by Mitja Kolsek, the 0patch Team
Windows 7 and Server 2008 R2 users without Extended Security Updates
have just received a micropatch for CVE-2020-1113, a Windows Task Scheduler Security Feature Bypass.
This vulnerability was patched by Microsoft with May 2020 Updates, but
Windows 7 and Server 2008 users without Extended Security Updates
remained vulnerable.
Security researcher Sylvain Heiniger (@sploutchy) of @compasssecurity analyzed this vulnerability and subsequently published a POC, from which we could reproduce the issue and create a micropatch.
The vulnerability lies in Task Scheduler accepting RPC requests that can
be relayed. An attacker can piggyback on such requests by having some
logged-on user send an SMB request to their computer, and then act as
man-in-the-middle.
Microsoft's patch makes sure the authentication level of the RPC request
received by Task Scheduler is RPC_C_AUTHN_LEVEL_PKT_PRIVACY, which
prevents such piggybacking. Our micropatch does effectively the same,
with just six CPU instructions on 32-bit Windows, and two CPU instructions on 64-bit Windows:
MODULE_PATH "..\Affected_Modules\schedsvc.dll_6.1.7601.24470_64bit\schedsvc.dll"
PATCH_ID 459
PATCH_FORMAT_VER 2
VULN_ID 6220
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x37a1
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
PIT schedsvc.dll!0x3b449
code_start
;This patch is inserted right after the RpcServerInqCallAttributesW call.
;The call fills the RPC_CALL_ATTRIBUTES_V2_W structure with data, and at
; address rsp+78h we can find
;the RPC_CALL_ATTRIBUTES_V2_W.AuthenticationLevel value, which describes
;the level of RPC authentication
;used. The range of this variable is form 0x0 to 0x6, where 0x6 is
;authentication with integrity (signature)
cmp dword[rsp+78h], 6 ;Check if the RPC_CALL_ATTRIBUTES_V2_W.AuthenticationLevel
; value is equal to 6
jb PIT_0x3b449 ;If the value is less than 6, jump to the
;"access denied error" block
code_end
patchlet_end
And a video of the micropatch in action:
We'd like to thank Sylvain Heiniger (@sploutchy)
for sharing their analysis and POC, which allowed us to create this
micropatch for Windows users without official security updates. We also
encourage security researchers to privately share their analyses with us
for micropatching.
This
micropatch is immediately available to all 0patch users with a PRO
license, and is targeted at Windows 7 and Windows Server 2008 R2 users
without Extended Security Updates. To obtain the micropatch and have it
applied on your
computer(s) along with other micropatches included with a PRO license,
create an account in 0patch Central, install 0patch Agent and register it to your account. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.
To learn more about 0patch, please visit our Help Center.
No comments:
Post a Comment