0patch Blog: 2023

Wednesday, September 13, 2023

Micropatches Released For Windows Error Reporting Service Elevation of Privilege (CVE-2023-36874)

With July 2023 Windows Updates, Microsoft brought a fix for CVE-2023-36874, a local privilege escalation vulnerability in Windows Error Reporting Service that was found both by Google TAG and CrowdStrike to be exploited in the wild in the previous month.

When security researcher Filip Dragovic released a proof of concept for this issue, we could reproduce it and start working on a patch.

The Vulnerability

In short, the Windows Error Reporting Service has a number of functions exposed via its RPC interface, so a local process can ask it to submit a chosen error report via function SubmitReport. This function impersonates the calling process' user and at some point launches wermgr.exe, one of the WER executables. Normally, wermgr.exe would be launched from C:\Windows\System32\, but since the service is impersonating the caller (i.e., the attacker), the CreateProcess function honors any symbolic links the caller may have in place. The attacker can, for instance, create a symbolic link mapping C:\ to an arbitrary location such as C:\Users\public\test , which will be used by the CreateProcess call. Consequently, the WER service would launch C:\Users\public\test\Windows\System32\wermgr.exe, attacker's executable with the same name - and according to the documented behavior of CreateProcess, the executable would be launched with the token of the service (not the impersonation token). In other words: as Local System.

The Official Patch

Microsoft's fix for this issue was very simple: they effectively disabled the SubmitReport function by immediately returning error "Not implemented" (0x80004001). This means that it is no longer possible to submit an error report via RPC - and perhaps this was never really needed anyway.

Our Micropatch

Our micropatch is logically identical to Microsoft's, and produces the same behavior.

MODULE_PATH "..\AffectedModules\wercplsupport.dll_10.0.17134.1967_Win10-1803_32-bit_u2021-05\wercplsupport.dll"
PATCH_ID 1488
PATCH_FORMAT_VER 2
VULN_ID 7774
PLATFORM win32

patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x82ac
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    PIT wercplsupport.dll!0x82eb
    code_start

        mov eax, 80004001h   ; Error code for "Not Implemented"
        jmp PIT_0x82eb       ; Jump directly to end of function

    code_end
patchlet_end

Let's see our micropatch in action. With 0patch disabled, the POC manages to create a new user "test" on the computer by launching a fake C:\Users\public\test\Windows\System32\wermgr.exe. With 0patch enabled, the POC fails to do that because wermgr.exe is not being launched from function SubmitReport at all.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows 10 v21H1
Windows 10 v20H2
Windows 10 v2004
Windows 10 v1909
Windows 10 v1809
Windows 10 v1803

We were unable to reproduce this issue on Windows 7 and Server 2008 R2, and believe it is not exploitable there.

Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Filip Dragovic for sharing their proof of concept, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

Wednesday, September 6, 2023

Micropatches Released For Windows Search Remote Code Execution (CVE-2023-36884)

Alongside July 2023 Windows Updates, Microsoft revealed the existence of a 0day that was detected in the wild and assigned it CVE-2023-36884. Without issuing a patch, they titled their original advisory "Office and Windows HTML RCE vulnerability" as exploitation was performed using malicious Word documents, and provided workarounds that could block exploitation.

Very little information was publicly available and exploit samples that were referenced by those who claimed to be in the know seemed convoluted, comprising numerous exploits of old known vulnerabilities. The main source of useful information was security researcher Will Dormann who invested a great deal of effort in publicly dissecting many of these samples and reviewing numerous sources to meticulously separate the wheat from the chaff (see his super long Twitter thread).

In absence of sufficient information on the vulnerability itself, we initially decided to issue a patch that implemented one of the most effective workarounds recommended by Microsoft - the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation for all Office executables. This patch - free for everyone as the issue was still an unpatched 0day - enabled said workaround on all 0patch customers' computers so they didn't have to do that manually (or even know about this 0day).

The Official Patch

In August, Microsoft finally provided a patch for CVE-2023-36884, and updated their advisory to reveal that the issue lied in Microsoft Search and that "An attacker can plant a malicious file evading Mark of the Web (MOTW) defenses which can result in code execution on the victim system."

