430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Security

Google discloses a Zero-Day Windows 8.1 flaw

Google Project Zero team has disclosed the details of an unpatched flaw affecting Windows 8.1 systems and reported to Microsoft in September. The experts at the Google Project Zero team have ethically disclosed the details of an unpatched Windows 8.1 vulnerability reported to Microsoft in September. The team has waited for 90 days before publicly disclose the […]

Google discloses a Zero-Day Windows 8.1 flaw

Google Project Zero team has disclosed the details of an unpatched flaw affecting Windows 8.1 systems and reported to Microsoft in September.

The experts at the Google Project Zero team have ethically disclosed the details of an unpatched Windows 8.1 vulnerability reported to Microsoft in September. The team has waited for 90 days before publicly disclose the details of the flaw in compliance with its disclosure policy.

“This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.”

Unfortunately, Microsoft still hasn’t issued a patch for the Windows 8.1 flaw that could be exploited by an attacker to elevate his privileges on a target machine to gain administrator access. Security experts believe that Microsoft will release a fix in the next set of Patch Tuesday security bulletins, which are scheduled for Jan. 13.

Windows 8 1

In order to exploit the vulnerability, the attackers need valid logon credentials to use locally.

According the Google researcher James Forshaw, the flaw affects the NtApphelpCacheControl system call that is used by Windows 8.1 systems for quick caching of application data. According to researchers, the system doesn’t validate correctly the user’s impersonation token, in particular it is not able to manage his privileges.

“It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID. It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check,” Forshaw wrote in an advisory on the Google vulnerability database. “For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways.”

Forshaw explained that he wasn’t sure that the vulnerability affects also Windows 7 systems, he provided a proof-of-concept exploit code was tested only on Windows 8.1 update, on both 32- and 64-bit versions.

It’s unclear if Windows 7 is vulnerable as the code path for update has a TCB privilege check on it (although it looks like depending on the flags this might be bypassable). No effort has been made to verify it on Windows 7. NOTE: This is not a bug in UAC, it is just using UAC auto elevation for demonstration purposes.” states the advisory.

Below the steps to follow to exploit the vulnerability on Windows 8.1 systems:

1) Put the AppCompatCache.exe and Testdll.dll on disk 2) Ensure that UAC is enabled, the current user is a

2) Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).

3) Execute AppCompatCache from the command prompt with the command line “AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll”.

4) If successful then the calculator should appear running as an administrator. If it doesn’t work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run.

The PoC for the Windows 8.1 vulnerability is available at the following URL:

https://google-security-research.googlecode.com/issues/attachment?aid=1180000000&name=poc.zip&token=ABZ6GAcinCdBWFbys57rfNuyqfh9ME1_ug%3A1420225192253

The “Project Zero” started by Google involves a team of Star Hackers and Bug Hunters with the purpose to improve security of the Internet. Google hired a team of top security researchers that work to discover most severe security vulnerabilities in applications and services around the world and to fix them.

Pierluigi Paganini

(Security Affairs –  Windows 8.1, Google Project Zero)