Posts Tagged ‘WindowsSecurity’
[DefCon32] DriverJack: Turning NTFS and Emulated ROFs into an Infection
Alessandro Magnosi, a security researcher at the British Standards Institution (BSI), presents DriverJack, a technique for loading a driver of the attacker's choosing on Windows 11 by abusing NTFS features and emulated read-only filesystems (ROFs) such as mounted ISO images. His DEF CON 32 talk traces how Driver Signature Enforcement (DSE) and Hypervisor-protected Code Integrity (HVCI) closed the door on unsigned drivers and pushed attackers toward new loading tricks, and it closes with detection guidance defenders can act on.
Exploiting NTFS and ROFs
Alessandro introduces DriverJack, which combines NTFS behaviour with the emulated CDFS that Windows uses for mounted ISO images to redirect a driver load, so that the image the kernel actually maps is not the file the system believes it is loading. Building on previously reported weaknesses in these emulated filesystems, he shows how a driver can be installed covertly and used for persistence, sidestepping controls that were designed around traditional on-disk malware deployment.
Bypassing Security Mechanisms
Alessandro then walks through how DriverJack gets past DSE and HVCI. He covers alternative delivery paths that stay in user mode and shows how the technique combines with existing kernel-access tooling such as Kernel Driver Utility (KDU) and Kernel Forge once HVCI is disabled. He also notes the hardware dimension: HVCI depends on virtualization features of the CPU, so older machines often run without it, which makes keeping hardware current as important as keeping software patched.
Detection and Mitigation Strategies
Alessandro provides practical Indicators of Compromise (IOCs): privilege escalations to SYSTEM or TrustedInstaller, changes to drive letter assignments, and modifications in the NT object manager namespace, where drive letters are implemented as symbolic links and can therefore be repointed. He recommends hashing driver images at load time and comparing the result with what the registered driver file should hash to, so that a load whose bytes do not match the expected image is caught. His proof-of-concept is public on GitHub, so defenders can reproduce the technique and test their detections against it.
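As an added example of the runtime cross-check Alessandro recommends (this is not code from the talk or from the DriverJack proof-of-concept), the Python below runs a hash and object-manager consistency check over a handful of constructed driver-load events. The event fields, the `KNOWN_GOOD` allowlist and the `TRUSTED_DEVICE_PREFIXES` list are assumptions; real telemetry would come from a kernel driver or ETW provider that records the registered image path, the NT device path the drive letter resolved to, and the hash of the mapped image. Python is used for every example on this page so the detection and exploitation sketches can be read side by side.

```python
"""Cross-check driver-load events against known-good hashes and the device
a drive letter resolved to. Added example, not part of the DriverJack PoC.
Telemetry fields and allowlists below are assumptions / constructed data."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class DriverLoadEvent:
    service_name: str      # kernel service that was started
    registered_path: str   # ImagePath as registered for the service (Win32 form)
    resolved_nt_path: str  # NT path the object manager resolved the drive letter to
    loaded_sha256: str     # SHA-256 of the bytes actually mapped into the kernel


# Hypothetical allowlist: SHA-256 expected for each driver image name
# (constructed placeholder digests, not real driver hashes).
KNOWN_GOOD = {
    "acme_audio.sys": "a" * 64,
    "legit_storage.sys": "b" * 64,
}

# Drive letters are symbolic links in the object manager; a driver registered
# under C:\ should resolve to a fixed disk volume, not to a CD-ROM/ISO device.
TRUSTED_DEVICE_PREFIXES = ("\\Device\\HarddiskVolume",)


def device_of(nt_path: str) -> str:
    """'\\Device\\CdRom0\\drivers\\x.sys' -> '\\Device\\CdRom0'."""
    return "\\".join(nt_path.split("\\")[:3])


def check_driver_load(event: DriverLoadEvent) -> list[str]:
    """Return the indicators raised by one load event (empty list = clean)."""
    findings: list[str] = []
    image = PureWindowsPath(event.registered_path).name.lower()

    # IOC 1: the drive letter in the registered path resolved to an unexpected
    # device (e.g. a mounted ISO), i.e. the object manager link was repointed.
    if not event.resolved_nt_path.startswith(TRUSTED_DEVICE_PREFIXES):
        findings.append(
            f"{event.service_name}: {image} loaded from untrusted device "
            f"{device_of(event.resolved_nt_path)}"
        )

    # IOC 2: the bytes the kernel mapped do not hash to the known-good image.
    expected = KNOWN_GOOD.get(image)
    if expected is None:
        findings.append(f"{event.service_name}: no known-good hash for {image}")
    elif expected != event.loaded_sha256.lower():
        findings.append(f"{event.service_name}: hash mismatch for {image}")
    return findings


def scan(events) -> dict[str, list[str]]:
    """Map service name -> findings, for events that raised at least one."""
    result = {}
    for event in events:
        findings = check_driver_load(event)
        if findings:
            result[event.service_name] = findings
    return result


# Constructed sample telemetry: one benign load, one hijacked load.
SAMPLE_EVENTS = [
    DriverLoadEvent(
        service_name="LegitStorage",
        registered_path=r"C:\Windows\System32\drivers\legit_storage.sys",
        resolved_nt_path=r"\Device\HarddiskVolume3\Windows\System32\drivers\legit_storage.sys",
        loaded_sha256="b" * 64,
    ),
    DriverLoadEvent(
        service_name="AcmeAudio",
        registered_path=r"C:\Windows\System32\drivers\acme_audio.sys",
        resolved_nt_path=r"\Device\CdRom0\drivers\acme_audio.sys",  # C: repointed to an ISO
        loaded_sha256="c" * 64,
    ),
]

if __name__ == "__main__":
    for service, findings in scan(SAMPLE_EVENTS).items():
        print(service)
        for line in findings:
            print("  -", line)
```

The two checks are deliberately independent: a hijack that keeps the original bytes but moves them to a different device is caught by the device check, and one that swaps the bytes behind an unchanged path is caught by the hash check.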
Strengthening System Defenses
Concluding, Alessandro urges organizations to keep hardware current enough to run HVCI and to cross-check driver integrity rather than trusting a path alone. DriverJack illustrates how each new platform protection shifts attacker effort toward the remaining gaps; publishing the technique gives defenders a concrete target to build and test controls against.
[DefCon32] Process Injection Attacks with ROP
Advanced return-oriented programming (ROP) opens new ground for process injection, and Bramwell Brizendine and Shiva Shashank Kusuma of Verona Lab present a methodology for doing it reliably. Their talk covers chaining complex Windows APIs purely through ROP, including the awkward problem of comparing strings when the needed gadgets are not available. They introduce a general way to identify the target process from within a chain and distil the work into reusable patterns, demonstrated with a live injection into Winamp.
ROP Challenges in Process Injection
Bramwell outlines why ROP-based injection is harder than conventional injection: several WinAPIs must be chained, each with its parameters placed exactly where the callee expects them, and the gadgets needed for a string comparison (to find a target by process name) are usually absent. Their answer is an enumeration routine built entirely from gadgets that walks the running processes and identifies the target, in the demo Winamp, by process ID (PID) rather than by name.
Building Reusable API Patterns
Shiva details the library of patterns they built for calling WinAPIs, many of them centred on the x86 PUSHAD instruction, which pushes all eight general-purpose registers in one go: a chain that loads the registers with the API address, a return address and the arguments can materialise a complete call frame with a single gadget. For APIs where no PUSHAD-style sequence works, they fall back to a “sniper” approach, hand-crafting an individual chain. Their demo injects shellcode into Winamp using CreateToolhelp32Snapshot, EnumProcesses and CreateRemoteThread, with the payload's memory mapped with the required permissions via NtMapViewOfSection. Writing the chains as patterns rather than one-off stacks is what makes them reusable across targets.
Practical Demonstration and Tools
The live demo runs the chain end to end: it snapshots the running processes, enumerates them to find Winamp's PID, and injects the shellcode by creating a remote thread. Their ROP ROCKET tool, which supports both ROP and jump-oriented programming, generates the underlying chains and ships templates researchers can adapt. Bramwell stresses that the goal is a scalable framework, not a single exploit.
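The PUSHAD pattern described above is easy to get wrong by one slot, so the following added example (not code from the talk or from ROP ROCKET) emulates what the instruction does to the stack and derives what the called API sees on entry. It does not execute a chain; it is a model for checking the register-to-argument mapping before laying out a real one. All addresses are made-up placeholders, and the `pushad; ret` gadget plus a bare `ret` gadget are assumed to exist in the target.

```python
"""Model of the PUSHAD call pattern used to invoke WinAPIs from a ROP chain
on 32-bit x86. Added example: it does not run a chain and is not code from
the talk or from ROP ROCKET. All addresses are hypothetical placeholders."""
import struct

# PUSHAD pushes the registers in this order, EAX first. Because the stack
# grows downward, EAX ends up at the highest address and EDI at the lowest,
# which is the new ESP, so a following RET pops the EDI value first.
PUSHAD_ORDER = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")

MASK32 = 0xFFFFFFFF


def pushad_frame(regs: dict, esp_before: int) -> list[tuple[int, str, int]]:
    """Return (address, register, value) for the 32-byte frame PUSHAD writes,
    lowest address first. The ESP slot holds the value ESP had before PUSHAD."""
    values = dict(regs, esp=esp_before)
    frame = []
    addr = (esp_before - 4 * len(PUSHAD_ORDER)) & MASK32
    for reg in reversed(PUSHAD_ORDER):  # EDI is written at the lowest address
        frame.append((addr, reg, values[reg] & MASK32))
        addr += 4
    return frame


def build_regs(api_addr, ret_gadget, return_addr, arg2, arg3, arg4, arg5=0):
    """Register values that make a `pushad; ret` gadget call api_addr.

    RET after PUSHAD pops EDI, so EDI must be a bare `ret` (a ROP NOP) that
    immediately pops ESI, the API entry. The API then sees EBP as its return
    address and the ESP, EBX, EDX, ECX, EAX slots as arguments 1-5. Argument 1
    is pinned to the pre-PUSHAD ESP, a pointer into the chain's own stack, which
    is why this pattern suits APIs whose first argument is an address."""
    return {
        "edi": ret_gadget, "esi": api_addr, "ebp": return_addr,
        "ebx": arg2, "edx": arg3, "ecx": arg4, "eax": arg5,
    }


def simulate_pushad_ret(regs: dict, esp_before: int) -> dict:
    """Emulate `pushad; ret` followed by the RET slide and report what the
    called API observes on entry."""
    slots = [value for _, _, value in pushad_frame(regs, esp_before)]
    esp = esp_before - 32           # PUSHAD moved ESP down by eight dwords
    eip = slots[0]                  # RET pops the EDI slot: the bare `ret` gadget
    esp += 4
    eip = slots[1]                  # that `ret` pops the ESI slot: jump into the API
    esp += 4
    return {
        "entry": eip,
        "stack_pointer_at_entry": esp & MASK32,
        "return_address": slots[2],  # EBP slot, consumed by the API's own RET
        "args": slots[3:],           # ESP, EBX, EDX, ECX, EAX slots
    }


def chain_bytes(regs: dict, esp_before: int) -> bytes:
    """Pack the frame as little-endian dwords: the bytes a chain would have to
    place by hand if no PUSHAD gadget were available (the 'sniper' case)."""
    return b"".join(struct.pack("<I", v) for _, _, v in pushad_frame(regs, esp_before))


# Placeholder addresses (hypothetical; no relation to any real binary).
API = 0x7C801AD4          # IAT slot or direct address of the target API
RET_GADGET = 0x00401001   # a bare `ret`
RETURN_ADDR = 0x0019FF80  # where execution continues when the API returns
ESP_BEFORE = 0x0019FF40

if __name__ == "__main__":
    regs = build_regs(API, RET_GADGET, RETURN_ADDR, 0x1000, 0x40, 0x0019FF00)
    for addr, reg, val in pushad_frame(regs, ESP_BEFORE):
        print(f"{addr:08x}  {reg:<3} = {val:08x}")
    print(simulate_pushad_ret(regs, ESP_BEFORE))
```

The model makes the two constraints of the pattern explicit: EDI must be a gadget that does nothing but return, and the first argument is whatever ESP was before the PUSHAD, so a chain that needs a different first argument has to accept that slot or use a different pattern.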
Implications for Security Research
By publishing their patterns and tools, Bramwell and Shiva let other researchers approach ROP-based injection systematically. They point out that defenders need to account for such techniques, since early-stage injections of this kind can evade EDR systems, and they invite the community to build on their open-source work for offensive testing and detection engineering alike.
[DefCon32] Sudos and Sudon’ts: Peering Inside Sudo for Windows
In February 2024 Microsoft shipped Sudo for Windows to the Windows 11 Insider Preview, bringing a Unix-style privilege elevation command to Windows. Michael Torres, a security researcher at Google, walks through the feature's architecture: how it is implemented, how its processes talk to each other, and where it might break. Drawing on reverse engineering and on how the Rust codebase reaches into Windows APIs, he surfaces a number of issues and argues that the tool's openness is its best defence, inviting the community to keep probing it so that convenience does not come at the cost of security.
Understanding Sudo for Windows
Michael begins by explaining what Sudo for Windows is: a utility that lets a user run a command with elevated rights from a non-elevated console. Unlike its Unix counterpart, it delegates elevation to User Account Control (UAC), and the elevated and non-elevated halves communicate over Advanced Local Procedure Call (ALPC). Shipping in Windows 11 version 24H2, it offers three modes: run the command in a new window, run it in the current window with input closed, or run it inline, the closest to Linux sudo. The code is open source on GitHub, which is what allows the kind of inspection Michael performs.
Security Implications and Rust Challenges
Turning to the internals, Michael looks at how the Rust implementation calls Windows APIs. Rust is valued for memory safety, but every native call crosses an “unsafe” boundary where the compiler's guarantees stop, so memory-corruption bugs remain possible in exactly the code that is hardest to get right. He describes several non-critical issues reported to the Microsoft Security Response Center (MSRC) and one vulnerability still under embargo. His advice to bug hunters is to concentrate on those unsafe FFI boundaries, where assumptions about Windows API behaviour meet Rust code.
Path Resolution and Process Coordination
Michael also examines path resolution, which determines how the tool handles file paths and relative paths in the command it is asked to run. Because ALPC coordinates an elevated process with a non-elevated one, everything that crosses that channel arrives from a lower-privileged context and has to be treated as untrusted; a mistake in path handling or in how the elevated side interprets what it receives could become an unintended privilege escalation. He flags this area for further investigation and notes how narrow the line between convenience and safety is here.
Community Engagement and Future Directions
Michael closes by praising the open-source release and urging researchers to keep examining the codebase. As Sudo for Windows reaches mainline Windows 11 it may change how administrators work day to day, but only if its security holds up, and he asks that findings be reported responsibly so that issues are fixed before they can be exploited.
[DefCon32] Windows Downdate: Downgrade Attacks Using Windows Updates
The idea of a “fully patched” system breaks down in the face of downgrade attacks, as Alon Leviev, a self-taught security researcher at SafeBreach, shows. Examining the Windows Update process, he found a way to roll critical components (DLLs, drivers, the kernel and the virtualization stack) back to older, vulnerable builds while the system still passes its own integrity checks, reviving privilege-escalation bugs that had long been fixed. His tool, Windows Downdate, makes “updated” a claim that can no longer be taken at face value.
Alon, a former Brazilian Jiu-Jitsu champion turned OS-internals and reverse-engineering specialist, was prompted by the BlackLotus UEFI bootkit, which bypassed Secure Boot by reverting a patched component, to ask whether the same trick would work against other parts of Windows. It does: he found a design flaw in how updates are applied that lets an attacker feed the system crafted downgrades and switch off protections such as Virtualization-Based Security (VBS).
The consequences are serious: a downgraded system reports itself as fully updated, recovery and scanning tools see nothing wrong, and future patches no longer apply, leaving the machine exposed to thousands of already-known vulnerabilities.
BlackLotus and the Downgrade Threat
Alon traces the research to BlackLotus, which exploited an already-patched Secure Boot flaw by reverting the vulnerable component. Secure Boot verifies the signatures of the boot chain, but an older component is still validly signed, so the check passes; that observation led Alon to ask whether Windows Update had analogous weaknesses.
He finds that the update process does not robustly validate what it is asked to install. By tampering with update manifests, an attacker can make the system revert specific files to older versions and then exploit the vulnerabilities those versions carry, without any alert being raised.
Compromising the Virtualization Stack
Turning to Hyper-V, the Secure Kernel and Credential Guard, Alon downgrades the virtualization stack itself and reopens privilege escalations there. VBS is meant to isolate sensitive operations and to resist being disabled, a posture it backs with a UEFI lock; Alon's methods nonetheless switch these protections off, which he reports as a first.
The underlying weakness is that less-privileged code is allowed to update more-privileged components, a design choice dating to VBS's debut in 2015. His demonstrations show a downgraded hypervisor, undermining the trust boundary that Windows' security architecture is built on.
Restoration Vulnerabilities
A second flaw, in the update restoration path, makes matters worse. Unprivileged users can trigger a rollback that embeds malicious updates which persist across reboots, and recovery tools do not catch them because the system records itself as compliant.
Alon's Windows Downdate tool automates the whole process, producing updates that downgrade the system from drivers to kernel and that the update machinery applies as though they were legitimate.
Industry Implications and Mitigations
The research exposes a blind spot around downgrade attacks. Alon calls for deliberate design reviews of surfaces nobody has looked at closely, update mechanisms being the prime example, and notes that Linux and macOS may harbour comparable weaknesses that deserve examination before someone else finds them.
Mitigations include stronger validation of update contents, tighter privilege requirements around who can stage an update, and monitoring for anomalous updates or for component versions that move backwards. Alon's findings were disclosed responsibly to Microsoft, and they make the case that trust in patching has to be restored by changing the design, not by fixing one more bug.
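Monitoring for component versions that go backwards is the one check a defender can implement without waiting for a platform fix, and the Python below is an added example of it, not code from Windows Downdate or from SafeBreach. The baseline table, the component list, the update identifier and every version string are constructed placeholders that do not describe any real update; real input would come from reading the file version resource of each component and the installed-update list, neither of which is trusted on its own.

```python
"""Detect downgraded components on a system that reports itself fully updated.
Added example, not part of Windows Downdate. All versions and the update
identifier below are constructed placeholders; the baseline is hypothetical."""
from typing import NamedTuple


class Version(NamedTuple):
    """Four-part Windows file version (major.minor.build.revision); tuple
    ordering gives the right comparison semantics for free."""
    major: int
    minor: int
    build: int
    revision: int

    @classmethod
    def parse(cls, text: str) -> "Version":
        parts = text.strip().split(".")
        if len(parts) != 4 or not all(p.isdigit() for p in parts):
            raise ValueError(f"not a four-part version: {text!r}")
        return cls(*(int(p) for p in parts))

    def __str__(self) -> str:
        return ".".join(str(p) for p in self)


# Hypothetical baseline: for the cumulative update the system claims to have
# installed, the minimum file version each protected component must carry.
# Constructed values; they do not refer to any real Windows update.
BASELINE = {
    "KB9990001": {
        "ntoskrnl.exe": "10.0.22631.3447",
        "securekernel.exe": "10.0.22631.3447",
        "hvix64.exe": "10.0.22631.3447",
        "ci.dll": "10.0.22631.3447",
        "winload.efi": "10.0.22631.3447",
    }
}


def find_downgrades(reported_update: str, inventory: dict) -> dict:
    """Compare the on-disk version of each protected component with the baseline
    for the update the OS reports. Returns {component: (actual, minimum)} for
    components older than the baseline or missing from the inventory. The
    OS-reported update is used only to select the baseline, never as proof."""
    expected = BASELINE[reported_update]
    findings = {}
    for name, minimum in expected.items():
        actual = inventory.get(name)
        if actual is None:
            findings[name] = (None, minimum)
            continue
        if Version.parse(actual) < Version.parse(minimum):
            findings[name] = (actual, minimum)
    return findings


# Constructed inventory: the machine reports KB9990001 installed, but two
# VBS-related components have been rolled back to older builds.
REPORTED_UPDATE = "KB9990001"
SAMPLE_INVENTORY = {
    "ntoskrnl.exe": "10.0.22631.3447",
    "securekernel.exe": "10.0.22631.2506",  # downgraded
    "hvix64.exe": "10.0.22631.3447",
    "ci.dll": "10.0.22631.2428",            # downgraded
    "winload.efi": "10.0.22631.3447",
}

if __name__ == "__main__":
    for component, (actual, minimum) in find_downgrades(REPORTED_UPDATE, SAMPLE_INVENTORY).items():
        print(f"{component}: have {actual or 'missing'}, baseline requires {minimum}")
```

The point of keeping the baseline separate from the OS's own update record is precisely the failure mode Alon describes: after a downgrade the record still says the update is installed, so only an independently held expectation of what that update ships can reveal that the files no longer match it.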