CyberWisdom Safe Harbor Commentary on Zero-Day in Windows Lockdown Policy
Project Zero hacker James Forshaw publicly disclosed this issue because, according to Google’s disclosure policy, the vulnerability was not fixed within 90 days.
Zero-day affects all UMCI-enabled versions of Windows 10, and Forshaw successfully used it on Windows 10S.
“By using .NET errors, arbitrary code execution (such as Device Guard) on UMCI-enabled systems can bypass the enabled Windows locking policy to check COM class instances,” pointed out Google’s security recommendations.
When a .NET COM object is instantiated, the zero-day defect is associated with the behavior of the locking strategy of the WLDP COM class.
The WLDP COM Class locking strategy contains a hard-coded list of 8 to 50 COM objects that can be instantiated by the heuristic scripting engine.
To prevent attacks, the proper implementation of the policy should check the CLSID and hard-coded list passed to DllGetObject while registering the existing DLL.
“The WLDP COM Class locking strategy contains a hard-coded list of 8 to 50 COM objects that can be instantiated by the heuristic scripting engine. Exclude issues related to finding the correct CLSID (eg previously reported on TreatAs case 40189 Abuse. “Continue analysis.
“This should not be a major issue, even if you can write to the registry to register an existing DLL under an allowed COM CLSID, because a well-behaved COM implementation should compare the CLSID passed to DllGetObject with its internal list of known objects. ”
Google experts found that when a .NET COM object is instantiated, the CLSID of the DllGetClassObject passed to mscoree is only used to find registration information in HKCR, the CLSID is discarded, and .NET objects are created.
This means that an attacker can add registry entries, including HKCU, which will load an arbitrary COM visible class under a trusted CLSID.
“This has a direct impact on class policies because it allows an attacker to add registry entries (including HKCU) that can load any COM visible class under one of the allowed CLSIDs because .NET doesn’t care if the .NET type has a This particular GUID, which you can use to guide arbitrary code execution, “continues analysis.
Windows locking policy
Google researchers released a vulnerability detection code consisting of two files:
A .INF to set the registry.
The .SCT created using the DotNetToJScript free tool can be used to load untrusted .NET assemblies into memory to display message boxes.
The researchers reported this vulnerability to Microsoft on January 19, but the technology giant did not mention it within 90 days.
“This issue was not fixed in Tuesday’s patch, so this issue has reached a deadline. This issue affects only Device Guard-enabled systems (such as Windows 10S) and is only implemented as a persistent code on such a computer. This is not a problem that can be used remotely, nor a privilege escalation, “the expert added.
Experts stress that attackers need access to the system to exploit vulnerabilities and install registry keys.
Google researcher has publicly disclosed a Windows 10 zero-day that could be exploited by attackers to bypass Windows Lockdown Policy on systems with User Mode Code Integrity (UMCI). Google has publicly disclosed a Windows 10 zero-day vulnerability that could be exploited by attackers to bypass Windows Lockdown Policy on systems with User Mode Code Integrity (UMCI) enabled Engaging post, Read More…
thumbnail courtesy of securityaffairs.co
If you like to receive more of these curated safe harbor news alerts then subscribe to my mailing list. and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries. Home » Curated SafeHarboronCyber’s CyberWisdom Post »