This, combined with Will's analysis of the changed behavior in Windows ZIP file extraction (mostly the latter, really), led us to conclusion that Microsoft's patch for CVE-2023-36884 was focused on randomizing the temporary path where files from a ZIP archive are extracted. Before the August update, a file.txt file opened directly from an archive.zip ZIP file would be extracted to a location like:

C:\Users\username\AppData\Local\Temp\Temp1_archive.zip\file.txt

For a local exploit script running on user's computer this is a predictable location, and if extraction process was terminated by exploit code at the right time, Windows would not put the Mark of the Web (MotW) on the file even if the ZIP file came from the Internet and should not be trusted. The absence of this mark on the extracted file would later result in no security warning when the file was opened. (In the actual exploit, the extracted file would be an executable launched without any warning.)

After the August Windows Update, file extraction was different. The same file would be extracted to this location:

C:\Users\username\AppData\Local\Temp\Temp1710d72f-7438-40d0-be9b-52f7e0651fe9_archive.zip\file.txt

Whereby the added GUID part is random and different each time. This blocks exploitation because the exploit code cannot guess the correct path of the extracted file and can therefore not launch it.

We located Microsoft's patch that introduced this change in zipfldr.dll, inside the CTempFileNameArray::_TryCreatingInPath function.

Our Micropatch

Our micropatch is logically identical to Microsoft's, and produces the same behavior with extracted files.

PATCH_ID 1487
PATCH_FORMAT_VER 2
VULN_ID 7772
PLATFORM win64

patchlet_start
   PATCHLET_ID 1
   PATCHLET_TYPE 2
   PATCHLET_OFFSET 0x18514
   N_ORIGINALBYTES 5
   JUMPOVERBYTES 5
   PIT zipfldr.dll!0x180a0,zipfldr.dll!0x186ad,rpcrt4.dll!UuidCreate,rpcrt4.dll!RpcStringFreeW,rpcrt4.dll!UuidToStringW
   ;zipfldr.dll!0x180a0 __int16 *ConstructString(HINSTANCE, unsigned int, ...)
   ;zipfldr.dll!0x186ad ErrorBlock

   code_start

        sub rsp, 0x50             ;Create shadowspace and 2 variables

        mov [rsp+0x48], rcx     ;Save rcx
        mov [rsp+0x40], rdx       ;Save rdx
        mov [rsp+0x38], r9        ;Save r9


        lea rcx, [rsp+0x28]       ;Move var1 to rcx to receive UUID
        call PIT_UuidCreate       ;Call UuidCreate
        cmp eax, 0                ;Check if call succeeded
        jne ERROR                 ;Jump to error block if result != 0

        lea rdx, [rsp+0x20]       ;Move var2 to rdx to receive pointer to UUID_STRING
        lea rcx, [rsp+0x28]       ;Move var1 with UUID to rdx
        call PIT_UuidToStringW    ;Call UuidToStringW to convert UUID on var1 to UUID_STRING and move it to var2
        cmp eax, 0                ;Check if the call succeeded
        jne ERROR                 ;Jump to error block if result != 0

        mov rcx, [rsp+0x48]       ;Restore rcx
        mov rdx, [rsp+0x40]       ;Restore rdx
        mov r9, [rsp+0x38]        ;Restore r9
        mov r8, [rsp+0x20]        ;Replace r8 with UUID_STRING from var2
        call PIT_0x180a0        ;Call ConstructString that output a full path pointer to rax
        mov qword[rsp+0x38], rax ;save rax for later

        lea rcx, [rsp+0x20]       ;Get the pointer to UUID_STRING from var2 and move it to rcx
        call PIT_RpcStringFreeW   ;Free the UUID_STRING buffer

        mov rax, [rsp+0x38]       ;Restore rax we saved earlier

        jmp END                   ;Continue normal execution

   ERROR:                        ;Error block
        add rsp, 0x50             ;Restore the stack pointer
        jmp PIT_0x186ad           ;Jump to the error block

   END:                        ;Normal execution
        add rsp, 0x50             ;Restore stack pointer

   code_end

patchlet_end

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows 10 v21H1
Windows 10 v20H2
Windows 10 v2004
Windows 10 v1909
Windows 10 v1809
Windows 10 v1803
Windows 7 (without ESU, with ESU year 1, 2 and 3)
Windows Server 2008 R2 (without ESU, with ESU year 1, 2 and 3)

Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

We would like to thank Will Dormann for his extensive analysis of exploit samples, related publications, and Microsoft's patch, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

Tuesday, August 8, 2023

Three More Years of Critical Security Patches for Windows Server 2012 and Windows Server 2012 R2

Can't upgrade your Windows Server 2012 to a newer windows server? No problem.

