Saturday, September 7, 2024
HomeCVE/vulnerabilityBYOVDLL - A New Exploit That Is Bypassing LSASS Protection

BYOVDLL – A New Exploit That Is Bypassing LSASS Protection

Published on

In July 2022, Microsoft patched a well-known PPL bypass flaw, initially discovered by Ionescu and Forshaw. 

This allowed protection circumvention without kernel code execution, and this update now broke the PPLdump PoC.

SCRT Team researchers at Orange Cyberdefense recently discovered a new exploit that enables threat actors to bypass LSASS protection. This new exploit was dubbed “BYOVDLL” (Bring Your Own Vulnerable DLL).

- Advertisement - EHA

Technical Analysis

However, in October 2022 Gabriel Landau disclosed that the vulnerability remained un-patched through “Bring Your Own Vulnerable DLL” approach and successfully ran PPLdump without any necessary tweaks.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

This demonstration triggered interest in looking into arbitrary code execution in protected processes by different DLLs, especially not requiring system reboots against Microsoft’s attempted patching efforts.

PPLdump BYOVDLL (Source – SCRT)

Two tiers of Windows system protection, namely Protected Process (PP) and Protected Process Light (PPL), exist with different signers defining a grading or ranking of security.

LSASS, which is a PPL, proves to be a primary focus for in-memory credential extraction since it has a wider attack surface compared to the other high-level PPs.

KeyIso service within LSASS had two serious vulnerabilities:-

Exploiting these required loading vulnerable versions of both keyiso.dll and ncryptprov.dll into LSASS.

This was done through several steps such as changing registry settings to load a vulnerability keyiso.dll, extracting and properly signing the DLL, and then registering a custom Key Storage Provider to load a vulnerable ncryptprov.dll.

Notably, this exploit method bypassed Windows’ security measures without requiring rebooting the system, showing how sensitive the present balance is between making your systems secure while still having exploitable areas.

The successful execution of this exploit highlights persistent difficulties in defending critical system processes against sophisticated attack vectors like those targeting credential theft from seemingly protected processes.

Within the protected LSASS process, the exploit chain was tested successfully by employing vulnerable versions of keyiso.dll and ncryptprov.dll.

To circumvent PPL restrictions, which prevent loading unsigned DLLs, the original LoadLibraryW call was replaced with OutputDebugStringW. 

This change meant instead of relying on Process Monitor to detect filesystem events there could be an execution confirmation through DebugView.

Executing OutputDebugStringW from within LSASS (Source – SCRT)

The steps in exploiting involved restarting KeyIso service and registering a custom Key Storage Provider.

After executing the proof-of-concept code, the debug message “I’m in LSASS!!!” confirmed successful arbitrary code execution in this secure environment.

From BYOVDLL to arbitrary code execution within a protected LSASS process (Source – SCRT)

This demonstration proved that bringing your own vulnerable dll is a valid technique for re-introducing and exploiting patches against high-security vulnerabilities (CVE-2023-36906 and CVE-2023-28229).

Though only displaying a debug message, it also laid the foundation for more sophisticated exploitation techniques within secured processes.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...