Two-for-Tuesday vulnerabilities send Windows and Linux users into scramble




The world woke up on Tuesday to two new vulnerabilities, one in Windows and the other in Linux, that allow attackers who already have a foothold on a vulnerable system to bypass operating system security restrictions and access sensitive resources.

As operating systems and applications become harder to hack, successful attacks typically chain two or more vulnerabilities. One vulnerability gives an attacker access to low-privilege operating system resources, where code can be executed or sensitive data can be read. A second vulnerability elevates that code execution or file access to resources reserved for storing passwords or performing other sensitive operations. The value of so-called local privilege escalation vulnerabilities has therefore risen in recent years.

Breaking Windows

The Windows vulnerability came to light by accident on Monday, when a researcher noticed what he believed to be a coding regression in a beta release of the upcoming Windows 11. The researcher found that the contents of the Security Account Manager, the database that stores user accounts and security descriptors on the local computer, could be read by users with limited system privileges.

That makes it possible to extract the cryptographically protected password data, discover the password used when Windows was installed, obtain the computer keys for the Windows Data Protection API (which can be used to decrypt the machine's private encryption keys), and create an account on the vulnerable machine. The upshot is that a local user can elevate their privileges to SYSTEM, the highest level in Windows.

“I don’t know the full extent of the problem yet, but it’s too much not to be a problem I think,” noted researcher Jonas Lykkegaard. “Just so no one doubts what that means, it’s EOP to SYSTEM even for sandbox applications.”

People who responded to Lykkegaard pointed out that the behavior was not a regression introduced in Windows 11. Instead, the same vulnerability was present in the latest version of Windows 10. The US Computer Emergency Readiness Team said the vulnerability is present when Volume Shadow Copy Service, the Windows feature that allows the operating system or applications to take "snapshots" of an entire disk without locking the file system, is enabled.

The notice explained:

If a VSS shadow copy of the system drive is available, an unprivileged user can exploit access to these files to achieve a number of impacts, including, but not limited to:

  • Extract and mine account password hashes
  • Find out the original Windows installation password
  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys
  • Obtain a computer machine account, which can be used in a silver ticket attack

Note that VSS shadow copies may not be available in some configurations; however, simply having a system drive larger than 128GB in size and then performing a Windows update or installing an MSI will ensure that a VSS shadow copy is automatically created. To check if a system has VSS shadow copies, run the following command from a privileged command prompt:
vssadmin list shadows
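As an added defender-side check (not from the article or the CERT notice), the PowerShell script below reports whether the vulnerable condition described above is present on a host: it tests whether BUILTIN\Users holds read access on the SAM, SECURITY and SYSTEM hives and whether any VSS shadow copies exist that would expose an older copy of them. It assumes an elevated PowerShell prompt; the icacls workaround it prints is the one Microsoft published for this CVE and should be confirmed against the current advisory before use.

```powershell
# Added example: audit a host for CVE-2021-36934 exposure. Run elevated.
$hives = 'SAM', 'SECURITY', 'SYSTEM' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

# Any Allow ACE granting ReadData to the built-in Users group is the
# vulnerable ACL condition the notice describes.
$exposed = @()
foreach ($hive in $hives) {
    $acl = Get-Acl -Path $hive
    $userRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band
            [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    if ($userRead) { $exposed += $hive }
}

# Shadow copies keep a readable copy of the hives even after the live
# ACL is corrected, so they are part of the exposure.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue

if ($exposed.Count -gt 0) {
    Write-Warning ('BUILTIN\Users can read: ' + ($exposed -join ', '))
} else {
    Write-Host 'Hive ACLs do not grant read access to BUILTIN\Users.'
}

if ($shadows) {
    $oldest = $shadows.InstallDate | Sort-Object | Select-Object -First 1
    Write-Warning ('{0} VSS shadow copies present (oldest {1})' -f $shadows.Count, $oldest)
} else {
    Write-Host 'No VSS shadow copies present.'
}

if ($exposed.Count -gt 0) {
    Write-Host 'Microsoft workaround: restrict the config directory, then remove'
    Write-Host 'existing shadow copies once you have confirmed they are not needed:'
    Write-Host '  icacls %windir%\system32\config\*.* /inheritance:e'
    Write-Host '  vssadmin delete shadows /for=C: /quiet'
}
```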

Researcher Benjamin Delpy showed how the vulnerability can be exploited to obtain password hashes and other sensitive data.

Currently, no patch is available. A Microsoft representative said company officials are investigating the vulnerability and will take appropriate action as needed. The vulnerability is tracked as CVE-2021-36934. Microsoft said here that in-the-wild exploitation is "more likely."

And you, Linux kernel?

Most versions of Linux, meanwhile, are in the process of distributing a patch for a vulnerability disclosed on Tuesday. CVE-2021-33909, as the security flaw is tracked, allows an untrusted user to gain unrestricted system rights by creating, mounting, and deleting a deep directory structure with a total path length greater than 1GB, then opening and reading the /proc/self/mountinfo file.

"We have successfully exploited this uncontrolled out-of-bounds write and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation," wrote researchers from Qualys, the security company that discovered the vulnerability and created proof-of-concept code that exploits it. "Other Linux distributions are certainly vulnerable, and probably exploitable."

The exploit described by Qualys comes with significant overhead, notably around 1 million nested directories. The attack also requires around 5GB of memory and 1 million inodes. Despite the hurdles, a Qualys representative described the PoC as "extremely reliable" and said it takes about three minutes to complete.

Here is an overview of the exploit:

1/ We mkdir() a deep directory structure (roughly 1M nested directories) whose total path length exceeds 1GB, we bind-mount it in an unprivileged user namespace, and rmdir() it.

2/ We create a thread that vmalloc()ates a small eBPF program (via BPF_PROG_LOAD), and we block this thread (via userfaultfd or FUSE) after our eBPF program has been validated by the kernel's eBPF verifier but before it is JIT-compiled by the kernel.

3/ We open() /proc/self/mountinfo in our unprivileged user namespace and start read()ing the long path of our bind-mounted directory, thereby writing the string "//deleted" at an offset of exactly -2GB-10B below the beginning of a vmalloc()ated buffer.

4/ We arrange for this "//deleted" string to overwrite an instruction of our validated eBPF program (and hence nullify the security checks of the kernel's eBPF verifier), and we transform this uncontrolled out-of-bounds write into an information disclosure and into a limited but controlled out-of-bounds write.

5/ We transform this limited out-of-bounds write into an arbitrary read and write of kernel memory by reusing Manfred Paul's beautiful btf and map_push_elem techniques from:

https://www.thezdi.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification

Qualys has a separate write-up here.

People running Linux should check with their vendor to determine if patches are available for the vulnerability. Windows users should wait for guidance from Microsoft and outside security experts.