As an on-premises Windows Server 2012 user, you probably know that Microsoft plans to end its support this October. This means no more Windows updates, including security fixes, and the chilling prospect of your servers becoming progressively vulnerable as new security issues are inevitably going to be discovered.

If you're lucky enough to be an "eligible customer with Software Assurance under an Enterprise Agreement", you will be able to purchase up to 3 years of Extended Security Updates (ESU) from Microsoft for an annual cost equal to "100% of full license price annually".

Those of you who aren't eligible or have other reasons not to purchase ESU, but want to keep using your servers securely - we have good news for you!

Remember Windows Server 2008 R2 going out of support more than three years ago? Well, we security-adopted it and have thousands of customers still running this server securely with our security patches today. Meanwhile, the three-year ESU period for Server 2008 has already ended for on-premises servers, and we committed to continuing our support for at least two more years.

Now we'll do the same for Windows Server 2012 and Windows Server 2012 R2, starting with three years of critical security patches that will last until October 2026. In contrast to Windows Server 2008 where we only security-adopted the R2 version, we're seeing a sufficient interest in non-R2 version of Server 2012 to add it to the list of our security-adopted products.

If you're new to 0patch and our security patches, we have a lot of information in our Help Center but here's a quick overview:

0patch provides critical security patches for vulnerabilities that are likely to be exploited.
Our tiny patches (usually just a few CPU instructions) get applied in memory of running processes; we don't change original executable files.
Patches get applied and un-applied instantly, without restarting the computer.
Apart from critical security patches for vulnerabilities Microsoft will patch on still-supported Windows versions, you will also get our "0day" patches for vulnerabilities that don't yet have official security patches.
0patch Central allows for central management of all 0patch Agents.
0patch costs a fraction of the cost of Extended Security Updates. (Consider Pro plan for a single server, and Enterprise plan for multiple servers with central management.)

To use 0patch on Windows Server 2012 after October 2023, you will need to:

Create a 0patch account if you don't have one yet.
Install the last available, i.e., October 2023, cumulative Windows Update for Windows Server 2012. (This is very important, our patches will be targeting these exact versions of Windows executables.)
Install 0patch Agent on the server and register it to your 0patch account. (See 0patch Agent user manual for instructions on silent deployment and auto-registration in selected group.)
Make sure to have a suitable number of licenses in your 0patch account: each computer with a registered 0patch Agent needs one license.

October is getting close - start testing 0patch in your environment now to iron out the wrinkles without too much rush. To start a free trial, create a free account in 0patch Central, then let us know at sales@0patch.com which email you used for that so we can issue a couple of trial licenses to your account.

Frequently Asked Questions

Q: How long do you plan to provide critical security patches for Windows Server 2012 after October 2023?

A: For at least three more years - until October 2026. Depending on the demand, we'll consider an extension.

Q: How many vulnerabilities have you patched for Windows Server 2008 R2 and Windows 7 since January 2020?

A: Since January 2020 when we "security-adopted" Windows 7 and Windows Server 2008 R2, we have issued patches for 67 critical security issues on these systems that were at high risk of being exploited. Many of them were later actually confirmed to be exploited in the wild and even more of them became part of various exploit kits that even a low-budget attacker could easily use against unpatched systems.

Q: Are your micropatches actual code patches or "virtual patches"?

A: Our patches are actual code patches; we add a couple of CPU instructions to the original (vulnerable) executable code to remove the vulnerability. Such patches cannot be bypassed, which literally any other exploit protection mechanisms - including virtual patches - can be.

Q: Will we be able to continue using Microsoft Edge securely on Windows Server 2012 after October 2023?

