The world woke up on Tuesday to two new vulnerabilities – one in Windows and the other in Linux – that allow hackers who already have a foothold on a vulnerable system to bypass OS security restrictions and access sensitive resources.
As operating systems and applications become harder to hack, successful attacks typically require two or more vulnerabilities. One vulnerability gives the attacker access to low-privileged OS resources, where code can be executed or sensitive data can be read. The second vulnerability elevates that code execution or file access to OS resources reserved for password storage or other sensitive operations. The value of so-called local privilege escalation vulnerabilities has therefore increased in recent years.
The Windows vulnerability came to light on Monday when a researcher noticed what he believed was a coding regression in an upcoming Windows 11 beta. The researcher found that the contents of the Security Account Manager – the database that stores user accounts and security descriptors for users on the local computer – could be read by users with limited system privileges.
That made it possible to extract cryptographically protected password data, discover the password used to install Windows, obtain the computer keys for the Windows Data Protection API – which can be used to decrypt private encryption keys – and create an account on the vulnerable machine. The result is that a local user can raise their privileges up to SYSTEM, the highest level in Windows.
“I don’t know the full extent of the issue yet, but I think it’s too much to not be a problem,” noted researcher Jonas Lykkegaard. “So that no one has any doubt about what that means: it’s EoP to SYSTEM, even for sandboxed apps.”
yarh- for some reason on win11 the SAM file is now READ for users.
So if you have shadowvolumes enabled you can read the sam file like this:
I still don’t know the full extent of the issue, but I think it’s too much to not be a problem. pic.twitter.com/kl8gQ1FjFt
– Jonas L (@jonasLyk) July 19, 2021
Respondents to Lykkegaard pointed out that the behavior was not a regression introduced in Windows 11. Instead, the same vulnerability was present in the latest version of Windows 10. The U.S. Computer Emergency Readiness Team said the vulnerability is present when the Volume Shadow Copy Service – the Windows feature that lets the OS or applications take point-in-time snapshots of an entire disk without locking the file system – is turned on.
The advisory explained:
If a VSS shadow copy of the system drive is available, an unprivileged user can leverage access to these files to achieve a number of impacts, including but not limited to:
- Extract and leverage account password hashes
- Discover the original Windows installation password
- Acquire DPAPI computer keys, which can be used to decrypt all computer private keys
- Acquire a computer machine account, which can be used in a silver ticket attack
Note that VSS shadow copies may not be available in some configurations; however, simply having a system drive larger than 128GB and then performing a Windows Update or installing an MSI ensures that a VSS shadow copy is created automatically. To verify that a system has VSS shadow copies available, run the following command from a privileged command prompt:
vssadmin list shadows
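As an added example (not from the article, CERT, or Microsoft), the following PowerShell script automates the two checks the CERT note describes on one host: whether the SAM, SECURITY and SYSTEM hive files grant read access to BUILTIN\Users, and whether VSS shadow copies of the system drive exist. The function names are my own; the script only reads ACLs and shadow-copy metadata and changes nothing.

```powershell
# Added exposure check for CVE-2021-36934 (not from the article, CERT or Microsoft).
# It reports (1) whether the live hive files grant read access to BUILTIN\Users and
# (2) whether VSS shadow copies of the system drive exist, which is the combination
# the CERT note describes. Run from an elevated prompt: vssadmin needs admin rights.

$hives = 'SAM', 'SECURITY', 'SYSTEM' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveReadableByUsers {
    param([string]$Path)
    # Get-Acl only reads the security descriptor, so it works even though the
    # kernel keeps the live hive files open exclusively.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $grantsRead = ($ace.FileSystemRights -band
            [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq 'BUILTIN\Users' -and $grantsRead) {
            return $true
        }
    }
    return $false
}

# vssadmin prints "No items found that satisfy the query." when no shadow copies
# exist; each existing copy is listed with its own "Shadow Copy ID:" line.
function Test-SystemDriveShadowCopies {
    $output = & vssadmin.exe list shadows "/For=$env:SystemDrive" 2>&1
    return (@($output | Select-String -SimpleMatch 'Shadow Copy ID').Count -gt 0)
}

$exposed = @($hives | Where-Object { Test-HiveReadableByUsers -Path $_ })
$hasShadowCopies = Test-SystemDriveShadowCopies

foreach ($hive in $hives) {
    $state = if ($exposed -contains $hive) { 'readable by BUILTIN\Users' } else { 'restricted' }
    Write-Output ('{0}: {1}' -f $hive, $state)
}
Write-Output "Shadow copies of $env:SystemDrive present: $hasShadowCopies"

if ($exposed.Count -gt 0 -and $hasShadowCopies) {
    Write-Warning 'Both conditions hold: standard users can read hive contents via a shadow copy.'
} elseif ($exposed.Count -gt 0) {
    Write-Warning 'Hive ACLs are permissive; exposure begins as soon as a shadow copy is created.'
} else {
    Write-Output 'Hive ACLs restrict standard users; this vulnerability does not apply.'
}
```

Microsoft's later published workaround for this issue tightens the same ACLs with `icacls %windir%\system32\config\*.* /inheritance:e` and then deletes existing shadow copies, since copies made before the ACL change still carry the old permissions.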
Researcher Benjamin Delpy showed how the vulnerability can be exploited to obtain password hashes and other sensitive data:
Q: What can you do when you have #mimikatz🥝 & any Read access on Windows system files such as SYSTEM, SAM and SECURITY?
A: Local Privilege Escalation 🥳
– 🥝 Benjamin Delpy (@gentilkiwi) July 20, 2021
Currently, there are no patches available. A Microsoft representative said company officials are investigating the vulnerability and will take appropriate action as needed. The vulnerability is being tracked as CVE-2021-36934. Microsoft said in its advisory that in-the-wild exploitation is “more likely.”
And you, Linux kernel?
Meanwhile, most versions of Linux are in the process of distributing a fix for a vulnerability revealed on Tuesday. CVE-2021-33909, as the security flaw is tracked, allows an untrusted user to obtain unrestricted system rights by creating, mounting, and deleting a deep directory structure with a total path length exceeding 1GB and then opening and reading the
“We have exploited this uncontrolled out-of-bounds write and gained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation,” wrote researchers from Qualys, the security firm that discovered the vulnerability and created proof-of-concept code exploiting it. “Other Linux distributions are certainly vulnerable, and can probably be exploited.”
The exploitation Qualys describes comes with significant overhead, specifically roughly one million nested directories. The attack also requires about 5GB of memory and a million inodes. Despite the hurdles, a Qualys representative described the PoC as “extremely reliable” and said it takes about three minutes to complete.
Here is an overview of the exploitation:
1/ We mkdir() a deep directory structure (roughly 1M nested directories) whose total path length exceeds 1GB, we bind-mount it in an unprivileged user namespace, and we rmdir() it.
2/ We create a thread that vmalloc()ates a small eBPF program (via BPF_PROG_LOAD), and we block this thread (via userfaultfd or FUSE) after our eBPF program has been validated by the kernel eBPF verifier but before it is JIT-compiled by the kernel.
3/ We open() /proc/self/mountinfo in our unprivileged user namespace, and we start read()ing the long path of our bind-mounted directory, thereby writing the string “//deleted” to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated buffer.
4/ We arrange for this “//deleted” string to overwrite an instruction of our validated eBPF program (thereby nullifying the security checks of the kernel eBPF verifier), and we transform this uncontrolled out-of-bounds write into an information disclosure and into a limited but controlled out-of-bounds write.
5/ We transform this limited out-of-bounds write into an arbitrary read and write of kernel memory, by reusing Manfred Paul’s beautiful btf and map_push_elem techniques from:
Qualys has a separate writeup here.
People running Linux should check with their distributor to determine whether patches are available to fix the vulnerability. Windows users should await advice from Microsoft and outside security experts.