Wednesday, May 27, 2020

Micropatch Available for User-Mode Power Service Memory Corruption (CVE-2020-1015)




by Mitja Kolsek, the 0patch Team


Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-1015, a memory corruption vulnerability in User-Mode Power Service that could allow a local attacker to execute arbitrary code as Local System.

This vulnerability was patched by Microsoft with April 2020 Updates, but Windows 7 and Server 2008 R2 users without Extended Security Updates remained vulnerable.

Security researcher 0xeb_bp analyzed the official patch, wrote an in-depth analysis, determined the root cause of the vulnerability, and published a tool that crashes the Power Service.
The vulnerability provides a "race condition" in requests for a legacy RPC function because the code processing these requests was not properly enclosed in critical sections. Multiple concurrent requests can corrupt memory and result in arbitrary code execution in the service.
Microsoft's patch effectively enclosed most of the legacy RPC function (UmpoRpcLegacyEventRegisterNotication) into a critical section. Our micropatch does logically the same with two patchlets, 5 instructions in each.


MODULE_PATH "..\Affected_Modules\umpo.dll_6.1.7601.24525_64bit\umpo.dll"
PATCH_ID 438
PATCH_FORMAT_VER 2
VULN_ID 6152
PLATFORM win64

patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x1a7c
N_ORIGINALBYTES 5
PIT kernel32.dll!EnterCriticalSection,kernel32.dll!GetModuleHandleA
; The critical section object is stored at umpo.dll+0x25aa0

code_start

    call STRING1
    db 'umpo.dll',0
STRING1:
    pop rcx ; rcx points to 'umpo.dll' string
    call PIT_GetModuleHandleA
    lea rcx, [rax + 0x25aa0]
    call PIT_EnterCriticalSection
  
code_end
patchlet_end

patchlet_start
PATCHLET_ID 2
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x1b33
N_ORIGINALBYTES 5
PIT kernel32.dll!LeaveCriticalSection,kernel32.dll!GetModuleHandleA
; The critical section object is stored at umpo.dll+0x25aa0

code_start

    call STRING2
    db 'umpo.dll',0
STRING2:
    pop rcx ; rcx points to 'umpo.dll' string
    call PIT_GetModuleHandleA
    lea rcx, [rax + 0x25aa0]
    call PIT_LeaveCriticalSection
  
code_end
patchlet_end


We'd like to thank @0xeb_bp for an excellent analysis and POC for this issue, which allowed us to create a micropatch for Windows users without security updates.
This micropatch is immediately available to all 0patch users with a PRO license. To obtain the micropatch and have it applied on your computer(s) along with other micropatches included with a PRO license, create an account at 0patch Central, install 0patch Agent and register it to your account. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch. 
To learn more about 0patch, please visit our Help Center.
  
 









Wednesday, May 20, 2020

Micropatching PrintDemon Vulnerability (CVE-2020-1048)


by Mitja Kolsek, the 0patch Team


Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-1048, a privilege elevation vulnerability allowing a local non-admin attacker to create an arbitrary file in an arbitrary location.

This vulnerability was patched by Microsoft with May 2020 Updates, but Windows 7 and Server 2008 R2 users without Extended Security Updates remained vulnerable.

Last week, security researchers Yarden Shafir and Alex Ionescu published a detailed analysis of the vulnerability they dubbed "PrintDemon", including a proof-of-concept for Windows 8 and later Windows versions.

PrintDemon allows a low-privileged user to create a printer port pointing to a file, and then print to that port. If the user has insufficient permissions for writing to said file, Print Spooler service will do that as Local System upon computer restart.

Microsoft's patch added a couple of checks in the code for creating a printer port:
  1. custom port (one without '/' or '\') is allowed,
  2. named pipe port and file port is allowed if user has read/write permissions on it. 

Our micropatch does logically the same:



Here's a video of our micropatch in action:






Thanks to Yarden Shafir and Alex Ionescu for an excellent writeup and POC for this issue, which allowed us to create a micropatch for Windows users without security updates.