A: We have also security-adopted Microsoft Edge in January 2023, so you'll be able to keep using Edge securely even though it won't get updated by Microsoft anymore. We're also still providing security patches for Internet Explorer, which is still effectively part of the operating system.

Q: We'd like to see a demo.

A: Send an email to sales@0patch.com and provide your company name and time zone so we can suggest a couple of dates for the demo.

Q: We'd like to set up a trial.

A: Create a free account in 0patch Central, then let us know at sales@0patch.com which email you used for that so we can issue a couple of trial licenses to your account.

Q: We have more questions about 0patch.

A: Our Help Center has a lot of answers but if you can't find yours there, feel free to contact us at sales@0patch.com.

Friday, July 14, 2023

Micropatches Released For Denial of Service in Microsoft Message Queuing (CVE-2023-28302, CVE-2023-21769)

April 2023 Windows Updates brought fixes for a number of vulnerabilities in Microsoft Message Queuing Service. We first issued patches for the "Queuejumper" remote code execution vulnerability (CVE-2023-21554) as its POC became available. Subsequently, we got access to POCs for two additional issues in Microsoft Message Queuing Service: CVE-2023-21769 and CVE-2023-28302, both being remote denial-of-service issues.

While still-supported Windows systems have already received the official vendor fix for these vulnerabilities, there are Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for these vulnerabilities, which are available through the 0patch service.

Our patches for these issues are similar to Microsoft's. Because the new patch for CVE-2023-28302 is in the same place as our previous patch for CVE-2023-21554, we had to revoke the latter and issue a combined patch for CVE-2023-21554 and CVE-2023-28302. (Which, of course, doesn't require our users to do anything as it all happens automatically.)

Micropatch Availability

These micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows 10 v21H1
Windows 10 v2004
Windows 10 v1909
Windows 10 v1809
Windows 10 v1803
Windows 7 (without ESU, with ESU year 1, and with ESU year 2)
Windows Server 2008 R2 (without ESU, with ESU year 1, and with ESU year 2)

Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

To learn more about 0patch, please visit our Help Center.

Friday, June 30, 2023

Micropatches Released For DHCP Server Service Remote Code Execution (CVE-2023-28231)

April 2023 Windows Updates brought a fix for CVE-2023-28231, a remote code execution vulnerability in DHCP Server service. The vulnerability was reported to Microsoft by security researcher YanZiShuang.

Subsequently, Numen Cyber published a POC and DarkRelay Security Labs published their analysis, both of which allowed us to reproduce the issue and create a micropatch for Windows computers that haven't received an official fix from Microsoft.

The vulnerability only affects Windows servers with DHCP Server installed, and resides in the way DHCP Server processes relay-forwarded messages, whereby a message claiming to have been forwarded by more than 32 intermediate DHCP servers breaks the code's assumptions and causes memory corruption.

While still-supported Windows servers have already received an official vendor fix for this vulnerability, Windows Server 2008 R2 isn't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatch for this vulnerability, which is available through the 0patch service.

Our patch is logically identical to Microsoft's.

Micropatch Availability

The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows Server 2008 R2

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

To learn more about 0patch, please visit our Help Center.

We'd like to thank Numen Cyber for sharing their POC, and DarkRelay Security Labs for sharing their analysis, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.

Micropatches Released For Windows Task Scheduler Elevation of Privilege (CVE-2023-21541)

January 2023 Windows Updates brought a fix for CVE-2023-21541, a local privilege elevation in Task Scheduler. The vulnerability was reported to Microsoft by Ben Lincoln of Bishop Fox.

In April, Ben published a detailed analysis of this issue, which allowed us to reproduce the issue and create a micropatch for Windows computers that haven't received an official fix from Microsoft.

The vulnerability is easy to understand: if a scheduled task contains an environment variable in its executable path, expansion of this variable may result in double quotes around the path being lost, which could then lead to the "unquoted path" vulnerability.

On the other hand, the issue is not so easy to exploit, assuming that the local attacker does not have administrative privileges (why would they need a local privilege elevation vulnerability if they did?). The first condition is that a scheduled task must already exist on the system whose path to the executable contains an environment variable, and the second condition is that the attacker is able to create a malicious executable called program.exe in the root of C: drive. The latter is, by default, only allowed for administrators and system, so the computer would have to be in some custom configuration.

