Lucene search

threatpostTara SealsTHREATPOST:2AAD8D184B893593E4E3B11FE31F97B3
HistoryNov 02, 2020 - 2:57 p.m.

Unpatched Windows Zero-Day Exploited in the Wild for Sandbox Escape

Tara Seals

0.975 High




A high-severity Windows driver bug is being exploited in the wild as a zero-day. It allows local privilege escalation and sandbox escape.

The security vulnerability was disclosed by Google Project Zero just seven days after it was reported, since cybercriminals are already exploiting it, according to researchers.

The flaw (CVE-2020-17087) has to do with the way the Windows Kernel Cryptography Driver (cng.sys) processes input/output control (IOCTL), which is a system call for device-specific input/output operations and other operations that cannot be expressed by regular system calls.

“[Cng.sys] exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” according to the bug report, published on Friday. “We have identified a vulnerability in the processing of IOCTL 0x390400, reachable through [a] series of calls.”

With specially crafted requests, an attacker can trigger a pool-based buffer overflow, which leads to a system crash and opens the door for exploitation.

“The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue,” the Project Zero team explained. “The integer overflow occurs in line 2, and if SourceLength is equal to or greater than 0x2AAB, an inadequately small buffer is allocated from the NonPagedPool in line 3. It is subsequently overflown by the binary-to-hex conversion loop in lines 5-10 by a multiple of 65536 bytes.”

The team put together a proof-of-concept exploit that shows the ease of triggering an attack. It worked on an up-to-date build of Windows 10 1903 (64-bit), but researchers said that the bug appears to affect Windows versions going back to Windows 7.

“A crash is easiest to reproduce with Special Pools enabled for cng.sys, but even in the default configuration the corruption of 64kB of kernel data will almost surely crash the system shortly after running the exploit,” according to Project Zero.

The director of Google’s Threat Analysis Group, Shane Huntley, said in the disclosure that the attacks are targeted and unrelated to any U.S. election-related targeting. Another Project Zero team member noted that Microsoft is expected to fix the bug on its next Patch Tuesday update, on Nov. 10.

Some quibbled with the short disclosure timeline, but Project Zero researchers Ben Hawkes and Tavis Ormandy defended the move on Twitter:

> The quick take: we think there’s defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonable unlikely (so far it’s been used as part of an exploit chain, and the entry-point attack is fixed)
> — Ben Hawkes (@benhawkes) October 30, 2020

Ormandy noted, “Your attack is more likely to be detected if you attempt to use documented vulnerabilities, because people know what to look for. The other details of your attack will then be analyzed.”

Mateusz Jurczyk and Sergei Glazunov of Google Project Zero were credited with finding the bug.

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.