Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

07:10 PM
Connect Directly

Researcher Developed New Kernel-Level Exploits for Old Vulns in Windows

Problem has to do with a print driver component found in all versions of Windows going back to Windows 7, security researcher from Singular Security Lab says at Black Hat Europe 2020.

A couple of vulnerabilities that a security researcher from China-based Singular Security Lab disclosed at this week's Black Hat Europe 2020 virtual event has highlighted once again why it's dangerous for organizations to underestimate the threat from old, overlooked bugs in commonly used software products.

The newly disclosed bugs exist in Windows code found in versions of the operating system, from the latest iteration of Windows 10 all the way back to at least Windows 7 from 2009. The privilege escalation bugs allow attackers a way to gain complete control of vulnerable systems.

Related Content:

7 Cool Cyberattack and Audit Tools to be Highlighted at Black Hat Europe

The Changing Face of Threat Intelligence

New on The Edge: 10 Ways Device Identifiers Can Spot a Cybercriminal

According to security researcher Rancho Han at Singular Security, the problem specifically exists in an old and barely known component in Windows kernel called user mode print driver (UMPD).

The driver consists of two main components: a printer graphics dynamic link library (DLL) that assists the graphics device interface in rendering a print job and sending the job to the print spooler; and a printer interface DLL that the spooler uses to notify the driver of print-related events, Han said in his Black Hat presentation.

The problem exists in the interaction between the UMPD and certain Windows kernel functions. According to Han, when a user initiates some kinds of print-related functions, the UMPD interacts with the graphics engine and receives what are known as "callbacks" from the kernel. The manner in which the interaction takes places gives attackers an opportunity to insert malicious code into the process, which is then executed at the Windows kernel level.

"When you create a user object in user space and when you create some functions to call back to user space, an attacker could … modify the object; when the kernel reuses the object, it could create many security issues," Han said.

Microsoft, which patched the issues months ago, has described the issue as an escalation of privilege vulnerability that an attacker already logged in to a vulnerable system would be able to exploit. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," Microsoft said in its advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

According to Microsoft, attacks targeting the vulnerability are hard to pull off and would require an adversary to invest considerable time understanding the targeting environment and in building out an attack. However, a successful attack could result in complete loss of confidentiality, system integrity, and availability, the software giant said.

Han's use of the Windows user-mode callback mechanism to launch kernel level attacks builds on previous work that security researcher Tarjei Mandt disclosed at Black Hat USA in 2011. That work resulted in as many as 44 privilege escalation vulnerabilities being subsequently patched,

Interestingly, the vulnerabilities that Han exploited are the result of a Microsoft effort to make Windows safer. Originally, printer driver modes were loaded into the Windows kernel. But starting with Windows Vista, Microsoft made a big change and began running the print drivers in user mode. "The change was made as a security enhancement," Han said. "Once moved to user mode, bugs in the printer driver would have a much-reduced security impact" compared with kernel-level drivers, he said.

However, the manner in which the kernel callbacks to user mode were implemented created an entirely new attack surface, the security researcher noted.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...