Nevertheless, we decided to patch this, since at least a couple of our users may have both these conditions fulfilled. While still-supported Windows systems have already received the official vendor fix for this vulnerability, there are Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for this vulnerability, which are available through the 0patch service.

Our patch is functionally similar to Microsoft's, but in our case applying the patch doesn't require a restart of the Task Scheduler service (while Microsoft's does).

Micropatch Availability

The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows 10 v2004
Windows 10 v1909
Windows 10 v1809
Windows 10 v1803

Windows 7 and Server 2008 R2 are not affected by this issue.

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

To learn more about 0patch, please visit our Help Center.

We'd like to thank Ben Lincoln of Bishop Fox for sharing their analysis, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.

Wednesday, June 21, 2023

New 0patch Central, New Security Features

Dear 0patch friends,

We're happy to share with you that four new highly asked-for features have been added to 0patch Central:

Multi-factor Authentication

You can now protect your 0patch account with multi-factor authentication (MFA). Use any authenticator app to configure MFA in your user profile and store recovery codes in a safe place in case you lose access to the app. This feature is available in Free, Pro, and Enterprise accounts.

Authentication Options

Select which authentication methods can be used for logging in to 0patch Central; choose between "Email and Password" and "Single sign-on", and specify whether multi-factor authentication ("MFA") is required for all users in the account. Find this feature under Account -> Security in Enterprise accounts.

Password Policy

Set the password policy for users in your account; users will be forced to change their password upon next login if needed. Find this feature under Account -> Security in Enterprise accounts..

IP Address Restrictions

Specify a set of IP addresses or subnets from which your 0patch Central account can be accessed. This setting does not affect 0patch Agents - they can always sync from anywhere. Find this feature under Account -> Security in Enterprise accounts..

Upcoming Security-Adoption of Windows Server 2012

In the spirit of supporting legacy Windows versions and Microsoft products, we're happy to announce an upcoming adoption of Windows Server 2012, which goes out of official support in October 2023. If you're using Windows Server 2012 and would like to keep doing so securely, contact us at sales@0patch.com.

Are your friends or peers operating Windows systems? Do them a favor and tell them about 0patch.

Thank you!

Your 0patch Team

Tuesday, June 13, 2023

0patch Security-Adopts Windows 10 v20H2 to Keep it Running Securely

Last month brought the last security updates for Windows 10 version 20H2. What if your organization is still using it and doesn't want to - or can't - upgrade it yet?

Don't worry, we have previously security-adopted Windows 10 v1803 and v1809, Windows 10 v2004 and v1909, and Windows 10 v21H1.

Now we're security-adopting version 20H2.

If you're running Windows 10 v20H2 in your organization, all you need to do is install 0patch Agent on these computers and register it to an account with PRO or Enterprise subscription, and you'll start receiving critical security patches as soon as we issue them.

These micropatches will be included in 0patch PRO and Enterprise licenses along with all other micropatches we're issuing - which means that users protecting their Windows 10 v20H2 with 0patch will also receive our micropatches for "0day" vulnerabilities in various products.

In order to have our micropatches applied, Windows 10 v20H2 will have to have May 2023 Windows Updates (the last official updates for this version) installed.

We welcome all interested organizations to contact sales@0patch.com for information about pricing, deployment, or setting up a trial.

P.S.: We're getting close to Windows Server 2012 end of official support by Microsoft in October 2023. You guessed it, we're going to security-adopt this server as well, in case you're already getting nervous about that. This is a good time for you to start a free 0patch trial, so send an email to sales@0patch.com.

To learn more about 0patch, please visit our Help Center.

Monday, June 5, 2023

Micropatches Released For Remote Code Execution in Windows OLE (CVE-2023-29325)

May 2023 Windows Updates brought a fix for CVE-2023-29325, a remote code execution vulnerability in Microsoft OLE (Object Linking and Embedding). The vulnerability was reported to Microsoft by Will Dormann with Vul Labs.

