by this issue. Newer Windows 10 versions received an official patch from Microsoft.
      
    Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

    Vulnerabilities like this get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

    If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

    We would like to thank  Ben Barnea of Akamai for sharing their analysis, which made it possible for us to create a micropatch for this issue.

    To learn more about 0patch, please visit our Help Center.