Sophos Cloud Optix
A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to “system,” and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed.
The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.
The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems. On its own, this bug does not allow remote code execution (RCE), but does enable non-administrator accounts to execute code as if they were an administrator.
There is one mitigation I discovered while researching this exploit. Unfortunately it is somewhat complicated. To prevent the flaw from being exploited you can perform the following actions:
- As an Administrator open Regedit and browse to HKEY_USERS\[SID of each user account]\EUDC
- Right-click EUDC and choose permissions
- Choose the user whose account you are modifying and select Advanced
- Select Add and then type in the user’s name and click OK
- Click the Deny checkbox for Delete and Create Subkey
- Click all the OKs and Apply buttons to exit
The registry keys being changed by this mitigation should not impact a user’s ability to use the system, but changing permissions related to Windows code page settings may cause problems with multilingual installations. In my testing it appears problem-free, but I have only had an hour or two to test. Use at your discretion.
The good news? For this to be exploited, malicious code that uses the exploit needs to be introduced. This means your email, web, and anti-virus filters can prevent malicious payloads from being downloaded. Keep an eye on the Naked Security blog for more information as we learn more about this flaw.
Update: Sophos detects the proof of concept as Troj/EUDPoC-A. Stay tuned for further details as they become available.
I’ve also created this video showing how it works and what you can do.
Update: Microsoft fixed this vulnerability in bulletin MS11-011 in February of 2011.
exploit-db.com still has the source code. Get it while it's hot.
Added note, that 0-day exploit in Internet Explorer is looking increasingly useful. Would it be possible use that exploit (CVE: 2010-3962) in correspondence with this one? If so, god have mercy.
Unfortunately yes. The fact that the code is still available isn't necessarily a good thing, although once the cat is out of the bag you simply aren't likely to have a very happy cat.
Chester
Great vid but how do I lock down the kernal exploit in Windows XP, I looked at the registry and I don't have any user EUDC folders?
There is no UAC in Windows XP
The bug is in the Windows kernel, not UAC. The way the flaw works bypasses UAC so a user is not alerted to the fact that a non-privileged application is now running as system.
I am still investigating the flaw. I do not believe it entirely relies on these registry keys, but the proof of concept does. As more information becomes available I will likely post a follow-up blog entry with more details. Kernel bugs are sometimes tricky to work out all the ways they can be exploited and defended against.
Has there been any response from Microsoft yet? I've just checked the MSRC and SRD blogs, and there's nothing there. The list of security advisories [1] was last updated on the 9th.
Maybe all the security people are based in the US and have gone home for Thanksgiving?
[1] http://www.microsoft.com/technet/security/advisor…
Oddly they have only posted to Twitter. You can look them up as @MSFTSecResponse
Isn't blocking all writing to the registry for a user going to mean that there are lots of programs they can't run? Isn't the defence itself going to cause all kinds of headaches? If not that it looks easy to fix, but it doesn't **feel** like it can be that simple – there are surely plenty of things that programs have legitimate need to write (and later modify/delete) registry keys for?
The steps in the blog only prevent certain keys related to keyboard languages from being deleted and created by a user. It does not impact parts of the registry required for Windows to work properly.
I’m not a technical person in regards to my laptop. Though I avidely read everything you post. What can l do to protect my laptop?
Not much at this point. We are waiting to see what Microsoft recommends once they have had a chance to look at the flaw.
Uninstall Windows and install Linux.
Some people have loud mouths. Exploits like these should be kept private in VIP areas on forums. Stupid script kiddies talking to loud.
The UAC was never really a problem because binding a RAT to legit piece of software and ensuring it's FUD will fool 99% of people into allowing it to run.
Sophos, you're 10 steps behind us hackers. All of my latest exe's are undetectable by Sophos and other AV's.
We will always win 😀
I don't understand why you do it in the first place. No life?
Hackerdude, you're not the first person to create malicious scripts and yours probably aren't as "uber" as you self-proclaim them to be. Do something positive with your average skills mate and hop off the pedestal as it's probably kinda lonely up in your frustrated world.
Is there anyway to trace the hackers on this thread via ip address or some other means. Would be nice if you folks were to report them to proper authorities if at all possible.
where's Microsoft's webpage on this?
our computer shows the following after we found out it wasn't booting up " Load needed dll for kernel " when we try to use the window xp disk it says need administers password and their is none. Plus got to a point that is state now can not load file bootvid.dll , Could this be the virus your are talking about and can you help me to fix it. I can't get it to boot up pass the screen
Unfortunately it is not likely the cause of your trouble. You should likely contact a specialist to help you repair or clean your installation.
The last windows update for XP solved the problem in these last days, but the files to fix the problem were enough for only 24 hours. The virus, worm or malware already is up to date and the problem returned. We are out of the city now. To format is the only option to solve, but we can't copy our backup files to computer, for the virus stays in the files and return. Is possible be the US government using our computers to knock down the wikileaks?
Will this be patch in the latest Windows Update?
Ha ha…. Hackerdude is so awesome. She's so above everyone. I want to be him / her / it. Will you be my hero?
Tell me, did Mummy not buy you the BMX you wanted for your 10th birthday and you've never got over it? Do something positive with your self proclaimed "uber" scripting skills and get a counsellor, it will help with your inferiority complex.
Yippee for Hackerdude…
He graduated from 53-63-72-69-70-74-20-4b-69-64-64-69-65 to 55-62-65-72-20-53-63-72-69-70-74-20-4b-69-64-64-69-65
Perhaps he’ll decode this in the same amount of time it takes him to figure out what ID10T means.
What I do not understand is why MS is taking so long to use an Unix approach.