Attackers can downgrade Windows kernel components to bypass security features such as Driver Signature Enforcement (DSE) and deploy rootkits on fully patched systems.
This is possible by taking control of the Windows Update process to reintroduce outdated, vulnerable software components on an up-to-date machine without the operating system changing its "fully patched" status.
Downgrading Windows
SafeBreach security researcher Alon Leviev reported the update-takeover issue, but Microsoft dismissed it, saying that it did not cross a defined security boundary, even though it made kernel code execution possible for an administrator.
Leviev demonstrated at the Black Hat and DEF CON security conferences this year that the attack was feasible, but the problem remains unfixed, leaving the door open to downgrade (version-rollback) attacks.
The researcher published a tool called Windows Downdate, which builds custom downgrades and exposes a seemingly fully updated target system to already fixed vulnerabilities through outdated components such as DLLs, drivers, and the NT kernel.
"I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term 'fully patched' meaningless on any Windows machine in the world" – Alon Leviev
Despite kernel security improving significantly over the years, Leviev managed to bypass the Driver Signature Enforcement (DSE) feature, showing how an attacker could load unsigned kernel drivers to deploy rootkit malware that disables security controls and hides the activity that would otherwise lead to detecting the compromise.
"Recently, significant improvements have been implemented to strengthen the security of the kernel, even under the assumption that it may be compromised with Administrator privileges," Leviev says.
While the new protections make it harder to compromise the kernel, "the ability to downgrade components that reside in the kernel makes things much simpler for attackers," the researcher explains.
Leviev calls his exploitation method the "ItsNotASecurityBoundary" DSE bypass because it belongs to the false file immutability (FFI) flaws, a new vulnerability class in Windows described in research by Gabriel Landau of Elastic as a way to achieve arbitrary code execution with kernel privileges.
Following Landau's report, Microsoft patched the ItsNotASecurityBoundary admin-to-kernel privilege escalation. However, that patch does not protect against a downgrade attack: rolling the patched component back to its pre-fix version restores the vulnerability.
Targeting the kernel
In new research published today, Leviev shows how an attacker could exploit the Windows Update process to bypass DSE by downgrading a patched component, even on fully updated Windows 11 systems.
The attack works by replacing 'ci.dll', the kernel component responsible for enforcing DSE, with the pre-patch version in which the ItsNotASecurityBoundary flaw is still present. Because the replacement is delivered through Windows Update, the old file is a genuine, Microsoft-signed binary, so the downgrade itself trips none of Windows' signature checks.
The downgraded ci.dll still contains the double-read condition: a file is verified once and then read again from disk when it is mapped into memory, and the two reads are not guaranteed to see the same bytes.
In that "race window" the on-disk contents can be swapped after verification has passed, so an unsigned driver ends up loaded into the kernel while Windows believes it has verified the file.
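Because a downgraded ci.dll (or ntoskrnl.exe, skci.dll, securekernel.exe) is still validly Microsoft-signed, Get-AuthenticodeSignature alone cannot reveal a rollback; what changes is the file version. The following PowerShell is an added example, not code from the article or from Windows Downdate: it records a post-patch baseline of the component versions and flags any whose version has dropped since. The component list and the baseline path are assumptions to adapt to your environment.

```powershell
# Added example (not the article's or the researcher's code): detect a
# version rollback of kernel components named in the research. The files
# remain validly signed after a downgrade, so the version regression is the
# signal, not the signature status.

# Assumption: this component list and baseline location suit your estate.
$Components   = @('ntoskrnl.exe', 'ci.dll', 'skci.dll', 'securekernel.exe')
$BaselinePath = Join-Path $env:ProgramData 'kernel-component-baseline.json'

function Get-KernelComponentVersion {
    foreach ($name in $Components) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path $path)) { continue }
        $vi = (Get-Item $path).VersionInfo
        [pscustomobject]@{
            File      = $name
            # major.minor.build.private, e.g. 10.0.22631.<UBR the file shipped in>
            Version   = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
                                   $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            Signature = (Get-AuthenticodeSignature $path).Status   # 'Valid' even when downgraded
        }
    }
}

# Run this once right after a known-good patch cycle.
function Save-KernelBaseline {
    Get-KernelComponentVersion |
        Select-Object File, @{ n = 'Version'; e = { $_.Version.ToString() } } |
        ConvertTo-Json | Set-Content -Path $BaselinePath
}

# Run this on a schedule; any Downgraded = $true row deserves an incident.
function Test-KernelDowngrade {
    if (-not (Test-Path $BaselinePath)) {
        throw "No baseline at $BaselinePath; run Save-KernelBaseline first."
    }
    $baseline = @{}
    foreach ($b in (Get-Content $BaselinePath | ConvertFrom-Json)) {
        $baseline[$b.File] = [version]$b.Version
    }
    foreach ($c in Get-KernelComponentVersion) {
        $known = $baseline[$c.File]
        [pscustomobject]@{
            File       = $c.File
            Current    = $c.Version
            Baseline   = $known
            Signature  = $c.Signature
            Downgraded = ($null -ne $known) -and ($c.Version -lt $known)
        }
    }
}

if (Test-Path $BaselinePath) {
    Test-KernelDowngrade | Where-Object Downgraded
} else {
    Save-KernelBaseline
}
```

Compare against a baseline rather than against the OS build number: a cumulative update does not rebuild every binary, so a file legitimately lagging the OS UBR is not evidence of tampering, whereas a version that goes backwards between two runs is. Re-save the baseline after each patch cycle, and keep the baseline file somewhere an administrator on the host cannot quietly rewrite (a central store is better than ProgramData).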
In the video below, the researcher demonstrates reverting the DSE patch through a downgrade attack and then exploiting the component on a fully patched Windows 11 23H2 machine.
Leviev also describes methods to disable or bypass Microsoft's Virtualization-based Security (VBS), which creates an isolated environment in which Windows protects critical resources and security assets such as the secure kernel code integrity mechanism (skci.dll) and authenticated user credentials.
VBS normally relies on protections like the UEFI lock and registry configuration to prevent unauthorized changes, but when it is not configured at maximum protection (the "Mandatory" flag) it can be disabled through targeted registry key modifications.
When VBS is only partially enabled, key VBS files such as 'SecureKernel.exe' can be replaced with corrupt versions that stop VBS from starting, which opens the way for the "ItsNotASecurityBoundary" bypass and for replacing 'ci.dll'.
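The two VBS weaknesses described above map to two registry flags under the DeviceGuard key: without the UEFI lock an administrator can switch VBS off with a registry change and a reboot, and without the Mandatory flag a corrupted SecureKernel.exe makes Windows boot without VBS instead of failing. The following PowerShell is an added example, not the article's or the researcher's code: it reports the current posture, names the exposure, and shows the hardened configuration next to the weak one. The value names follow Microsoft's DeviceGuard documentation but should be treated as an assumption to verify against your Windows build, and the hardening function is deliberately not invoked.

```powershell
# Added example (not from the article or the researcher): audit the VBS
# settings that decide whether the registry-based and SecureKernel.exe
# corruption bypasses apply, and show the hardened configuration.
# Assumption: value names under DeviceGuard match Microsoft's documentation
# for your build; confirm before deploying.

$DgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$HvciKey = "$DgKey\Scenarios\HypervisorEnforcedCodeIntegrity"

function Get-VbsPosture {
    $status = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard
    $dg   = Get-ItemProperty -Path $DgKey   -ErrorAction SilentlyContinue
    $hvci = Get-ItemProperty -Path $HvciKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 0 = off, 1 = enabled but not running, 2 = running
        VbsRunning  = ($status.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning contains 2 when HVCI (memory integrity) runs
        HvciRunning = ($status.SecurityServicesRunning -contains 2)
        VbsEnabled  = ([int]$dg.EnableVirtualizationBasedSecurity -eq 1)
        UefiLocked  = ([int]$dg.Locked -eq 1)      # turning VBS off needs physical presence at boot
        Mandatory   = ([int]$dg.Mandatory -eq 1)   # boot fails rather than continuing without VBS
        HvciLocked  = ([int]$hvci.Locked -eq 1)
    }
}

function Test-VbsDowngradeExposure {
    $p = Get-VbsPosture
    $findings = @()
    if (-not $p.VbsRunning) { $findings += 'VBS is not running: the secure kernel is not protecting ci.dll or credentials.' }
    if (-not $p.UefiLocked) { $findings += 'No UEFI lock: an administrator can disable VBS with a registry change and a reboot.' }
    if (-not $p.Mandatory)  { $findings += 'Mandatory flag unset: a corrupted SecureKernel.exe makes Windows boot without VBS.' }
    if (-not $p.HvciLocked) { $findings += 'HVCI is not UEFI-locked: memory integrity can be switched off from the registry.' }
    if ($findings.Count -eq 0) { 'VBS is enabled, UEFI-locked and mandatory.' } else { $findings }
}

# Weak state the bypass needs:   EnableVirtualizationBasedSecurity=1, Locked=0, Mandatory=0
# Hardened state set below:      Locked=1 and Mandatory=1 for VBS, Enabled=1 and Locked=1 for HVCI
function Set-VbsHardened {
    New-Item -Path $HvciKey -Force | Out-Null
    Set-ItemProperty -Path $DgKey   -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $DgKey   -Name RequirePlatformSecurityFeatures  -Value 1 -Type DWord  # 1 = Secure Boot, 3 = Secure Boot + DMA protection
    Set-ItemProperty -Path $DgKey   -Name Locked    -Value 1 -Type DWord
    Set-ItemProperty -Path $DgKey   -Name Mandatory -Value 1 -Type DWord
    Set-ItemProperty -Path $HvciKey -Name Enabled   -Value 1 -Type DWord
    Set-ItemProperty -Path $HvciKey -Name Locked    -Value 1 -Type DWord
    # Applies at next boot. With Mandatory=1 a host whose firmware cannot start
    # VBS will not boot at all, so pilot on one machine before rolling out.
}

Test-VbsDowngradeExposure
```

The Mandatory flag is the setting that turns the SecureKernel.exe corruption trick from a silent bypass into a visible boot failure, which is the intended trade-off: an unbootable machine is an incident, a kernel running without VBS is not. Because the UEFI lock can only be cleared with physical presence at boot, set both flags through managed policy rather than by hand, and verify the result with Get-VbsPosture after the reboot rather than trusting the registry write.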
Leviev's work shows that downgrade attacks are still possible through multiple pathways, even though they typically require strong privileges (administrator on the target) to begin with.
The researcher highlights the need for endpoint security tools to monitor downgrade procedures closely, even those that do not cross a defined security boundary, since the vendor does not treat them as vulnerabilities to fix.