{"id":15032,"date":"2019-04-08T12:00:52","date_gmt":"2019-04-08T20:00:52","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/04\/08\/news-8781\/"},"modified":"2019-04-08T12:00:52","modified_gmt":"2019-04-08T20:00:52","slug":"news-8781","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/04\/08\/news-8781\/","title":{"rendered":"From alert to driver vulnerability: Microsoft Defender ATP investigation unearths privilege escalation flaw"},"content":{"rendered":"

Credit to Author: Eric Avena| Date: Mon, 25 Mar 2019 15:00:07 +0000<\/strong><\/p>\n

With Microsoft continuously improving kernel mitigations and raising the bar for exploiting native kernel components, third-party kernel drivers are becoming a more appealing target for attackers and an important area of research for security analysts. A vulnerability in a signed third-party driver could have a serious impact: it can be abused by attackers to escalate privileges or, more commonly, bypass driver signature enforcement\u2014without the complexity of using a more expensive zero-day kernel exploit in the OS itself.<\/p>\n

Computer manufacturers usually ship devices with software and tools that facilitate device management. These software and tools, including drivers, often contain components that run with ring-0 privileges in the kernel. With these components installed by default, each must be as secure as the kernel; even one flawed component could become the Achilles\u2019 heel of the whole kernel security design.<\/p>\n

We discovered such a driver while investigating an alert raised by Microsoft Defender Advanced Threat Protection<\/a>\u2019s kernel sensors. We traced the anomalous behavior to a device management driver developed by Huawei. Digging deeper, we found a lapse in the design that led to a vulnerability that could allow local privilege escalation.<\/p>\n

We reported the vulnerability (assigned CVE-2019-5241) to Huawei, who responded and cooperated quickly and professionally. On January 9, 2019, Huawei released a fix: https:\/\/www.huawei.com\/en\/psirt\/security-advisories\/huawei-sa-20190109-01-pcmanager-en.<\/p>\n

In this blog post, we\u2019d like to share our journey from investigating one Microsoft Defender ATP alert to discovering a vulnerability, cooperating with the vendor, and protecting customers.<\/p>\n

Detecting kernel-initiated code injections with Microsoft Defender ATP<\/h3>\n

Starting in Windows 10, version 1809, the kernel has been instrumented with new sensors designed to trace User APC code injection initiated by a kernel code, providing better visibility into kernel threats like DOUBLEPULSAR. As described in our in-depth analysis<\/a>, DOUBLEPULSAR is a kernel backdoor used by the WannaCry ransomware to inject the main payload into user-space. DOUBLEPULSAR copied the user payload from the kernel into an executable memory region in lsass.exe and inserted a User APC to a victim thread with NormalRoutine targeting this region.<\/p>\n

\"figure-01-WannaCry-user-APC-injection-technique-schematic-diagram\"<\/p>\n

Figure 1. WannaCry User APC injection technique schematic diagram<\/em><\/p>\n

While the User APC code injection technique isn\u2019t novel (see Conficker<\/a> or Valerino\u2019s earliest proof-of-concept<\/a>), detecting threats running in the kernel is not trivial. Since PatchGuard was introduced, hooking NTOSKRNL is no longer allowed; there\u2019s no documented way drivers could get notification for any of the above operations. Hence, without proper optics, the only sustainable strategy would be applying memory forensics, which can be complicated.<\/p>\n

The new set of kernel sensors aim to address this kind of kernel threat. Microsoft Defender ATP leverages these sensors to detect suspicious operations invoked by a kernel code that might lead to code injection into user-mode. One such suspicious operation, though not related to WannaCry, DOUBLEPULSAR, or other known kernel threats, triggered this investigation that led to our discovery of a vulnerability.<\/p>\n

Investigating an anomalous code injection from the kernel<\/h3>\n

While monitoring alerts related to kernel-mode attacks, one alert drew our attention:<\/p>\n

\"figure-02-2-Microsoft-Defender-ATP-kernel-initiating-code-injection-alert\"<\/p>\n

Figure 2. Microsoft Defender ATP kernel-initiating code injection alert<\/em><\/p>\n

The alert process tree showed an abnormal memory allocation and execution in the context of services.exe<\/em> by a kernel code. Investigating further, we found that an identical alert was fired on another machine around the same time.<\/p>\n

To get a better understanding of the observed anomaly, we looked at the raw signals we got from the kernel sensors. This analysis yielded the following findings:<\/p>\n