Will found that two of the many COM objects installed on every Windows system by default merely have to be referenced by their respective CLSIDs in a rich text email for Outlook to experience an access violation exception.

There is almost no public information on what these two COM objects were intended to do on a Windows system, but since Microsoft's fix was to block them, they probably aren't essential to any important operation. While Microsoft appears to have blocked these offensive/vulnerable COM objects via COM activation filter, they provided no remedy for unsupported Windows versions such as Windows 7 or older Windows 10. Furthermore, still-supported Office versions were also patched to prevent usage of these two COM objects, but older versions like 2010 or 2013 weren't.

For our users of older Office versions on older Windows systems we therefore had to create a patch of our own.

Our patch does effectively the same as Microsoft's does on still-supported Office versions: if a COM object is referenced with one of the "offending" CLSIDs, object activation is prevented and instead of instantiating such object, Office just writes out the CLSID and the associated DLL name.

Let's see our micropatch in action. With 0patch disabled, opening a POC email immediately crashes Outlook. With 0patch enabled, Outlook displays an email with CLSID printed out in the body, but doesn't crash.

Micropatch Availability

Our micropatch was written for the following security-adopted versions of Office with all available updates installed:

Office 2010
Office 2013

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). No restart was needed, and Office got patched without relaunching even if it was running at the time.

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

To learn more about 0patch, please visit our Help Center.

We'd like to thank Will Dormann for sharing vulnerability details, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.

Tuesday, May 30, 2023

Micropatches Released For "QueueJumper" Remote Code Execution in Microsoft Message Queuing (CVE-2023-21554)

April 2023 Windows Updates brought a fix for CVE-2023-21554, a remote code execution vulnerability in Microsoft Message Queuing Service. The vulnerability, nicknamed "QueueJumper" was reported to Microsoft by Wayne Low of Fortinet's FortiGuard Lab and Haifei Li with Check Point Research.

The first proof-of-concept became available on April 30, when Omair from Krash Consulting published it on GitHub. Another proof-of-concept by zoemurmure became available on May 18. Both of these made it possible for us to create a micropatch for this issue.

The vulnerability allows a remote unauthenticated attacker to cause memory corruption on a Windows computer running Microsoft Message Queuing Service, which can often be extended to executing arbitrary code on the computer. A detailed technical analysis (in Chinese) was provided by zoemurmure,

While still-supported Windows systems have already received the official vendor fix for this vulnerability, there are Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for this vulnerability, which are available through the 0patch service.

Our patch prevents memory corruption in a similar way as Microsoft's. In this rare case, the vulnerable service must be restarted on Windows 10 in order for our patch to get applied because it employs the "arbitrary code execution" exploit mitigation that interferes with our operations. Mind you, Microsoft's patch requires a computer restart, but 0patch micropatches typically get applied without even relaunching vulnerable processes. This is not the case here, so make sure to restart the MSMQ service.

Let's see our micropatch in action. With 0patch disabled, the POC immediately crashes the Microsoft Message Queuing Service. With 0patch enabled, the attack doesn't work anymore because the invalid packet is detected and blocked by our patch.

Micropatch Availability

The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows 10 v21H1
Windows 10 v2004
Windows 10 v1909
Windows 10 v1809
Windows 7 (without ESU, with ESU year 1, and with ESU year 2)
Windows Server 2008 R2 (without ESU, with ESU year 1, and with ESU year 2)

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

To learn more about 0patch, please visit our Help Center.

We'd like to thank Omair from Krash Consulting and zoemurmure for sharing their POCs, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.

Wednesday, April 19, 2023

Micropatches for Local Privilege Escalation in Microsoft Installer (CVE-2023-21800)

February 2023 Windows Updates brought a fix for CVE-2023-21800, a vulnerability in Windows Installer that allows a local low-privileged attacker to run their code as Local System. The vulnerability was reported to Microsoft by Adrian Denkiewicz with Doyensec. Adrian subsequently wrote an article detailing the vulnerability, which allowed us to reproduce it and create a patch for our users.

The vulnerability is in one sense a typical symbolic link issue, the types of which we've been seeing in abundance in the past years, but it is also interesting because it includes a privileged process (msiexec.exe running as Local System) inheriting environment variables from the attacker's parent process. This is something we haven't seen before and it could generally be exploited in different interesting ways.

