
Threat Intelligence

12/9/2020
07:10 PM

Researcher Developed New Kernel-Level Exploits for Old Vulns in Windows

Problem has to do with a print driver component found in all versions of Windows going back to Windows 7, security researcher from Singular Security Lab says at Black Hat Europe 2020.

A pair of vulnerabilities that a security researcher from China-based Singular Security Lab disclosed at this week's Black Hat Europe 2020 virtual event have highlighted once again why it is dangerous for organizations to underestimate the threat from old, overlooked bugs in commonly used software products.

The newly disclosed bugs exist in Windows code found in versions of the operating system, from the latest iteration of Windows 10 all the way back to at least Windows 7 from 2009. The privilege escalation bugs allow attackers a way to gain complete control of vulnerable systems.


According to security researcher Rancho Han at Singular Security, the problem specifically exists in an old and little-known Windows print component, the user-mode printer driver (UMPD), and in the kernel-side graphics code that calls back into it.

The driver consists of two main components: a printer graphics dynamic link library (DLL) that assists the graphics device interface in rendering a print job and sending the job to the print spooler; and a printer interface DLL that the spooler uses to notify the driver of print-related events, Han said in his Black Hat presentation.

The problem exists in the interaction between the UMPD and certain Windows kernel functions. According to Han, when a user initiates some kinds of print-related operations, the UMPD interacts with the graphics engine and receives what are known as "callbacks" from the kernel. The manner in which that interaction takes place gives attackers an opportunity to insert malicious code into the process, which is then executed at the Windows kernel level.

"When you create a user object in user space and when you create some functions to call back to user space, an attacker could … modify the object; when the kernel reuses the object, it could create many security issues," Han said.
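The failure pattern Han describes above, in which kernel code resolves an object, hands control to user mode through a callback, and then keeps using the object without noticing that user mode freed or replaced it, can be shown in a small constructed model. The following C program is an added illustration for this article, not code from Han's presentation or from Windows: the object table, the handle and generation scheme, and the `kernel_op_unsafe` / `kernel_op_safe` functions are all hypothetical. It runs the same operation once with a pointer cached across the callback (the vulnerable shape) and once with the handle re-resolved and its identity re-checked after the callback returns (the hardened shape).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy "kernel" object table. Handles are indexes into this table, and every
 * slot carries a generation counter so a stale reference can be detected.
 * This is a constructed model, not a Windows data structure. */
#define MAX_OBJECTS 4

struct kobj {
    int in_use;
    unsigned generation;
    char name[16];
};

static struct kobj table[MAX_OBJECTS];

/* Signature of a "user-mode" callback that the kernel invokes mid-operation. */
typedef void (*user_callback)(int handle);

static void table_reset(void) { memset(table, 0, sizeof table); }

/* Allocate the lowest free slot, like a simple allocator that reuses freed
 * memory. Returns the handle, or -1 if the table is full. */
static int obj_create(const char *name) {
    for (int h = 0; h < MAX_OBJECTS; h++) {
        if (!table[h].in_use) {
            table[h].in_use = 1;
            table[h].generation++;
            snprintf(table[h].name, sizeof table[h].name, "%s", name);
            return h;
        }
    }
    return -1;
}

static void obj_destroy(int h) {
    if (h >= 0 && h < MAX_OBJECTS && table[h].in_use) {
        table[h].in_use = 0;
        memset(table[h].name, 0, sizeof table[h].name);
    }
}

/* Vulnerable shape: the pointer is resolved before the callback and reused
 * afterwards with no check, so whatever user mode put in that slot is what
 * the kernel now operates on. Returns the name the kernel ends up using. */
static const char *kernel_op_unsafe(int h, user_callback cb) {
    struct kobj *obj = &table[h];   /* cached across the user-mode callback */
    cb(h);                          /* user mode runs here and may free/replace */
    return obj->name;               /* reused without re-validation */
}

/* Hardened shape: record the object's generation, run the callback, then
 * re-resolve the handle and refuse to continue if the object is gone or was
 * replaced. Copies the name into out and returns 0, or returns -1 on failure. */
static int kernel_op_safe(int h, user_callback cb, char *out, size_t outlen) {
    if (h < 0 || h >= MAX_OBJECTS || !table[h].in_use) return -1;
    unsigned gen = table[h].generation;
    cb(h);
    if (!table[h].in_use || table[h].generation != gen) return -1;
    snprintf(out, outlen, "%s", table[h].name);
    return 0;
}

/* A well-behaved user-mode callback. */
static void benign_callback(int h) { (void)h; }

/* A hostile callback: free the object the kernel still points at and refill
 * the same slot (lowest free index) with attacker-chosen contents. */
static void malicious_callback(int h) {
    obj_destroy(h);
    obj_create("evil");
}

int main(void) {
    char out[16];
    table_reset();
    int h = obj_create("job1");
    printf("unsafe, benign callback:    uses \"%s\"\n", kernel_op_unsafe(h, benign_callback));
    printf("unsafe, malicious callback: uses \"%s\"\n", kernel_op_unsafe(h, malicious_callback));
    table_reset();
    h = obj_create("job1");
    int rc = kernel_op_safe(h, malicious_callback, out, sizeof out);
    printf("safe, malicious callback:   rc=%d (object replaced, operation refused)\n", rc);
    return 0;
}
```

The generation check stands in for what real kernels do with reference counts, locks and handle re-validation after any excursion into user mode; the point is that nothing resolved before the callback may be trusted after it.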

Microsoft, which patched the issues months ago, has described the issue as an escalation of privilege vulnerability that an attacker already logged in to a vulnerable system would be able to exploit. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," Microsoft said in its advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

According to Microsoft, attacks targeting the vulnerability are hard to pull off and would require an adversary to invest considerable time understanding the target environment and building out an attack. However, a successful attack could result in complete loss of confidentiality, system integrity, and availability, the software giant said.

Han's use of the Windows user-mode callback mechanism to launch kernel-level attacks builds on previous work that security researcher Tarjei Mandt disclosed at Black Hat USA in 2011. That work resulted in as many as 44 privilege escalation vulnerabilities being subsequently patched.

Interestingly, the vulnerabilities that Han exploited are the result of a Microsoft effort to make Windows safer. Originally, printer drivers were loaded into the Windows kernel. But starting with Windows Vista, Microsoft made a big change and began running the print drivers in user mode. "The change was made as a security enhancement," Han said. "Once moved to user mode, bugs in the printer driver would have a much-reduced security impact" compared with kernel-level drivers, he said.

However, the manner in which the kernel callbacks to user mode were implemented created an entirely new attack surface, the security researcher noted.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...