A couple of vulnerabilities that a security researcher from China-based Singular Security Lab disclosed at this week's Black Hat Europe 2020 virtual event have highlighted once again why it is dangerous for organizations to underestimate the threat from old, overlooked bugs in commonly used software products.
The newly disclosed bugs exist in Windows code found in versions of the operating system, from the latest iteration of Windows 10 all the way back to at least Windows 7 from 2009. The privilege escalation bugs allow attackers a way to gain complete control of vulnerable systems.
According to security researcher Rancho Han at Singular Security, the problem specifically exists in an old and barely known component in the Windows kernel called the user mode print driver (UMPD).
The driver consists of two main components: a printer graphics dynamic link library (DLL) that assists the graphics device interface in rendering a print job and sending the job to the print spooler; and a printer interface DLL that the spooler uses to notify the driver of print-related events, Han said in his Black Hat presentation.
The problem exists in the interaction between the UMPD and certain Windows kernel functions. According to Han, when a user initiates some kinds of print-related functions, the UMPD interacts with the graphics engine and receives what are known as "callbacks" from the kernel. The manner in which the interaction takes place gives attackers an opportunity to insert malicious code into the process, which is then executed at the Windows kernel level.
"When you create a user object in user space and when you create some functions to call back to user space, an attacker could … modify the object; when the kernel reuses the object, it could create many security issues," Han said.
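The pattern Han describes, a kernel routine that validates an object shared with user mode, calls back into user mode, and then trusts the object again, is illustrated below as an added example; it is a constructed simulation, not code from the talk or from Windows, and every name in it (print_obj, umpd_callback_t, the kernel_use_* routines) is hypothetical.

```c
#include <stdio.h>

/* Constructed simulation of the check / callback / reuse pattern.
 * None of these types or routines exist in Windows; they only model
 * the ordering problem the text describes. */

#define BUF_LEN 16

typedef struct {
    char   buf[BUF_LEN];  /* storage a real kernel would write a print job into */
    size_t len;           /* length field that user mode can read and write */
} print_obj;

typedef void (*umpd_callback_t)(print_obj *obj);

/* Vulnerable pattern: validate once, call back to user mode, then trust the
 * object again. Returns the byte count the kernel would copy into buf, or -1
 * if validation rejected the object. */
long kernel_use_unsafe(print_obj *obj, umpd_callback_t cb) {
    if (obj->len > BUF_LEN) return -1;  /* check made on user-visible memory */
    cb(obj);                            /* user mode runs here and may change obj */
    return (long)obj->len;              /* len is re-read after the callback, so the
                                           check above is stale; a real kernel would
                                           memcpy this many bytes into a 16-byte buf */
}

/* Hardened pattern: capture the object into kernel-owned memory before the
 * callback and never re-read the shared copy. Re-validating after the
 * callback returns is the other common fix. */
long kernel_use_safe(print_obj *obj, umpd_callback_t cb) {
    print_obj captured = *obj;          /* snapshot that user mode cannot reach */
    if (captured.len > BUF_LEN) return -1;
    cb(obj);                            /* changes to obj do not affect captured */
    return (long)captured.len;
}

/* A well-behaved driver callback leaves the object alone; a misbehaving one
 * rewrites the length while the kernel is suspended inside the callback. */
static void benign_cb(print_obj *obj)    { (void)obj; }
static void modifying_cb(print_obj *obj) { obj->len = 4 * BUF_LEN; }

long run_unsafe(void) { print_obj o = { {0}, 8 }; return kernel_use_unsafe(&o, modifying_cb); }
long run_safe(void)   { print_obj o = { {0}, 8 }; return kernel_use_safe(&o, modifying_cb); }
long run_benign(void) { print_obj o = { {0}, 8 }; return kernel_use_unsafe(&o, benign_cb); }

int main(void) {
    printf("unsafe path trusts %ld bytes (buffer holds %d)\n", run_unsafe(), BUF_LEN);
    printf("safe path uses %ld bytes\n", run_safe());
    return 0;
}
```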
Microsoft, which patched the issues months ago, has described the issue as an escalation of privilege vulnerability that an attacker already logged in to a vulnerable system would be able to exploit. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," Microsoft said in its advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
According to Microsoft, attacks targeting the vulnerability are hard to pull off and would require an adversary to invest considerable time in understanding the target environment and in building out an attack. However, a successful attack could result in complete loss of confidentiality, system integrity, and availability, the software giant said.
Han's use of the Windows user-mode callback mechanism to launch kernel-level attacks builds on previous work that security researcher Tarjei Mandt disclosed at Black Hat USA in 2011. That work resulted in as many as 44 privilege escalation vulnerabilities being subsequently patched.
Interestingly, the vulnerabilities that Han exploited are the result of a Microsoft effort to make Windows safer. Originally, printer drivers were loaded into the Windows kernel. But starting with Windows Vista, Microsoft made a big change and began running the print drivers in user mode. "The change was made as a security enhancement," Han said. "Once moved to user mode, bugs in the printer driver would have a much-reduced security impact" compared with kernel-level drivers, he said.
However, the manner in which the kernel callbacks to user mode were implemented created an entirely new attack surface, the security researcher noted.