Adrian decided to exploit it by redefining the PROGRAMDATA environment variable and thereby "redirect the “All Users” profile to the arbitrary location which is writable by the [local attacker]." Installation of a product for all users usually includes creating files in All Users' Start Menu folder - which is normally write-protected against a local non-admin user, but by redirecting this folder to an attacker-controller location allows the attacker to create a symlink there and wait for the installer process to use this symlink. If the symlink points to some system file, this effectively means the installer process (running as Local System) will delete such system file.

Arbitrary file deletion can be turned into arbitrary code execution as Local System, as was first shown by Jonas Lykkegård in 2020 using Windows Error Reporting Service, and subsequently also by Abdelhamid Naceri using Windows Installer.

While still-supported Windows systems have already received an official vendor fix for this vulnerability, there are Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for this vulnerability, which are available through the 0patch service.

Our patches add a check to the affected code to see if the path used for deleting a file contains a symlink. If it does, the operation is blocked (the file is not deleted).

Micropatch Availability

The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:

Windows 10 v2004
Windows 10 v1909
Windows 10 v1809
Windows 10 v1803
Windows 7 (without ESU, with ESU year 1, and with ESU year 2)
Windows Server 2008 R2 (without ESU, with ESU year 1, and with ESU year 2)

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

To learn more about 0patch, please visit our Help Center.

We'd like to thank Adrian Denkiewicz with Doyensec for sharing their POC, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.

Wednesday, March 22, 2023

Micropatch for Microsoft Outlook Notification File NTLM Hash Theft (CVE-2023-23397, CVE-2023-29324)

March 2023 Windows Updates fixed CVE-2023-23397, a vulnerability in Microsoft Outlook that was found to be exploited in the wild since at least January this year. Microsoft revealed very little information but security researcher Dominic Chell of MDSec was quick to figure out what it was about and had a working exploit within hours of Microsoft's update release. Dominic's analysis was released soon thereafter, and POCs started cropping up all over the place.

The vulnerability allows an attacker to send the victim an email such that even without the victim reading this email, Outlook will try to play a notification sound from a file specified in attacker's email (weird, huh?). While the more playful among us would immediately think of rickrolling our friends, serious attackers could use this "feature" to extract victim's NTLM hash from their computer. Specifying a sound file on a network location such as \\attacker.com\hash_collector.mp3 would make user's Outlook send a network request to attacker's server, which would then request authentication, and user's computer would respond with user's NTLM hash. For some reason, this also works with hosts on the Internet, where NTLM hashes are usually not being sent.

The official patch from Microsoft surprisingly didn't just axe this weird feature, but rather limited the location of the notification sound that your email sender wants you to hear to Local Intranet and Trusted Zones - if the supplied path is elsewhere, no sound will be played. This means that an attacker can still make your Outlook send your NTLM hash to any computer in the local network without you being able to prevent that - which is great news for attackers sitting in your network trying to elevate their privileges and become you.

As a workaround in lieu of patching, Microsoft suggested users to "block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares." This mitigation was later found to be incomplete, as Windows automatically try to use WebDAV for accessing remote shares when an SMB connection attempt fails.

While still-supported Microsoft Office versions have already received an official vendor fix for this vulnerability, Office 2010 - which we have security-adopted - is also vulnerable. In order to protect our Office 2010 users, we have created our own micropatch for this vulnerability.

Our patch is different to Microsoft's, as we believe theirs unnecessary leaves an important part of attack surface open. We therefore decided to simply enforce the default notification sound and completely ignore what your sender wanted you to hear. Granted, if your eager admin has set up some custom sound file for Outlook notifications, our patch will play the default notification sound instead of that as well.

Update 5/10/2023: Our worries about Microsoft's patch turned out to be justified as Akamai researcher Ben Barnea found a simple way to bypass it. Adding a single back slash to the attacker-supplied path did the trick. Our patch blocks this bypass (assigned CVE-2023-29324) by design, so neither we nor our users have to do anything to remain protected against both the old and the new issue. We remain puzzled at Microsoft's insistence to keep this weird and attacker-friendly feature alive.

