The world woke up Tuesday to two new vulnerabilities—one in Windows and the other in Linux—that allow hackers with a toe in a vulnerable system to bypass OS security restrictions and access sensitive resources.
As systems and applications become harder to hack, successful attacks often require two or more vulnerabilities. A vulnerability allows an attacker to access low-privileged OS resources, where code may be executed or sensitive data may be read. The second vulnerability places that code execution or file access on OS resources reserved for password storage or other sensitive operations. The amount of so-called local interest enhancement deficiencies, accordingly, has increased in recent years.
The windows are covered come to light by accident on Monday when a researcher noticed what he believed to be a coding flaw in the upcoming beta version of Windows 11. The researcher found that the contents of security account manager— the database that stores user accounts and security definitions for users on the local computer — can be read by users with limited system privileges.
That makes it possible to extract cryptographically protected password data, discover the password used to install Windows, obtain computer keys for data security Windows API—which can be used to kill encryption keys write something private—and create an account on the secure device. The result is that the local user can elevate privileges all the way to Settings, the highest level in Windows.
“I don’t know the full extent of the issue yet, but it’s too big not to be a problem I think,” researcher Jonas Lykkegaard noted. “So no one is in doubt what this means, it is EOP to SYSTEM for even sand applications.”
yarh- for some reason on win11 the SAM file is now READ for users.
So if you have shadowvolumes enabled you can read the sam file like this:
I don’t know the full extent of the issue yet, but it’s too much to not be a problem I think. pic.twitter.com/kl8gQ1FjFt
— Jonas L (@jonasLyk) July 19, 2021
The people who responded to Lykkegaard pointed out that the behavior is not a bug built into Windows 11. Instead, the same vulnerability exists in the latest version of Windows 10. The US Computer Emergency Response Team tell that the vulnerability exists when the Volume Shadow Copy Service — a Windows feature that allows the OS or applications to take “snapshots” of an entire disk without locking the file system — is turned on.
The proposal explains:
If a VSS shadow copy of the system drive is available, an unprivileged user can use access to these files to achieve a number of effects, including but not limited to:
- Extract and balance account password hashes
- Find the original Windows installation password
- Collect DPAPI computer keys, which can be used to delete all computer private keys
- Get a computer account, which can be used in a silver ticket attack
Note that VSS shadow copies may not be available in some configurations; however, simply having a system drive larger than 128GB in size and then performing a Windows update or MSI installation will ensure that a VSS shadow copy will be created. automatically created. To check if a system has VSS shadow copies available, run the following command from an elevated command prompt:
vssadmin list shadows
Researcher Benjamin Delpy show how vulnerability can be used to collect password hashes or other sensitive data:
Q: What can you do when you have it #mimikatz🥝 & some access Read on Windows system files like SYSTEM, SAM and SECURITY?
A: Community Benefit Promotion 🥳
– 🥝🏳️🌈 Benjamin Delpy (@gentilkiwi) July 20, 2021
Currently, there is no patch available. A Microsoft representative said company officials are investigating the vulnerability and will take appropriate action as needed. The vulnerability is tracked as CVE-2021-36934. Microsoft said Here that exploits in the wild are “more likely.”
And soLinux kernel?
Most versions of Linux, meanwhile, are in the process of distributing a fix for a vulnerability reported on Tuesday. CVE-2021-33909, as tracked security flaw, allows an untrusted user to gain unfettered system privileges by creating, mounting, and deleting a deep process file with a total file size exceeding 1GB and then open and read the
“We succeeded in successfully building an unmanaged script and obtaining full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation,” researchers from Qualys , the security company that discovered the vulnerability. and create proof-of-concept code that exploits it, write. “Other Linux distributions are definitely vulnerable, and probably are.”
The described use of Qualys comes with a significant overhead, specifically roughly 1 million sequences. The attack also requires about 5GB of memory and 1 million inodes. Despite the hurdles, a Qualys representative described the PoC as “extremely reliable” and said it took about three minutes to complete.
Here is an overview of the abuse:
1/ A mkdir () is a deep directory (about 1M file size) if the total length exceeds 1GB, it is bound up with an unfile user namespace, and rmdir () it.
2/ We create a thread whose vmalloc() is a small eBPF program (via BPF_PROG_LOAD), and we block this thread (via userfaultfd or FUSE) after our eBPF program has been validated by the eBPF kernel verifier but before it is JIT-loaded by the kernel.
3/ We open () / proc / personal / mountinfo in the unprivileged user name field and start reading () the long path of the directory we entered, thus writing the string “// delete” to an offset of exactly -2GB – 10B below the order of a vmalloc() ated buffer.
4/ This “//delete” string is set to rewrite a process of the approved eBPF system (and thus to declare the security checks of the eBPF kernel eBPF processor) and reject the change that cannot be controlled outside the boundary into information display and into information display a limited but led out-of-boundary write.
5/ We convert a limited write to an arbitrary read and write of kernel memory using Manfred Paul’s beautiful btf and map_push_elem instructions from:
Qualys has a separate document Here.
People running Linux should check with the distributor to determine if patches are available to fix the vulnerability. Windows users should wait for advice from Microsoft and outside security experts.