Temporary micropatch available for zero-day Windows exploit

upnorth (Moderator, Staff Member; member since Jul 27, 2015)
The patch source code.
Code:
;Micropatch for wer.dll version 10.17134.471
;
;How it works:
; The vulnerable CreateFileW call that creates the temporary report XML file,
; which otherwise inherits the loose C:\ProgramData\Microsoft\Windows\WER\Temp\
; permissions, is replaced by a call to ConvertStringSecurityDescriptorToSecurityDescriptor,
; which builds a security descriptor from an SDDL string, followed by a new CreateFileW
; call that passes that descriptor in a SECURITY_ATTRIBUTES struct.
; The new descriptor grants the Authenticated Users group no DELETE right on the
; report XML, so a regular user can no longer delete it and replace it with a hard link.

MODULE_PATH "..\AffectedModules\wer.dll_10.17134.471_64bit\wer.dll"
PATCH_ID 344
PATCH_FORMAT_VER 2
VULN_ID 4657
PLATFORM win64

patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PIT kernel32.dll!CreateFileW,advapi32.dll!ConvertStringSecurityDescriptorToSecurityDescriptorA,kernel32.dll!LocalFree
PATCHLET_OFFSET 0x00059bd7
JUMPOVERBYTES 11
N_ORIGINALBYTES 2

 code_start

  mov qword [rsp+10h], r8 ; dwShareMode
  mov qword [rsp+8h], rdi ; storing a global variable
  mov qword [rsp], rcx    ; lpFileName
 
  call arg0_StringSecurityDescriptor

  ; args for ConvertStringSecurityDescriptorToSecurityDescriptor
  ; we changed (A;;0x13019f;;;AU) to (A;;GRSD;;;AU) - meaning
  ; AuthenticatedUsers can Read and Delete only
  db "D:(A;;FA;;;BA)(A;;GRGW;;;AU)(A;;0x13019f;;;SU)(A;;0x13019f;;;LS)(A;;0x13019f;;;NS)(A;;0x13019f;;;WR)(A;;0x13019f;;;AC)(A;;0x13019f;;;S-1-15-2-2)",0
 
  arg0_StringSecurityDescriptor:
  pop rcx ; rcx=arg0_StringSecurityDescriptor
 
  mov rdx, 01h ; arg1: StringSDRevision=SDDL_REVISION_1
 
  ;arg2: this arg is part of SECURITY_ATTRIBUTES struct so we have to create this first
                   ; sa requires 18h of space
  sub rsp, 20h     ; but we're allocating 8 more than required nLength to keep stack alignment
  lea r8, [rsp+8h] ;arg2: SecurityDescriptor=&sa.lpSecurityDescriptor
 
  ;init sa:
  mov dword [rsp],18h    ;sa.nLength = sizeof(SECURITY_ATTRIBUTES);
  mov dword [rsp+10h],1h ;sa.bInheritHandle=1 (TRUE)
 
  xor r9d,r9d ; SecurityDescriptorSize=NULL
 
  sub rsp, 20h ; allocate homespace
  call PIT_ConvertStringSecurityDescriptorToSecurityDescriptorA
 
  ;copy CreateFileW args 5,6 and 7 to a new stack frame
  mov rax, [rsp+60h] ; dwCreationDisposition
  mov qword [rsp],rax
  mov rax, [rsp+68h] ; dwFlagsAndAttributes
  mov qword [rsp+8h],rax
  mov rax, [rsp+70h] ; hTemplateFile
  mov qword [rsp+10h],rax
 
  ;obtain CreateFileW args 1,2,3,4
  mov rcx, [rsp+40h] ; lpFileName
  mov edx, 0C0000000h ; dwDesiredAccess
  mov r8, [rsp+50h] ; dwShareMode
  lea r9,[rsp+20h] ;lpSecurityAttributes
 
  sub rsp, 20h ; alloc homespace
  call PIT_CreateFileW
  mov [rsp+28h],rax ; store result
 
  ;free the security descriptor:
  mov rcx,[rsp+48h] ; sa.lpSecurityDescriptor
  call PIT_LocalFree ;LocalFree(sa.lpSecurityDescriptor)
  mov rax,[rsp+28h] ;restore result
  mov rdi,[rsp+68h] ;restore the global variable
  add rsp, 60h      ;restore stack
 
 code_end

patchlet_end
Source: 0patch Blog
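The whole effect of the patch is in that one SDDL string, so here is a small decoder to check it. This is an added example written for this thread, not code from 0patch or the blog post. It parses the DACL ACEs, expands the rights field (two-letter SDDL codes or a hex mask) into a Win32 access mask, applies the file GENERIC_MAPPING the kernel uses at access-check time, and reports which rights Authenticated Users keep. The patched string is the one from the patch above; the unpatched string is an assumption, rebuilt by putting 0x13019f back into the AU ACE as the patch comment describes; the constants are the documented winnt.h and sddl.h values.

```python
"""SDDL DACL decoder for the WER report-file descriptor (added example, not 0patch's code).

Expands each ACE's rights field into a Win32 access mask, applies the file-object
GENERIC_MAPPING the kernel uses at access-check time, and reports which named rights
a trustee ends up with. PATCHED_SDDL is the string from the micropatch; UNPATCHED_SDDL
is reconstructed (an assumption) from the patch comment, which says only the AU ACE changed.
"""
import re

# Access-mask bits for file objects (winnt.h).
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA = 0x0001, 0x0002, 0x0004, 0x0008
FILE_WRITE_EA, FILE_EXECUTE, FILE_DELETE_CHILD = 0x0010, 0x0020, 0x0040
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x0080, 0x0100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = 0x10000, 0x20000, 0x40000, 0x80000, 0x100000
GENERIC_ALL, GENERIC_EXECUTE, GENERIC_WRITE, GENERIC_READ = 0x10000000, 0x20000000, 0x40000000, 0x80000000
RIGHT_NAMES = {n: globals()[n] for n in (
    "FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_EXECUTE "
    "FILE_DELETE_CHILD FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES DELETE READ_CONTROL "
    "WRITE_DAC WRITE_OWNER SYNCHRONIZE").split()}

# GENERIC_MAPPING for files: what each GENERIC_* bit grants on a file object.
FILE_GENERIC_READ = READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE  # 0x120089
FILE_GENERIC_WRITE = (READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA
                      | FILE_APPEND_DATA | SYNCHRONIZE)  # 0x120116
FILE_GENERIC_EXECUTE = READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE  # 0x1200a0
FILE_ALL_ACCESS = 0x001F01FF
GENERIC_MAPPING = {GENERIC_READ: FILE_GENERIC_READ, GENERIC_WRITE: FILE_GENERIC_WRITE,
                   GENERIC_EXECUTE: FILE_GENERIC_EXECUTE, GENERIC_ALL: FILE_ALL_ACCESS}
# SDDL rights abbreviations (sddl.h) that can appear in a file descriptor.
SDDL_RIGHTS = {"GA": GENERIC_ALL, "GR": GENERIC_READ, "GW": GENERIC_WRITE, "GX": GENERIC_EXECUTE,
               "FA": FILE_ALL_ACCESS, "FR": FILE_GENERIC_READ, "FW": FILE_GENERIC_WRITE,
               "FX": FILE_GENERIC_EXECUTE, "SD": DELETE, "RC": READ_CONTROL, "WD": WRITE_DAC, "WO": WRITE_OWNER}
# ACE string layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")

PATCHED_SDDL = ("D:(A;;FA;;;BA)(A;;GRGW;;;AU)(A;;0x13019f;;;SU)(A;;0x13019f;;;LS)(A;;0x13019f;;;NS)"
                "(A;;0x13019f;;;WR)(A;;0x13019f;;;AC)(A;;0x13019f;;;S-1-15-2-2)")
# Assumption: the pre-patch descriptor differs only in the AU ACE named in the patch comment.
UNPATCHED_SDDL = PATCHED_SDDL.replace("(A;;GRGW;;;AU)", "(A;;0x13019f;;;AU)")


def parse_rights(field: str) -> int:
    """Turn an SDDL rights field ("GRGW", "FA", "0x13019f", "") into a raw access mask."""
    field = field.strip()
    if not field:
        return 0
    if field[:2].lower() == "0x":
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= SDDL_RIGHTS[field[i:i + 2]]  # KeyError on an abbreviation we do not know
    return mask


def map_generic(mask: int) -> int:
    """Replace GENERIC_* bits with the file-specific rights they map to, as the kernel does."""
    specific = mask & ~(GENERIC_ALL | GENERIC_EXECUTE | GENERIC_WRITE | GENERIC_READ)
    for generic, expanded in GENERIC_MAPPING.items():
        if mask & generic:
            specific |= expanded
    return specific


def parse_dacl(sddl: str) -> list:
    """Return [(ace_type, flags, mapped_mask, trustee), ...] for every ACE in the D: section."""
    start = sddl.find("D:")
    if start < 0:
        return []
    end = sddl.find("S:", start + 2)  # an optional SACL follows the DACL
    dacl = sddl[start + 2:end if end >= 0 else len(sddl)]
    return [(t, f, map_generic(parse_rights(r)), sid) for t, f, r, _o, _i, sid in ACE_RE.findall(dacl)]


def allowed_rights(sddl: str, trustee: str) -> int:
    """Rights granted to one exact trustee (group membership is not modelled)."""
    # ACEs are folded in order; a deny ACE blocks those bits in later allows, which
    # is enough for canonically ordered DACLs (denies first). The WER strings have allows only.
    allowed = denied = 0
    for ace_type, _flags, mask, sid in parse_dacl(sddl):
        if sid != trustee:
            continue
        if ace_type == "D":
            denied |= mask
        elif ace_type == "A":
            allowed |= mask & ~denied
    return allowed


def has_right(sddl: str, trustee: str, right: int) -> bool:
    return allowed_rights(sddl, trustee) & right == right


def decode(mask: int) -> list:
    """Names of the rights set in a mapped access mask."""
    return [name for name, bit in RIGHT_NAMES.items() if mask & bit]


def rights_removed(before: str, after: str, trustee: str) -> list:
    """Rights the trustee held under `before` that `after` no longer grants."""
    return decode(allowed_rights(before, trustee) & ~allowed_rights(after, trustee))


if __name__ == "__main__":
    for label, sddl in (("unpatched", UNPATCHED_SDDL), ("patched", PATCHED_SDDL)):
        print(f"{label:9s} AU=0x{allowed_rights(sddl, 'AU'):08x} DELETE={has_right(sddl, 'AU', DELETE)}")
    print("removed for AU:", rights_removed(UNPATCHED_SDDL, PATCHED_SDDL, "AU"))
```

Running it shows AU dropping from 0x13019f to 0x12019f, which is exactly DELETE removed while read and write stay. Two caveats when auditing a fix like this: the decoder only looks at ACEs that name the trustee literally, so rights reaching a user through Everyone or Users are not counted, and Windows also permits deleting a file when the caller holds FILE_DELETE_CHILD on the parent directory, so the Temp directory's own DACL, which the patch leaves untouched, is part of the check as well.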
 

DeepWeb (member since Jul 1, 2017)
They are just like hooks that are placed when the host PC is online/running, and the patches are taken out of memory once it is shut down. These are called micro-patches for a reason: they are small, don't need a reboot, and play safe with all apps, as they only patch the affected product or software.
And that is my problem. I don't trust hooks. 0patch hooks every process. It's even more problematic than AVs.
 

zzz00m (member since Jun 10, 2017)
I think I will wait for MS to patch this one. It is a privilege escalation bug, which assumes that any attacker must have already compromised your system and taken control of an account. If that is the case, then you have other issues ... ;)

From the article:
Privilege escalation vulnerabilities do not allow hackers to break into computers remotely without user interaction. However, once attackers compromise a low-privileged account through some other method, like malware delivered via email, they can exploit such bugs to take full control of systems. SandboxEscaper has disclosed four Windows privilege escalation flaws since August and the first one, located in the Windows Task Scheduler, was quickly used by hackers in attacks before Microsoft was able to release a patch.

Fortunately, the AngryPolarBearBug is not as easy to exploit as the Windows Task Scheduler one because it is a race condition, so it takes multiple retries to succeed, and because attackers can't fully control the data with which files are being overwritten. The proof-of-concept released by SandboxEscaper overwrites a critical system file that’s needed during the Windows boot process, leading to a denial-of-service condition rather than to arbitrary code execution. However, this doesn't mean that achieving code execution is not possible.
 

SearchLight (member since Jul 3, 2017)
There is exploit mitigation in most suites, including Windows Defender, but it's not guaranteed to catch all exploits. Patching is still a must.

Also, in practice anti-exploit would only cover user-space exploits; kernel ones can only be patched in practice (there's GRSecurity for Linux that's meant to be about prevention, but adoption is low so there's no way to evaluate how well it has worked). Patches are released for both kernel and user-space exploits though.

If I were to choose between patching to latest without any security software or high-tier security software and no patching, I'd choose patching.
For moderate to low risk activities (no pirated software, conservative browsing, only opening emails from folks you know and opening attachments only when you expect one), a fully patched system is quite secure.

I agree best practice would be a good security suite plus installation of appropriate security patches and/or updates.
 

shmu26 (Honorary Member; member since Jul 3, 2015)
Wouldn't a good security suite by a reputable vendor, i.e. Kaspersky, Bitdefender, or Norton, protect a system against this zero-day exploit without patching?
We can hope so, but we can't be sure. However, a default/deny setup will prevent the initial infection that leads to this privilege escalation exploit. It is always best policy to stop problems before they start. Relying on an AV is less than ideal, because any change in the file's composition could cause it not to be detected, and any change in the attack sequence could allow it to evade the AV's exploit-detection algorithm. With AV alone, you are always at risk from innovative malware.
 

Arequire (member since Feb 10, 2017)
0patch is a boon for organisations that delay updates (potential vulnerability fixes) for months after they've been released.
For home users I see little value in it; most consumer vendors set their software to update automatically and patch known vulnerabilities in an acceptable time frame. Add to that the fact that 0patch does nothing to safeguard against 0-day vulnerabilities being exploited, so you're still reliant on your existing real-time solution for protection in that regard.
 

pcuser88 (member since Sep 15, 2016)
.. most consumer vendors set their software to update automatically and patch known vulnerabilities in an acceptable time frame.

This is not to defend the use of 0Patch.

That's putting a lot of faith in exactly the things that have been failing Windows users. People who are familiar with the shortcomings of Windows 10 automatic updates and (do I even have to say it?) especially Microsoft wouldn't set their system to update automatically. Acceptable time frame? You should see how the same users try every trick in the circle to postpone the updates. The longer it is the better for them.
 

Arequire (member since Feb 10, 2017)
This is not to defend the use of 0Patch.

That's putting a lot of faith in exactly the things that have been failing Windows users. People who are familiar with the shortcomings of Windows 10 automatic updates and (do I even have to say it?) especially Microsoft wouldn't set their system to update automatically. Acceptable time frame? You should see how the same users try every trick in the circle to postpone the updates. The longer it is the better for them.
The issue is that your average Windows user doesn't know the risks of not updating their software. They hear update and think it's going to add or change something; they have no concept of patching vulnerabilities or exploits targeting those vulnerabilities. This obviously needs to change. People need to be educated and told that updating their software is fundamental to their system's security. Knowledgeable users need to point to WannaCry and tell them that's going to happen to them if they don't keep everything updated. If someone knows the risks of not updating and then still chooses not to do so then I'm perfectly okay with that, that's their prerogative, and if they get infected because of it then so be it, they knew the risks.

So as awful as software updates can be, I can't blame Microsoft for forcing their updates on users. Yes, updates should be better; they should be less frequent, should cause less breakages and they should come around at less inconvenient times, but abandoning updates is not the solution.
 

pcuser88 (member since Sep 15, 2016)
The issue is that your average Windows user doesn't know the risks of not updating their software...

I take it that that's based on the idea that it's better to have updates than none at all. Considering what I read - or haven't read - about what new buggy Windows 10 updates are doing to the system of unsuspecting users every day, it is taking me a really long time to get to a yes or no.

So as awful as software updates can be, I can't blame Microsoft for forcing their updates on users.

In case you haven't got the idea, Microsoft forces updates on Windows 10 Home users because the latter are treated as guinea pigs. They are the advanced beta testers for the Pro and business package users. That's why Microsoft is forcing all users to upgrade to 10, and the Pro and business users have an option to delay their updates.
 

Arequire (member since Feb 10, 2017)
Considering what I read - or haven't read - about what new buggy Windows 10 updates are doing to the system of unsuspecting users every day, it is taking me a really long time to get to a yes or no.
We all suffer through Microsoft's garbage updates equally, but ultimately I see no point in complaining about them, because other than yelling at Microsoft about it there's nothing we can do. WannaCry was a blunt demonstration of what happens when people don't patch so it's a pointless argument whether to or not; you either deal with the potential breakages that updates bring or you deal with the potential infections that not updating entails.
 

pcuser88 (member since Sep 15, 2016)
We all suffer through Microsoft's garbage updates equally, but ultimately I see no point in complaining about them..

This is the new - actually it's growing old now - business model. Complaining to Microsoft effectively supports its operations, whether users want to or not. If technical issues could break Microsoft, it would have been long gone.
 
