James Forshaw, a member of Google's Project Zero team, reported a security issue titled "Windows: Elevation of Privilege in ahcache.sys/NtApphelpCacheControl" to Microsoft on September 30. When Google's 90-day disclosure deadline expired on December 29, 2014, he published the details of the issue on December 30.
His brief description of the issue, together with the proof-of-concept code, can be found here: https://code.google.com/p/google-security-research/issues/detail?id=118
This vulnerability has provoked a great deal of argument. Much of the audience debated how Microsoft and Google handle security vulnerabilities and whether the 90-day disclosure policy is reasonable; many in the field also debated whether this security issue is a privilege escalation vulnerability in the strict sense. The latter debate arises mainly because, in his demonstration, James Forshaw used the vulnerability to hijack a program that UAC auto-elevates at its default level, thereby silently launching a high-integrity-level program from medium integrity level under the default UAC settings.
Generally speaking, the Microsoft Security Response Center (MSRC) does not treat bypasses of the UAC prompt from a lower to a higher integrity level at the default UAC setting as security vulnerabilities; see MSRC's "how to define security vulnerabilities": http://technet.microsoft.com/library/cc751383.aspx
Recently, however, MSRC has also treated escapes from the Internet Explorer Protected Mode (PM) or Enhanced Protected Mode (EPM) sandbox, which are in fact transitions from low integrity level to medium integrity level, as security vulnerabilities to be patched (for example, CVE-2014-6349). So we will set aside the dispute over whether this is a security vulnerability and instead analyze in depth the principles and issues involved.
Vulnerability analysis: cause and exploitation
The essential cause of this vulnerability is already described quite accurately in Google's brief write-up. Simply put, the NtApphelpCacheControl system call does not correctly identify the caller's token when the caller impersonates SYSTEM, so an interface originally callable only by administrator and system processes can be misused by a low-privileged program, and, by means of the mechanisms related to this call, a high-privilege program can be hijacked to achieve privilege elevation.
Having read this cause, you may have questions: what does this system call do? What is Apphelp? Where exactly does the token check go wrong? Which Apphelp mechanism can be used, and how does it hijack high-privilege processes? Next, the author introduces this content in depth and answers these questions in detail.
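As an added illustration (not from the original article or from Forshaw's report), the C model below contrasts a caller-identity check that looks only at the effective token's user with one that also refuses impersonation tokens below SecurityImpersonation; the token struct, SID strings and function names are constructed stand-ins for the purpose of this model, not Windows kernel APIs or ahcache.sys code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Windows impersonation levels, lowest to highest (real enumeration order). */
typedef enum {
    SecurityAnonymous = 0,
    SecurityIdentification = 1, /* identity only: must never confer authority */
    SecurityImpersonation = 2,
    SecurityDelegation = 3
} ImpersonationLevel;

/* Constructed model of the token the kernel sees for the calling thread. */
typedef struct {
    const char *user_sid;       /* "S-1-5-18" is LocalSystem */
    bool is_impersonation;      /* thread impersonation token vs. primary token */
    ImpersonationLevel level;   /* meaningful only for impersonation tokens */
} Token;

static bool sid_is_privileged(const char *sid) {
    /* LocalSystem or the BUILTIN\Administrators group. */
    return strcmp(sid, "S-1-5-18") == 0 || strcmp(sid, "S-1-5-32-544") == 0;
}

/* Weak check: trusts whoever the effective token claims to be. A caller that
 * merely impersonates a SYSTEM token at Identification level passes. */
bool weak_admin_check(const Token *effective) {
    return sid_is_privileged(effective->user_sid);
}

/* Hardened check: an impersonation token below SecurityImpersonation carries
 * identity but no authority, so it is rejected before the SID is consulted. */
bool hardened_admin_check(const Token *effective) {
    if (effective->is_impersonation && effective->level < SecurityImpersonation)
        return false;
    return sid_is_privileged(effective->user_sid);
}

int main(void) {
    /* Constructed scenario: a medium-integrity process presents a SYSTEM token
     * that it could only obtain at Identification level. */
    Token fake = { "S-1-5-18", true, SecurityIdentification };
    printf("weak check accepts:     %d\n", weak_admin_check(&fake));     /* 1 */
    printf("hardened check accepts: %d\n", hardened_admin_check(&fake)); /* 0 */
    return 0;
}
```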
1. Apphelp and NtApphelpCacheControl
On Windows 8.1, the NtApphelpCacheControl system call, as its name suggests, controls the system's fast cache of Apphelp rule data.
Apphelp is a compatibility solution that Microsoft introduced with Windows XP; its official name is the Application Compatibility Database. This solution aims to reduce the operating system