Serious flaw affects Windows 8.1 - discovery by Google Security Research

Piteko21

Serious flaw affects Windows 8.1 - discovered by Google Security Research

"Platform: Windows 8.1 Update 32/64 bit (No other OS tested)

On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext.

This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level of the token so it's possible to get an identification token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways"...



The only question is whether the fix will be included in the next Patch Tuesday, which will be released on January 13, or delivered through a security update, which can be published at any time.

Until Microsoft's security update is released, it is recommended that users keep their anti-virus updated and keep their firewalls active and ready to tackle security problems.
 
Last edited:
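Added example, not part of the original post or the quoted report, and not the code of ahcache.sys or of Microsoft's fix: a simplified C model of the check the report describes, showing the SID-only comparison beside a version that also requires the impersonation level. The Token and Caller structs, the function names, the fallback to the process token and the sample SIDs are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same ordering as Windows' SECURITY_IMPERSONATION_LEVEL. */
typedef enum { SecurityAnonymous, SecurityIdentification,
               SecurityImpersonation, SecurityDelegation } ImpLevel;

typedef struct { const char *user_sid; ImpLevel level; } Token;

/* Simplified caller: process token plus optional thread token (assumption). */
typedef struct { const Token *primary; const Token *impersonation; } Caller;

static const char LOCAL_SYSTEM_SID[] = "S-1-5-18";

static bool is_local_system(const Token *t) {
    return t != NULL && strcmp(t->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Flawed pattern from the report: SID compared, impersonation level ignored. */
bool check_flawed(const Caller *c) {
    const Token *t = c->impersonation ? c->impersonation : c->primary;
    return is_local_system(t);
}

/* Hardened pattern: a thread token counts only at SecurityImpersonation+. */
bool check_hardened(const Caller *c) {
    const Token *t = c->impersonation;
    if (t != NULL && t->level < SecurityImpersonation)
        return false;  /* identification-level token: inspect-only */
    return is_local_system(t ? t : c->primary);
}

/* Constructed sample callers (SIDs other than S-1-5-18 are made up). */
static const Token user_primary = { "S-1-5-21-1111-2222-3333-1001", SecurityAnonymous };
static const Token system_ident = { LOCAL_SYSTEM_SID, SecurityIdentification };
static const Token system_full  = { LOCAL_SYSTEM_SID, SecurityImpersonation };
const Caller plain_user   = { &user_primary, NULL };
const Caller ident_holder = { &user_primary, &system_ident };
const Caller impersonator = { &user_primary, &system_full };

int main(void) {
    printf("ident_holder: flawed=%d hardened=%d\n",
           check_flawed(&ident_holder), check_hardened(&ident_holder));
    printf("impersonator: flawed=%d hardened=%d\n",
           check_flawed(&impersonator), check_hardened(&impersonator));
    return 0;
}
```

The two checks differ only for `ident_holder`: a caller holding a LocalSystem token at identification level passes the SID-only check but is refused once the level is taken into account.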

ElectricSheep

Can someone explain that in plain English? Little bit too much technical jargon there... Sorry! :confused: