Thursday, April 4, 2024

Micropatches for Windows Local Session Manager Elevation of Privilege (CVE-2023-21771)

 


In December of 2022, Ben Barnea of Akamai posted an X thread about a bug they had found in Windows Local Service Manager (LSM) that can lead to local privilege escalation from regular user account to Local System. Ben discovered that code in LSM was missing a return value check after a call is made to RpcImpersonateClient to impersonate the caller: a failed impersonation attempt would therefore keep the code running as Local System.

After trying out several ideas to make the RpcImpersonateClient function fail, Ben succeeded with an interesting race condition trick, changing the caller's token after the call has been accepted by LSM, but before the impersonation is attempted.

Microsoft assigned this issue CVE-2023-21771, and issued a fix for it with January 2023 Windows Updates. 

Ben's X thread and proof of concept allowed us to reproduce the issue and create a micropatch for users of legacy Windows systems, which are no longer receiving security updates from Microsoft. 


Microsoft's Patch

Microsoft patched this issue by adding a check for the return value of RpcImpersonateClient call, and skipping the processing if the call fails.


Our Micropatch

Our patch is logically identical to Microsoft's:



;XX-1665
MODULE_PATH "..\AffectedModules\lsm.dll_10.0.19041.1266_Win10-2004_64-bit_u2021-12\lsm.dll"
PATCH_ID 1725
PATCH_FORMAT_VER 2
VULN_ID 7813
PLATFORM win64
       
patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x58a63
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    PIT lsm.dll!0x58a7a
    
    code_start
        
        cmp rax, 0x0        ;check if RpcImpersonateClient returned 0 for success
        jne PIT_0x58a7a     ;if not, jump to the error block
       
    code_end
patchlet_end

 

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 10 v21H1 - fully updated
  2. Windows 10 v2004 - fully updated
 
Older Windows 10 versions, Windows 7 and Server 2008 R2 were not affected by this issue. Newer Windows 10 versions received an official patch from Microsoft.
  
Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

Vulnerabilities like this get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank  Ben Barnea of Akamai for sharing their analysis, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

 

Tuesday, April 2, 2024

Micropatches for Leaking NTLM Credentials Through Windows Themes (CVE-2024-21320)

 


January 2024 Windows Updates brought a patch for CVE-2024-21320, a privilege escalation vulnerability in Windows. The vulnerability allows a remote attacker to acquire user's NTLM credentials when the victim simply downloads a Theme file or views such file in a network folder.

Security researcher Tomer Peled of Akamai discovered this issue, reported it to Microsoft, and later published a detailed article along with a proof of concept. These allowed us to reproduce the issue and create a micropatch for users of legacy Windows systems, which are no longer receiving security updates from Microsoft. 


The Vulnerability

In short, the Theme file format allows a .theme file to specify two images, BrandImage and Wallpaper, which can also be on a remote network share and which Windows Explorer will automatically try to load when a Theme file is downloaded or displayed in a folder. A malicious Theme file could have these images point to a shared folder on attacker's computer, where user's NTLM credentials would be harvested and used for impersonating the user.

Note that Theme files are already generally considered "dangerous", and you cannot, for example, receive one as an email attachment through Outlook any more than you cannot receive an attached EXE file. This is for a good reason: a Theme file can specify a malicious screen saver, which is essentially an EXE file, so double-clicking such Theme file would be effectively as dangerous as double-clicking a malicious EXE. The vulnerability at hand, in contrast, is about simply downloading or viewing a Theme file in a folder, which is a much easier thing for an attacker to achieve than getting the user to actually apply a malicious theme.


Microsoft's Patch

As Tomer notes in their article, Microsoft patched this bug by implementing a registry value called DisableThumbnailOnNetworkFolder, which controls a security check for both image paths by calling PathIsUNC. In case DisableThumbnailOnNetworkFolder is 1 and PathIsUNC returns true, images are not loaded if located on a shared folder.


Our Micropatch

Our patch is logically identical to Microsoft's, only that the decision to block images on network path is hard-coded and not configurable via the registry. The patch consists of two small patchlets located in ThumbnailLoadImage and CFileSource::s_LoadPIDLFromPath functions of themeui.dll, both calling PathIsUNC and preventing the image from loading if its path is on a network share. 



;XX-1641
MODULE_PATH "..\AffectedModules\themeui.dll_6.1.7601.24260_Win7_32-bit_uNoESU\themeui.dll"
PATCH_ID 1718
PATCH_FORMAT_VER 2
VULN_ID 7812
PLATFORM win32
       
patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0xbb90
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    PIT shlwapi.dll!PathIsUNCW,themeui.dll!0xbc00
    
    code_start
    
        push dword[ebp+0x8]  ;push patch string pointer as first arg
        call PIT_PathIsUNCW  ;call PathIsUNCW to check if the string from
                             ;the theme file is a UNC path
        cmp eax, 0x0         ;check if the function returned TRUE or FALSE
        jne PIT_0xbc00       ;if TRUE, jump to an error block
       
    code_end
patchlet_end

patchlet_start
    PATCHLET_ID 2
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x4bb7
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    PIT shlwapi.dll!PathIsUNCW,themeui.dll!0x4c26
    
    code_start
    
        push dword[ebp-0x294] ;push patch string pointer as first arg
        call PIT_PathIsUNCW   ;call PathIsUNCW to check if the string from
                              ;the theme file is a UNC path
        cmp eax, 0x0          ;check if the function returned TRUE or FALSE
        jne PIT_0x4c26        ;if TRUE, jump to an error block
       
    code_end
patchlet_end


 

It is worth noting that neither Microsoft's nor our patch prevents the remote loading of these images in case the user actually opens a Theme file (e.g., by double-clicking on it) in order to apply the theme. While Windows do show a Mark-of-the-Web warning in such case for Theme files originating from the Internet, it would make little sense to add code for preventing NTLM leaks there because a malicious Theme file would probably install a malicious screen saver instead of just leak user's credentials.

Let's see our micropatch in action. 

The attacker's computer on the right side of the video is waiting to collect user's NTLM credentials. A Windows user on the left opens the Downloads folder where a malicious Theme file was previously automatically downloaded while they visited attacker's web site. With 0patch disabled, just viewing the Theme file in the Downloads folder results in Windows Explorer trying to load the two images from attacker's computer, resulting in their NTLM credentials being captured there.

With 0patch enabled, viewing a Theme file no longer results in leaking user's NTLM credentials.



Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H1 - fully updated
  2. Windows 10 v20H2 - fully updated
  3. Windows 10 v2004 - fully updated
  4. Windows 10 v1909 - fully updated
  5. Windows 10 v1809 - fully updated
  6. Windows 10 v1803 - fully updated
  7. Windows 7 - no ESU, ESU 1 to 3
  8. Windows Server 2012 - fully updated
  9. Windows Server 2012 R2 - fully updated
  10. Windows Server 2008 - no ESU, ESU 1 to 3
  
Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank  Tomer Peled of Akamai for sharing their analysis, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.