Monday, July 29, 2024

Patches for two Windows Bluetooth Vulnerabilities (CVE-2023-23388, CVE-2023-24871)

The March 2023 Windows Updates brought patches for two Windows Bluetooth vulnerabilities: CVE-2023-23388, a Windows Bluetooth Driver Elevation of Privilege Vulnerability, and CVE-2023-24871, a Windows Bluetooth Service Remote Code Execution Vulnerability. Both were reported to Microsoft by security researcher Miloš (a.k.a. goodbyeselene).

Miloš subsequently wrote a series of detailed articles and published POCs for these issues (POC 1, POC 2). These allowed us to reproduce both issues and create micropatches for affected legacy Windows systems, which no longer receive security updates from Microsoft.


Windows Bluetooth Service Remote Code Execution Vulnerability (CVE-2023-24871)

This vulnerability lies in Microsoft's Bluetooth Low Energy implementation. The Windows.Internal.Bluetooth.dll library implements parsing and processing of Bluetooth data received locally or remotely. Bluetooth Low Energy provides a feature called "Advertising" which, without going into too much detail, is a way of broadcasting data packets to all participants. Advertising data can be delivered by two events: LE Advertising Report and LE Extended Advertising Report. Bluetooth 5.0 introduced the LE Extended Advertising Report, which allows a packet to carry more data (1650 bytes instead of 32, split into multiple PDUs of 254 bytes). An attacker can use this to overflow the counter in a function that counts the number of advertising sections inside a packet, because the counter is an 8-bit integer. When the counter reaches 0xff, the next iteration wraps it to 0x00 (and counting continues as 0x01, 0x02, 0x03...); the final value is then used to allocate a memory buffer. When this undersized buffer is used, an access violation occurs that could potentially be turned into arbitrary code execution.

Microsoft patched this by capping the advertising section counter at 0xff. If 0xff is reached, the parsing function now errors out, which stops the exploit from continuing.

Our patch is logically identical to Microsoft's, and successfully stops the counter in function BthLELib_ADValidateEx from overflowing.
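The counter wrap described above, as an added illustration that is not code from the original post or from Microsoft: the payload layout is modelled on the Bluetooth advertising data (AD) structure format ([length][type][data...]), the function names are this example's own, and the payloads are constructed. The unchecked counter silently wraps at 0xff, so a payload with 300 sections is counted as 44 and any allocation sized from that count is too small; the checked variant, modelled on the fix the post describes, rejects the payload as soon as the counter would reach 0xff.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Count AD structures with an 8-bit counter, as the pre-patch logic is
 * described: the counter wraps from 0xff to 0x00 without any error. The
 * returned value is what a caller would use to size its buffer. */
static uint8_t count_ad_sections_unchecked(const uint8_t *buf, size_t len) {
    uint8_t count = 0;
    size_t pos = 0;
    while (pos < len) {
        uint8_t ad_len = buf[pos];
        if (ad_len == 0) break;             /* zero-length structure ends the data */
        if (pos + 1 + ad_len > len) break;  /* truncated structure: stop */
        count++;                            /* 0xff + 1 wraps to 0x00 here */
        pos += 1 + ad_len;
    }
    return count;
}

/* Hardened variant: refuse the payload once the counter would pass 0xff
 * instead of letting it wrap. Returns false on rejection; *out is only
 * valid when true is returned. */
static bool count_ad_sections_checked(const uint8_t *buf, size_t len, uint8_t *out) {
    uint8_t count = 0;
    size_t pos = 0;
    while (pos < len) {
        uint8_t ad_len = buf[pos];
        if (ad_len == 0) break;
        if (pos + 1 + ad_len > len) return false;  /* malformed: reject */
        if (count == 0xff) return false;           /* would overflow: reject */
        count++;
        pos += 1 + ad_len;
    }
    *out = count;
    return true;
}

/* Constructed payload: n minimal AD structures, each [0x01][0x01] (length 1,
 * type 0x01 = Flags, no data). Returns the number of bytes written. */
static size_t build_ad_payload(uint8_t *buf, size_t cap, size_t n) {
    size_t pos = 0;
    for (size_t i = 0; i < n && pos + 2 <= cap; i++) {
        buf[pos++] = 0x01;
        buf[pos++] = 0x01;
    }
    return pos;
}

/* Convenience wrappers: count a constructed payload of n sections.
 * checked_count_for() returns -1 when the hardened parser rejects it. */
static int unchecked_count_for(size_t n) {
    static uint8_t buf[2048];
    size_t len = build_ad_payload(buf, sizeof buf, n);
    return count_ad_sections_unchecked(buf, len);
}

static int checked_count_for(size_t n) {
    static uint8_t buf[2048];
    uint8_t c = 0;
    size_t len = build_ad_payload(buf, sizeof buf, n);
    return count_ad_sections_checked(buf, len, &c) ? (int)c : -1;
}

int main(void) {
    size_t sizes[] = {5, 255, 256, 300};
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("%zu sections: unchecked=%d checked=%d\n", sizes[i],
               unchecked_count_for(sizes[i]), checked_count_for(sizes[i]));
    }
    return 0;
}
```

The 300-section payload (600 bytes) fits comfortably within the 1650 bytes that extended advertising allows, which is why the larger packet format matters: with classic 32-byte advertising data the counter could never reach 0xff.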


Windows Bluetooth Driver Elevation of Privilege Vulnerability (CVE-2023-23388)

This issue also resides in the Windows.Internal.Bluetooth.dll library. The root cause is a signed comparison of a user-supplied value representing an operation number. If the passed value is negative, the original jge instruction treats it as "not greater than or equal to 7" and execution continues, leading to an access violation.

Microsoft patched this issue by replacing the signed comparison using jge with an unsigned comparison using jae. This effectively catches a negative number when comparing it to 7 (0 to 6 are valid operation numbers), and errors out.

We patched this similarly by injecting a jae instruction right after the original jge instruction, resulting in logically identical behavior.
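The signed-versus-unsigned bounds check described above, as an added illustration that is not code from the original post or from Microsoft: the operation table, its names and the dispatch function are this example's own. The signed check (the form a compiler typically emits as jge) lets a negative operation number through, which would index before the table; the unsigned check (the jae form) reinterprets the same negative value as a large unsigned number and rejects it. The out-of-bounds case is reported as a status value rather than actually dereferenced, so the example runs without faulting.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define OP_COUNT 7  /* operation numbers 0..6 are valid, as the post states */

/* Constructed dispatch table; real code would hold function pointers */
static const char *const op_names[OP_COUNT] = {
    "op0", "op1", "op2", "op3", "op4", "op5", "op6"
};

enum dispatch_status {
    OP_REJECTED,     /* range check failed, request refused cleanly */
    OP_OK,           /* valid operation dispatched */
    OP_WOULD_FAULT   /* check passed but the index is outside the table */
};

/* Pre-patch shape: signed compare. A negative op is "< 7" and passes. */
static bool in_range_signed(int32_t op) {
    return !(op >= OP_COUNT);
}

/* Post-patch shape: unsigned compare. A negative op becomes >= 0x80000000
 * when viewed as unsigned, so it is "not below 7" and is rejected. */
static bool in_range_unsigned(int32_t op) {
    return !((uint32_t)op >= (uint32_t)OP_COUNT);
}

/* Dispatch an operation number using the chosen range check. Instead of
 * indexing op_names with an out-of-range value (the access violation the
 * post describes), report OP_WOULD_FAULT. */
static enum dispatch_status dispatch(int32_t op, bool use_unsigned_check) {
    bool ok = use_unsigned_check ? in_range_unsigned(op) : in_range_signed(op);
    if (!ok) return OP_REJECTED;
    if (op < 0 || op >= OP_COUNT) return OP_WOULD_FAULT;
    (void)op_names[op];  /* the handler lookup would happen here */
    return OP_OK;
}

int main(void) {
    int32_t samples[] = {0, 6, 7, -1, INT32_MIN};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("op=%d signed-check=%d unsigned-check=%d\n", samples[i],
               dispatch(samples[i], false), dispatch(samples[i], true));
    }
    return 0;
}
```

Only the comparison changes between the two variants; the table, the index and the caller are identical, which is why a one-instruction patch (jge to jae) is enough to close the issue.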


Micropatch Availability

Micropatches for CVE-2023-23388 were written for all affected security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 10 v21H1 - fully updated
  2. Windows 10 v2004 - fully updated
  3. Windows 10 v1909 - fully updated
  4. Windows 10 v1809 - fully updated
  5. Windows 10 v1803 - fully updated

Micropatches for CVE-2023-24871 were written for all affected security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 10 v21H1 - fully updated
  2. Windows 10 v2004 - fully updated

These micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Miloš (a.k.a. goodbyeselene) for sharing their analysis, POCs, and their prompt assistance with porting POCs to 32-bit systems, which all made it possible for us to create micropatches for these issues.

To learn more about 0patch, please visit our Help Center.


Tuesday, July 23, 2024

Micropatches Released for Windows MSHTML Platform Spoofing (CVE-2024-38112)

The July 2024 Windows Updates brought a patch for CVE-2024-38112, a vulnerability in Windows that allows an attacker to create a Windows Internet Shortcut file (extension .url) that looks exactly like a PDF document, while clicking on it opens the attacker's web page in Internet Explorer. The problem is that Internet Explorer, which is still present on Windows computers and integrated into many applications, is easier to exploit because it has no real sandbox.

This issue was reported to Microsoft by Haifei Li with Check Point Research, whose researchers noticed it being used by threat actors. Haifei later wrote an article detailing the vulnerability, demonstrating how a malicious executable could be executed using this trick. In addition, exploitation of the same issue was also detected in the wild by Trend Micro; they, too, reported it to Microsoft.

Microsoft patched this by deleting a small piece of code from ieframe.dll that allowed Internet Explorer to be launched via a URL file.

Unsupported Windows versions that we have security-adopted were also affected by this issue, so we created a micropatch for them. Our micropatch is logically equivalent to Microsoft's, containing a single JMP instruction to jump over the code that Microsoft removed on supported Windows versions.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated with no ESU, ESU 1/2/3
  10. Windows Server 2008 R2 - fully updated with no ESU, ESU 1/2/3/4
Micropatches have already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central with a free monthly trial, then install and register 0patch Agent (link in 0patch Central). Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Haifei Li with Check Point Research for sharing their analysis and POC, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.