Thursday, November 28, 2024

Windows Server 2012 Mark of the Web Vulnerability (0day) - and Free Micropatches for it


Our researchers discovered a previously unknown vulnerability on Windows Server 2012 and Server 2012 R2 that allows an attacker to bypass a security check otherwise enforced by Mark of the Web on certain types of files.

Our analysis revealed this vulnerability was introduced to Windows Server 2012 over two years ago, and remained undetected - or at least unfixed - until today. It is even present on fully updated servers with Extended Security Updates.

We reported this issue to Microsoft, and, as usual, issued micropatches for it that will remain free until Microsoft has provided an official fix.

We are withholding details on this vulnerability until Microsoft's fix becomes available to prevent malicious exploitation.


Micropatch Availability

Since this is a "0day" vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available.

Micropatches were written both for our:

 Legacy Windows versions:

  1. Windows Server 2012 updated to October 2023
  2. Windows Server 2012 R2 updated to October 2023

 Windows versions still receiving Windows Updates:

  1. Windows Server 2012 fully updated with Extended Security Updates
  2. Windows Server 2012 R2 fully updated with Extended Security Updates

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

 

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.


Micropatches for "LNK Stomping" Windows Mark of the Web Security Feature Bypass (CVE-2024-38217)

 

September 2024 Windows Updates brought a patch for CVE-2024-38217 a.k.a. "LNK Stomping", a security bypass vulnerability allowing an attacker to prevent the "Mark of the Web" (MotW) being applied to a downloaded malicious file.

The vulnerability was reported by security researcher Joe Desimone with Elastic Security, who published a detailed analysis and shared a proof-of-concept. This allowed us to reproduce the issue and issue our own patches for it for various security-adopted Windows versions that are no longer receiving updates from Microsoft.

 

The Vulnerability

Any downloaded file should get a Mark of the Web (a label in its alternate data stream marking its untrusted origin) and this also goes for LNK (Windows shortcut) files. A LNK file points to an executable file with optional parameters, such as powershell.exe or cmd.exe, which gets executed with optional command-line arguments when a user double-clicks the shortcut.

However, when a LNK file points to an executable file ending with some additional character (e.g., an extra dot), Windows automatically correct this by removing the extra character from the path and saving the corrected LNK file back to disk - removing the Mark of the Web in the process.

 

Microsoft's Patch

Microsoft patched this issue by modifying the CShellLink::_SaveAsLink function such that instead of calling SHCreateStreamOnFileW when saving a corrected LNK file, it now calls SHCreateStreamOnFileEx using an additional flag, which results in MotW not being deleted in the process.

Our Micropatch

Our patch is functionally identical to Microsoft's.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  10. Windows Server 2012, Server 2012 R2 - fully updated with no ESU
  11. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
 
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Joe Desimone with Elastic Security for sharing their analysis and proof-of-concept, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

Monday, November 18, 2024

Fixing a Bunch of Scripting Engine Vulnerabilities by Disabling Just-In-Time Compiler (CVE-2024-38178)

 

August 2024 Windows Updates brought a patch for CVE-2024-38178, a remotely exploitable memory corruption issue in "legacy" Scripting Engine (JScript9.dll). This engine, while part of long-expired Internet Explorer, is still present on all Windows computers and can be invoked via various mechanisms, for instance from an Office document.

Subsequently, security researchers Hosu Choi and Minyeop Choi of S2W Talon published a detailed article, which included a short proof-of-concept script, allowing us to reproduce the issue and issue our own patches for it.

 

The Vulnerability

This is yet another vulnerability in JScript9.dll's Just-in-Time (JIT) compiler. We've patched these kinds of issues in JScript9 JIT before (CVE-2021-34480, CVE-2022-41128), and this issue is actually just a bypass for the latter's patch.

In a similar way as with CVE-2022-41128, exploitation is done by malicious JavaScript code rendered by JScript9.dll, which first forces Scripting Engine to switch to JIT by executing a very long loop, thereby triggering JIT optimization. The JIT'ed malicious function is written so that JIT compiler generates flawed code, which is then used for corrupting memory and finally executing attacker's code on user's computer.

We encourage you to read the SW2 Talon article for details.

 

Microsoft's Patch

Microsoft patched this issue with a substantial amount of additional code, and an extension of some data structures.

Our Micropatch

We usually create our patches to be logically identical, or at least similar to Microsoft's. However, in this case we decided to take a different approach: namely, while JIT-compiled code can be significantly faster than interpreted JavaScript bytecode, this effect is strongest on special cases that are typically not encountered in real-world use.

On the other hand, about 50% of all vulnerabilities in browsers are related to JIT, which led Microsoft to introduce a "Super Duper Secure Mode" to their Edge browser already back in 2021. This mode disables JIT, and as claimed in their article, "... we find that users with JIT disabled rarely notice a difference in their daily browsing."

So we decided to fix some past JIT-related vulnerabilities that we had no test cases for, and all future JIT-related vulnerabilities in Jscript9.dll - by simply disabling JIT. In contrast to Edge, Internet Explorer never had a switch to disable JIT, so we couldn't piggyback on that and had to find our own way. Our approach was to patch function NewFunctionCodeGen, which is called whenever some JavaScript code should be JIT compiled, such that it always returns an error - so the execution continues with JavaScript bytecode instead.

Our patch has a single CPU instruction, setting the return value of function NewFunctionCodeGen to 0. The calling function, checking for this error, does the rest of the work.



;XX-2521
MODULE_PATH "..\AffectedModules\jscript9.dll_11.00.22000.1641_Win11-21H2_64-bit_u2023-10\jscript9.dll"
PATCH_ID 2075
PATCH_FORMAT_VER 2
VULN_ID 7838
PLATFORM win64
       
patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x104183
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 5
    code_start
        mov rax, 0
        
    code_end
patchlet_end


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  10. Windows Server 2012 R2 - fully updated with no ESU
  11. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
 
Interestingly, JScript9.dll on Windows Server 2012 (non-R2) does not seem to support JIT, so we didn't have to write a patch for it there.
 
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Hosu Choi and Minyeop Choi of S2W Talon for sharing their analysis and proof-of-concept, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.

Tuesday, November 12, 2024

Micropatches Released for Remote Registry Service Elevation of Privilege Vulnerability (CVE-2024-43532)

 


October 2024 Windows Updates brought a patch for CVE-2024-43532, a vulnerability in Windows Remote Registry Service that could allow an attacker with access to network communication between administrator's computer and computer under remote administration to hijack the network connection and obtain administrator's credentials. These could then be relayed to another server, for instance an Active Directory Certificate Server, and used for creating a new certificate for subsequent authentication.

Note that the official title of this issue ("Remote Registry Service Elevation of Privilege Vulnerability") is incorrect, as the vulnerability is not in the Remote Registry Service but rather in the remote registry client code, i.e., in the component that remotely connects to the Remote Registry Service on another computer. We're reluctantly keeping this title to avoid the risk of anyone thinking these are two separate issues.

Security researcher Stiv Kupchik of Akamai found this vulnerability and reported it to Microsoft. Subsequently, Stiv published a detailed article and provided a proof-of-concept tool.

 

The Vulnerability

The root cause of this vulnerability is the use of an insecure authentication level in a RpcBindingSetAuthInfo call (advapi32.dll) from function BaseBindToMachine, which provides user-supplied parameters that control the behavior of an RPC binding to the remote machine. 

The default behavior of the BaseBindToMachine call is to first try to bind to the RPC endpoint using named pipes and RPC_C_AUTHN_LEVEL_PKT_PRIVACY, but when that doesn't work, fall back to the vulnerable tcp_ip protocol with RPC_C_AUTHN_LEVEL_CONNECT - which provides no security. Because of the vulnerable RPC_C_AUTHN_LEVEL_CONNECT parameter, the tcp_ip biding can then be relayed to a different endpoint of attacker's choosing, while authenticating with victim's credentials.

Stiv Kupchik found one occurrence of the vulnerable RegConnectRegistryExW call in the registry editor application, but various other applications are likely to use remote registry connections in the same way.

 

Microsoft's Patch

Microsoft patched this issue by changing the default behavior of remote registry connections initiated through function BaseBindToMachine, but it also introduced new registry values that control the protocol fallback policy and security policy

Our Micropatch

Our patch is logically equivalent to enforcing the "patched" behavior of function BaseBindToMachine (i.e., when TransportFallbackPolicy is absent or set to 1 - DEFAULT), disabling the fallback functionality and only allowing remote registry connections over named pipes with RPC_C_AUTHN_LEVEL_PKT_PRIVACY.

Our patch has a single CPU instruction, whereby the pointer to the fallback protocol name is set to 0. Microsoft's original code in advapi32.dll then does the rest.



;XX-2562
MODULE_PATH "..\AffectedModules\advapi32.dll_10.0.19041.1052_Win10-2004_64-bit_u2021-12\advapi32.dll"
PATCH_ID 2029
PATCH_FORMAT_VER 2
VULN_ID 7839
PLATFORM win64
       
patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x42d9c
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
            
    code_start

        mov r15, 0x0    ;move 0 to r15 to replace the fallback protocol name pointer.

    code_end
patchlet_end


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  10. Windows Server 2012 (standard and R2) - fully udpated with no ESU
  11. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
 
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Stiv Kupchik of Akamai for sharing their analysis and proof-of-concept, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.