by Mitja Kolsek, the 0patch Team
August 2022 Windows Updates brought a fix for a local privilege escalation in Windows Kerberos, discovered by Nick Landers (@monoxgas) of NetSPI. Nick and James Forshaw (@tiraniddo) presented this vulnerability at the BlackHat USA 2022 conference and subsequently published proof-of-concept scripts. This made it possible for us to create a patch for affected "security-adopted" Windows systems that no longer receive official fixes from Microsoft.
The vulnerability allows an attacker to bypass an integrity check for a security buffer of a PAC structure sent inside attacker's AP-REQ request. The flawed integrity check improperly inspects the security buffer type by comparing it to constant SECBUFFER_TOKEN while ignoring that its value can also include two bit flags in the upper byte. Nick's and James' proof-of-concept adds one such flag to the value, bypassing the integrity check, and can therefore arbitrarily modify the PAC structure - for instance, to claim the requestor is not the actual low-privileged user but a local administrator. According to Microsoft's advisory, "a domain user could use this vulnerability to elevate privileges to a domain admin."
Microsoft assigned this issue CVE-2022-35756
and fixed it by removing the execution branch that led to the bypass. Our micropatch is logically
equivalent to Microsoft's:
MODULE_PATH "..\AffectedModules\kerberos.dll_6.1.7601.24545_Win7_32-bit_NoESU\kerberos.dll"
PATCH_ID 1053
PATCH_FORMAT_VER 2
VULN_ID 7492
PLATFORM win32
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0xe856
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
code_start
push eax ;save the original rax value
mov eax, [ebp-0x14] ;get the flag location pointer +0x8 for the previous push
bt dword[eax+0x28], 0x19 ;test the 0x19-th bit
pop eax ;restore original rax value
jb SKIP ;if bit is set, keep the old rcx value
mov eax, 1 ;if bit is not set, mov 1 into rcx
SKIP:
; the value of rax here will be stored to rcx and serve as an argument
; in a call to KerbCreateTokenFromTicketEx
code_end
patchlet_end
The micropatch was written for the following Versions of Windows with all available Windows Updates installed:
- Windows 10 v2004
- Windows 10 v1909
- Windows 10 v1903
- Windows 10 v1809
- Windows 10 v1803
- Windows 7 without ESU, with year 1 of ESU and with year 2 of ESU
- Windows Server 2008 R2 without ESU, with year 1 of ESU and with year 2 of ESU
To learn more about 0patch, please visit our Help Center. For a trial or demo please contact sales@0patch.com.
We'd like to thank Nick Landers (@monoxgas) and James Forshaw (@tiraniddo) for publishing their analysis with a proof-of-concept that allowed us to reproduce the vulnerability and create a micropatch. We also encourage security researchers to privately share their analyses with us for micropatching.
No comments:
Post a Comment