Two-by-Tuesday vulnerabilities send Windows and Linux users to battle


The world woke up Tuesday to two new vulnerabilities, one in Windows and the other in Linux, that allow attackers who already have a foothold on a vulnerable system to bypass operating system security restrictions and access sensitive resources.

As operating systems and applications become harder to hack, successful attacks generally require two or more vulnerabilities. One vulnerability gives the attacker access to low-privilege operating system resources, where they can execute code or read sensitive data. A second vulnerability elevates that code execution or file access to operating system resources reserved for password storage or other sensitive operations. Consequently, the value of so-called local privilege escalation vulnerabilities has increased in recent years.

Breaking windows

The Windows vulnerability came to light by accident on Monday when a researcher observed what he believed to be a coding regression in a beta version of the upcoming Windows 11. The researcher found that the contents of the Security Account Manager (SAM), the database that stores user accounts and security descriptors for users on the local computer, could be read by users with limited system privileges.

That made it possible to extract cryptographically protected password data, discover the password used to install Windows, obtain the computer keys for the Windows Data Protection API (DPAPI), which can be used to decrypt private encryption keys, and create an account on the vulnerable machine. The upshot is that a local user can elevate privileges to SYSTEM, the highest level in Windows.

“I don’t yet know the full extent of the problem, but I think it’s too much not to be a problem,” said researcher Jonas Lykkegaard. “Lest anyone have any doubts as to what this means, it is EoP to SYSTEM even for sandboxed applications.”

People responding to Lykkegaard noted that the behavior was not a regression introduced in Windows 11; the same vulnerability was present in the latest version of Windows 10. The US Computer Emergency Readiness Team issued a notice saying that the vulnerability is present when the Volume Shadow Copy Service, the Windows feature that allows the operating system or applications to take “point-in-time snapshots” of an entire disk without locking the file system, is enabled.

The notice explained:

If a VSS snapshot of the system drive is available, an unprivileged user can take advantage of access to these files to achieve a number of impacts, including but not limited to:

  • Extract and leverage account password hashes
  • Discover the original Windows installation password
  • Obtain the DPAPI computer keys, which can be used to decrypt all private keys on the computer
  • Obtain a computer machine account, which can be used in a silver ticket attack

Note that VSS snapshots may not be available in some configurations; however, simply having a system drive larger than 128GB and then performing a Windows update or installing an MSI will ensure that a VSS snapshot is created automatically. To check whether a system has VSS snapshots available, run the following command from a privileged command prompt:
vssadmin list shadows

Researcher Benjamin Delpy showed how the vulnerability can be exploited to obtain password hashes and other sensitive data.

There is currently no patch available. A Microsoft representative said company officials are investigating the vulnerability and will take appropriate action as needed. The vulnerability is tracked as CVE-2021-36934. Microsoft said that in-the-wild exploitation is “more likely”.

Et tu, Linux kernel?

Meanwhile, most Linux distributions are in the process of rolling out a fix for a vulnerability disclosed Tuesday. CVE-2021-33909, as the flaw is tracked, allows an untrusted user to gain unrestricted system rights by creating, mounting, and deleting a deep directory structure with a total path length exceeding 1GB and then opening and reading the /proc/self/mountinfo file.

“We successfully exploited this uncontrolled out-of-bounds write and gained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation,” wrote researchers at Qualys, the security firm that discovered the vulnerability and created proof-of-concept code that exploits it. “Other Linux distributions are certainly vulnerable and probably exploitable.”

The exploit described by Qualys comes with significant overhead, specifically about 1 million nested directories. The attack also requires around 5GB of memory and 1 million inodes. Despite these hurdles, a Qualys representative described the PoC as “extremely reliable” and said it takes about three minutes to complete.

Here is an overview of the exploit:

1 / We mkdir() a deep directory structure (roughly 1M nested directories) whose total path length exceeds 1GB, bind-mount it in an unprivileged user namespace, and rmdir() it.

2 / We create a thread that vmalloc()ates a small eBPF program (via BPF_PROG_LOAD), and we block this thread (via userfaultfd or FUSE) after our eBPF program has been validated by the kernel’s eBPF verifier but before it is JIT-compiled by the kernel.

3 / We open() /proc/self/mountinfo in our unprivileged user namespace and start read()ing the long path of our bind-mounted directory, thereby writing the string “//deleted” at an offset of exactly -2GB-10B below the beginning of a vmalloc()ated buffer.

4 / We arrange for this “//deleted” string to overwrite an instruction in our validated eBPF program (and hence nullify the security checks of the kernel’s eBPF verifier), and we transform this uncontrolled out-of-bounds write into an information disclosure and into a limited but controlled out-of-bounds write.

5 / We transform this limited out-of-bounds write into an arbitrary read and write of kernel memory by reusing Manfred Paul’s beautiful btf and map_push_elem techniques from:
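As an added illustration, not Qualys’s code or the kernel’s, the C model below shows the length-bookkeeping failure that connects the “path length exceeding 1GB” in the paragraph above with the “-2GB-10B” offset in step 3: the size_t-to-int conversion Qualys reported in the kernel’s seq_file layer. Once the output buffer has grown past 2GB, narrowing its length to a 32-bit int yields INT_MIN, the only bounds test is “did the int go negative after subtracting the prefix length?”, and a 10-byte prefix therefore lands 2GB+10 bytes before the buffer. The function names and the simplified check are assumptions of the model; the hardened variant keeps the length unsigned and compares before subtracting.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TWO_GB ((size_t)1 << 31)

/* What a 64-bit size_t becomes when handed to a 32-bit int parameter.  The wrap is
 * emulated explicitly so this model itself contains no signed-overflow UB. */
static int32_t narrow_to_int(size_t n)
{
    uint32_t low = (uint32_t)n;                  /* only the low 32 bits survive */
    if (low <= (uint32_t)INT32_MAX)
        return (int32_t)low;
    return -(int32_t)(UINT32_MAX - low) - 1;     /* two's-complement reading */
}

/* 32-bit two's-complement subtraction, again without undefined behaviour. */
static int32_t sub32(int32_t a, int32_t b)
{
    return narrow_to_int((size_t)((uint32_t)a - (uint32_t)b));
}

/* Model of the buggy bookkeeping (assumed names): buflen is an int and the only bounds
 * test is whether it went negative.  Returns the offset, relative to the buffer start,
 * where a namelen-byte prefix would be copied; *ok tells whether the check let it through. */
static long long vulnerable_prepend_offset(size_t bufsize, int32_t namelen, bool *ok)
{
    int32_t buflen = narrow_to_int(bufsize);     /* size_t -> int: 2GB becomes INT_MIN */
    int32_t remaining = sub32(buflen, namelen);  /* INT_MIN - 10 wraps to a large positive */
    if (remaining < 0) { *ok = false; return 0; }
    *ok = true;
    return (long long)buflen - namelen;          /* write pointer = buf + buflen - namelen */
}

/* Hardened form: keep the length unsigned and full width, refuse lengths that do not
 * survive narrowing, and compare before subtracting. */
static long long hardened_prepend_offset(size_t bufsize, size_t namelen, bool *ok)
{
    if (bufsize > (size_t)INT_MAX || namelen > bufsize) { *ok = false; return 0; }
    *ok = true;
    return (long long)(bufsize - namelen);
}

int main(void)
{
    bool ok;
    long long off = vulnerable_prepend_offset(TWO_GB, 10, &ok);  /* "//deleted" is 10 bytes */
    printf("vulnerable: check passed=%d, prefix written at offset %lld\n", ok, off);
    off = hardened_prepend_offset(TWO_GB, 10, &ok);
    printf("hardened:   check passed=%d, offset %lld\n", ok, off);
    return 0;
}
```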

Qualys has a separate writeup here.

People running Linux should check with their vendor to determine whether patches are available to correct the vulnerability. Windows users should await guidance from Microsoft and outside security experts.
