Unpatched Windows 8.1 Hole Exposed

Tuesday, January 6, 2015 @ 06:01 PM gHale


Google has published details and a proof-of-concept (PoC) for an unpatched local privilege escalation vulnerability affecting Windows 8.1.

Google’s Project Zero initiative reported the security hole to Microsoft on September 30. Under Project Zero’s disclosure policy, the details of a bug automatically become public after 90 days, whether or not a patch is available, and that deadline has now passed.


“On Windows 8.1 update the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext,” Google noted in its September 30 advisory.

“This function has a vulnerability where it doesn’t correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID. It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check,” the advisory continues.
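To make the missing step concrete, the following is an added example, written for this article and not taken from the advisory, Google’s PoC or Windows itself. It models in plain C the token logic the advisory describes: a check that compares only the user SID, beside a variant that also rejects impersonation tokens below SecurityImpersonation level. The token structure, the impersonate() helper, the SIDs and the scenario functions are constructed for illustration; the hardened check shows the general principle, not Microsoft’s actual patch code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* SECURITY_IMPERSONATION_LEVEL values, as defined in winnt.h. */
typedef enum {
    SecurityAnonymous      = 0,
    SecurityIdentification = 1,  /* identity may be queried, not acted on */
    SecurityImpersonation  = 2,  /* may act as the user on the local system */
    SecurityDelegation     = 3
} SECURITY_IMPERSONATION_LEVEL;

/* Minimal token model constructed for this example (not the kernel's TOKEN
   structure): user SID as a string, whether this is an impersonation token,
   its impersonation level, and whether the owner holds SeImpersonatePrivilege.
   The level field is meaningless for primary tokens and is left at 0. */
typedef struct {
    const char *user_sid;
    bool is_impersonation;
    SECURITY_IMPERSONATION_LEVEL level;
    bool has_impersonate_privilege;
} MODEL_TOKEN;

static const char LOCAL_SYSTEM_SID[] = "S-1-5-18";

/* Simplified model of the kernel rule (SeTokenCanImpersonate) applied when a
   process puts another user's token on one of its threads: a caller without
   SeImpersonatePrivilege is not refused outright but receives the token at
   SecurityIdentification level, enough to read the SID and nothing more.
   Real Windows applies further conditions (integrity level, token origin)
   that are omitted here. */
MODEL_TOKEN impersonate(const MODEL_TOKEN *caller, const MODEL_TOKEN *target)
{
    MODEL_TOKEN t = *target;
    t.is_impersonation = true;
    if (strcmp(caller->user_sid, target->user_sid) != 0 &&
        !caller->has_impersonate_privilege)
        t.level = SecurityIdentification;
    else
        t.level = SecurityImpersonation;
    return t;
}

/* The check as the advisory describes it: the thread's token is fetched and
   only its user SID is compared with LocalSystem's SID. */
bool admin_check_flawed(const MODEL_TOKEN *tok)
{
    return strcmp(tok->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Hardened variant (general principle, not Microsoft's patch): an
   impersonation token below SecurityImpersonation carries identity only and
   must fail an authorization check no matter whose SID it holds. */
bool admin_check_fixed(const MODEL_TOKEN *tok)
{
    if (tok->is_impersonation && tok->level < SecurityImpersonation)
        return false;
    return strcmp(tok->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Constructed sample tokens: an ordinary interactive user and LocalSystem. */
static const MODEL_TOKEN NORMAL_USER = { "S-1-5-21-1000-2000-3000-1001",
                                         false, SecurityAnonymous, false };
static const MODEL_TOKEN SYSTEM_PRIMARY = { LOCAL_SYSTEM_SID, false,
                                            SecurityAnonymous, true };

/* Scenario 1: a normal user's process gets a LocalSystem token onto its
   thread at identification level, then calls the admin-only operation. */
bool scenario_identify_token_passes(bool use_fixed_check)
{
    MODEL_TOKEN thread_tok = impersonate(&NORMAL_USER, &SYSTEM_PRIMARY);
    return use_fixed_check ? admin_check_fixed(&thread_tok)
                           : admin_check_flawed(&thread_tok);
}

/* Scenario 2: a genuine LocalSystem caller using its own primary token. */
bool scenario_real_system_passes(bool use_fixed_check)
{
    return use_fixed_check ? admin_check_fixed(&SYSTEM_PRIMARY)
                           : admin_check_flawed(&SYSTEM_PRIMARY);
}

/* Scenario 3: a normal user calling with their own token. */
bool scenario_normal_user_passes(bool use_fixed_check)
{
    return use_fixed_check ? admin_check_fixed(&NORMAL_USER)
                           : admin_check_flawed(&NORMAL_USER);
}

int main(void)
{
    printf("identification-level SYSTEM token: flawed=%d fixed=%d\n",
           scenario_identify_token_passes(false),
           scenario_identify_token_passes(true));
    printf("real SYSTEM caller:                flawed=%d fixed=%d\n",
           scenario_real_system_passes(false),
           scenario_real_system_passes(true));
    printf("normal user:                       flawed=%d fixed=%d\n",
           scenario_normal_user_passes(false),
           scenario_normal_user_passes(true));
    return 0;
}
```

The point the model makes is that the SID answers "who is this?" while the impersonation level answers "what may the caller do as that identity?"; an authorization decision that reads only the first can be satisfied by a token the caller was never allowed to act with.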

The PoC published by Google leverages the User Account Control (UAC) feature in Windows, but the researchers said the issue isn’t a flaw in UAC itself.

The PoC was tested on the 32-bit and 64-bit versions of Windows 8.1. The researchers said the attack may also work on Windows 7, but they have not tested it there.

Microsoft is working on an update to address the security hole. The company also pointed out that an attacker needs valid login credentials for the targeted device for the attack to work. Microsoft’s next round of Patch Tuesday security updates is scheduled for January 13.