This is the source code of our patch. It merely overrides the provided sound file path with "reminder.wav", which is the default value for Outlook reminders.

MODULE_PATH "..\Affected_Modules\outlook.exe_14.0.7268.5000_Office-2010_64bit\outlook.exe"
PATCH_ID 1322
PATCH_FORMAT_VER 2
VULN_ID 7684
PLATFORM win64

patchlet_start
   PATCHLET_ID 1
   PATCHLET_TYPE 2
   PATCHLET_OFFSET 0x51d260
   N_ORIGINALBYTES 5
   JUMPOVERBYTES 0

   code_start

        call VAR
        dw __utf16__('reminder.wav'), 0 ; The default notification for Outlook 2010
   VAR:

        pop rsi

   code_end
patchlet_end

Micropatch Availability

The micropatch was written for the following security-adopted versions of Office with all available updates installed:

Microsoft Office 2010

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them. If you're using Office 2010, or soon-to-be-expired Office 2013 that goes out of support in April this year, 0patch will make sure such vulnerabilities won't be exploited on your computers - and you won't even have to know or care about updating.

To learn more about 0patch, please visit our Help Center.

We'd like to thank Dominic Chell for sharing their analysis, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.

Update 5/10/2023: We'd also like to thank Ben Barnea for sharing the analysis of their patch bypass.

Thursday, March 9, 2023

Micropatches for Microsoft Word Remote Code Execution (CVE-2023-21716)

February 2023 Windows Updates brought a fix for CVE-2023-21716, a remote code execution vulnerability in Microsoft Word. The vulnerability was discovered and reported by security researcher Joshua J. Drake (Twitter, Mastodon), and subsequently published with a simple proof-of-concept.

The flaw is in Word's processing of an RTF file with an excessive number of font records, whereby a numeric operation with sign extension results in the code writing to an address outside the intended memory block. With sufficient heap grooming, arbitrary code execution could be possible upon user merely opening a malicious Word document, previewing it in Explorer's Preview Pane, or viewing a malicious email in Outlook. This vulnerability apparently goes back to Office 97.

Microsoft's patch for this issue is not subtle at all: when a sufficiently large number of font records (specifically, more than 32760) is detected in an RTF document, Word just terminates itself. This approach is not new and has reportedly been used before, but may have negative side effects such as lost data (Word crashing while editing an unsaved document) or being unable to use Outlook because it displays the malicious email every time you open it - and crashes.

Our patches are logically equivalent to Microsoft's patches for this issue.

MODULE_PATH "..\Affected_Modules\wwlib.dll_14.0.7268.5000_Office-2010_64bit\wwlib.dll"
PATCH_ID 1315
PATCH_FORMAT_VER 2
VULN_ID 7683
PLATFORM win64

patchlet_start
   PATCHLET_ID 1
   PATCHLET_TYPE 2
   PATCHLET_OFFSET 0x2f3cd6
   N_ORIGINALBYTES 5
   JUMPOVERBYTES 0
   PIT kernel32.dll!TerminateProcess,kernel32.dll!GetCurrentProcess

   code_start

        lea r9, [rsi+0Ah]        ; add 0Ah to the current font table index
        lea eax, [r9+8000h]        ; add 8000h
        cmp eax, 0FFFFh            ; check if sign extension would happen
        jbe CONTINUE               ; if not, continue normal execution

        call PIT_GetCurrentProcess ; retrieve a pseudo handle for the current process,
                                   ; currently -1, For compatibility with future operating
                                   ; systems, it is best to call GetCurrentProcess
                                   ; instead of hard-coding this constant value
        call PIT_ExploitBlocked    ; Exploit Blocked popup
        mov rcx, rax               ; handle (-1)
        mov rdx, 0xbadbaffa        ; exit code
        call PIT_TerminateProcess ; terminates the specified process and all of its threads

   CONTINUE:

   code_end
patchlet_end

Micropatch Availability

The micropatch was written for the following security-adopted versions of Office with all available updates installed:

Microsoft Office 2010

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

To learn more about 0patch, please visit our Help Center.

We'd like to thank Joshua J. Drake (Twitter, Mastodon) for sharing their POC, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.