Thursday, December 12, 2024
HomeCVE/vulnerabilityWindows Zero-day Flaw Let Hackers Downgrade Fully Updated Systems To Old Vulnerabilities

Windows Zero-day Flaw Let Hackers Downgrade Fully Updated Systems To Old Vulnerabilities

Published on

SIEM as a Service

Every software and operating system vendor has been implementing security measures to protect their products.

This is due to the fact that threat actors require a lot of time to find a zero-days but require less time to find a readily available exploit for a vulnerable software.

This brought them to the thought where they started to Downgrade the latest versions to vulnerable versions.

- Advertisement - SIEM as a Service

An example of this is the BlackLotus UEFI BootKit malware which downgraded the Windows Boot Manager to a vulnerable version that can be exploited by CVE-2022-21894.

This vulnerability allows threat actors to bypass Secure Boot. Further, the threat actors were able to disable OS security mechanisms and maintain persistent access on the affected systems.

As a matter of fact, the BlackLotus UEFI Bootkit was capable of running on fully patched and up-to-date Windows 11 systems that have Secure Boot enabled.

Further, researchers were able to utilize this attack method and achieve privilege escalation and bypass security features. 

Overview

Cut shorting the complete research phase, a significant flaw was discovered which allowed the researchers to take full control of the process of Windows Update.

This also allowed the creation of Windows Downdate, a tool that can be used for downgrading updates and bypassing all verification steps including Integrity Verification and Trusted Installer Enforcement.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

Additionally, after the downgrading of Critical OS components was achieved including DLLs, drivers and the NT kernel, the OS reported that it was fully updated and was unable to install future updates.

Moreover, the recovery and scanning tools were not able to detect the issues in the Operating System.

Further escalating this attack, the researchers successfully downgraded Credential Guard’s Isolated User Mode process, Secure Kernel, and Hyper-V’s hypervisor to expose past privilege escalation vulnerabilities.

Concluding the overview with the final discovery of multiple ways to disable Windows virtualization-based Security (VBS) including Credential Guard and Hypervisor-Protected Code integrity (HVCI), even when enforced with UEFI locks.

The result of this attack resulted in a fully patched Windows machine that is vulnerable to thousands of previous patched vulnerabilities, changing fixed vulnerabilities to zero-days and still making the Operating System to think that it is “fully patched”.

Windows Update Architecture

According to the reports shared with Cyber Security News and the Windows Documentation, the Windows Update architecture consists of an update client and an update server.

The update client is usually enforced with Administrator privileges and the Trusted Installer is always enforced on the server side.

This provides the note that even Administrators and NT SYSTEM cannot modify the system files except by the Trusted Installer.

Windows update process (Source: Safebreach)

The Windows Update flow performs the following steps,

  • At first, the client asks the server to perform the update contained in an update folder
  • The server validates the integrity of the update folder
  • After verifying, the server operates on the update folder to finalize the update files which are saved to a server-controlled folder (cannot be accessed by the client)
  • The server saves an action to the server-controlled folder which is a list named “pending.xml” and it contains the update actions to perform including which files to update, the source and destination files, etc.
  • Finally, when the OS reboots, the action list is operated on, and the update actions are performed during the reboot. 
Update Methodology (Source: Safebreach)

Update Folder Investigation

This folder contains the update components, and each update component contains MUM (Windows Update Package file), manifest, differential, and catalog files. The files can be explained as follows:

  • MUM files – has Microsoft Update metadata and contain metadata information, component dependencies, installation order, etc.
  • manifest files – contain installation-specific information like file paths, registry keys, which installers to execute as part of the installation, and more.
  • differential files – these are delta files from base files. A base file plus a delta file would result in the full update file. 
  • catalog files – the digital signatures of the MUM and manifest files.

The things to note here is that Only Catalog files are signed and the Manifest and MUMs are not explicitly signed.

However, they are signed by the Catalogs. The differential files are not signed but they control the final update file content.

On researching further, the action list path in the registry had an interesting key named “PoqexecCmdline” which holds the executable that parses the list and the list path.

Further, it was also discovered that the Trusted Installer was not enforced on this key. This can be used to control all the update actions. 

Registry Targeting (Source: Safebreach)

Additionally, the pending.xml file provides the functionality of creating files, deleting files, moving files, hard-linking files, creating registry keys and values, deleting keys and values, and much more! To downgrade the patches, the source in the destination of the file action can be replaced.

Attack Methodology

Summarizing the research, there was no need for a malicious Trusted-installer elevation. The attack was actually performed with the help of Windows updates due to the fact that the three actions which are 

1. Setting the Trusted Installer service as Auto-Start, 

2. Adding pending.xml path in registry and 

3. Add pending.xml identifier in registry did not have Trusted Installer enforced. 

Introducing the update (Source: Safebreach)

Further adding to the attack is that the attack went in a legitimate way which was completely undetected.

Since it was an action to update the system, the system shows as “fully updated” which technically it is downgraded.

Persistence was achieved using the action list parser poqexec.exe file that was not digitally signed.

This poqexec.exe file can be supplied with empty updates which will install any newly available updates.

The main fact of this attack is that the actions performed cannot be reversed.

This is because the repair utility SFC.exe is not digitally signed which can also be supplied with a false patch that will not detect any corruptions.

In addition to this, the researchers were also able to 

  • Attack Windows VBS, 
  • Bypass VBS UEFI Lock, 
  • Target Secure Mode’s Isolated User Mode Processes, 
  • Target Secure Mode’s Kernel and 
  • Target Hyper-V’s Hypervisor

Microsoft issued two CVEs which are CVE-2024-21302 and CVE-2024-38202 along with an official response stating, “We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability through a coordinated vulnerability disclosure. We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption.”

Furthermore, the complete attack has been presented at Black Hat USA 2024 and a research paper was published.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center...

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and...

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the...