{"id":7123,"date":"2017-03-27T07:03:35","date_gmt":"2017-03-27T15:03:35","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/27\/news-914\/"},"modified":"2017-03-27T07:03:35","modified_gmt":"2017-03-27T15:03:35","slug":"news-914","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/27\/news-914\/","title":{"rendered":"Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005"},"content":{"rendered":"<p><strong>Credit to Author: msft-mmpc| Date: Mon, 27 Mar 2017 15:00:01 +0000<\/strong><\/p>\n<p>On March 14, 2017, Microsoft released security bulletin <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-013.aspx\">MS17-013<\/a> to address CVE-2017-0005, a vulnerability in the Windows <em>Win32k<\/em> component that could potentially allow elevation of privileges.\u00a0A report from\u00a0a trusted partner identified\u00a0a zero-day exploit for this vulnerability. The exploit targeted\u00a0older versions of Windows and allowed\u00a0attackers to elevate process privileges on these platforms.<\/p>\n<p>In this article, we walk through the technical details of the exploit and assess the performance of tactical mitigations in Windows 10 Anniversary Update\u2014released in August, 2016\u2014as well as strategic mitigations like Supervisor Mode Execution Prevention (SMEP) and virtualization-based security (VBS). We also show how <a href=\"https:\/\/blogs.microsoft.com\/microsoftsecure\/2017\/03\/13\/whats-new-in-the-windows-defender-atp-creators-update-preview\/\">upcoming Creators Update enhancements<\/a> to Windows Defender Advanced Threat Protection (<a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">Windows Defender ATP<\/a>) can detect attacker elevation-of-privilege (EoP) activity, including EoP activities associated with the exploit.<\/p>\n<h2>Zero-day elevation-of-privilege exploit<\/h2>\n<p>Upon review of its code, we found that this zero-day EoP exploit targets computers running Windows 7 and Windows 8. The exploit has been created so that it avoids executing on newer platforms.<\/p>\n<p>The exploit package unfolds in four stages:<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"321\" height=\"309\" class=\"alignnone size-full wp-image-11705\" alt=\"Execution stages of the exploit package and corresponding functionality\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/1-Execution-stages-of-the-exploit-package-and-corresponding-functionality.png\" \/><\/p>\n<p><em>Figure <\/em><em>1<\/em><em>.<\/em><em> Execution stages of the exploit package and corresponding functionality<\/em><\/p>\n<p>&nbsp;<\/p>\n<h3>Stages 1 and 2 &#8211; Decryptor and API resolver<\/h3>\n<p>To protect the main exploit code, attackers have encrypted the initial stage PE file using AES-256 algorithm. To load code for the next stage, a password must be passed as a parameter to the main entry function. Using the <em><a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380202(v=vs.85).aspx\">CryptHashData<\/a><\/em> API, the password is used as a key to decrypt the loader for the next stage.<\/p>\n<p>Stage 2 acts as an intermediate stage where API resolution is performed. API resolution routines in this stage resemble how shellcode or position-independent code works.<\/p>\n<p>The following code shows part of the <em><a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms683212(v=vs.85).aspx\">GetProcAddress<\/a><\/em> API resolution routine. This code appears to obfuscate the succeeding payload and stifle analysis.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"655\" height=\"573\" class=\"alignnone size-full wp-image-11715\" alt=\"Locating kernel32!GetProcAddress location using EAT traverse\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/2-Locating-kernel32GetProcAddress-location-using-EAT-traverse.png\" \/><\/p>\n<p><em>Figure <\/em><em>2<\/em><em>.<\/em><em> Locating kernel32!GetProcAddress location using EAT traverse<\/em><\/p>\n<p>&nbsp;<\/p>\n<h3>Stage 3 &#8211; Avoiding newer platforms<\/h3>\n<p>In stage 3, the exploit package performs environmental checks, specifically to identify the operating system platform and version number. The attacker ensures that the exploit code runs on vulnerable systems that have fewer built-in mitigations, particularly Windows 7 and Windows 8 devices.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"718\" height=\"695\" class=\"alignnone size-full wp-image-11725\" alt=\"Code that performs environmental checks\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/3-Code-that-performs-environmental-checks.png\" \/><\/p>\n<p><em>Figure <\/em><em>3<\/em><em>. Code that performs environmental checks<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>Analysis of the exploit code reveals targeting of systems running specific versions of Windows:<\/p>\n<ul>\n<li>Major release version 5<\/li>\n<li>Major release version 6 and\u00a0minor version 0, 1, or 2<\/li>\n<\/ul>\n<p>These versions <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms724832(v=vs.85).aspx\">map to Windows operating systems<\/a> between Windows 2000 and Windows 8, notably excluding Windows 8.1 and Windows 10. Also, upon examination of its architecture-checking routine, we find that the exploit code targets 64-bit systems.<\/p>\n<p>The next stage payload is loaded through DLL reflection.<\/p>\n<p>&nbsp;<\/p>\n<h3>Stage 4 &#8211; Exploit routine<\/h3>\n<p>After the environmental checks, the attacker code begins actual exploit of the Windows kernel vulnerability CVE-2017-0005, resulting in arbitrary memory corruption and privileged code execution.<\/p>\n<h4><em>PALETTE.pfnGetNearestFromPalentry<\/em> corruption<\/h4>\n<p>Code execution in the kernel space is made possible by a corrupted pointer in the <em>PALETTE.pfnGetNearestFromPalentry<\/em> function. Microsoft security researchers have been closely tracking this exploitation technique, which is designed to execute code in the kernel courtesy of a malformed <em>PALETTE<\/em> object. Observed in an unrelated sample used during the <em>Duqu <\/em>incident, we have described this relatively old exploit technique in a <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference_slides\/2015\/OhFlorio-VB2015.pdf\">Virus Bulletin 2015 presentation<\/a>.<\/p>\n<p>The following snippet shows the corrupted state of the PALETTE function pointer:<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"763\" height=\"82\" class=\"alignnone size-full wp-image-11735\" alt=\"PALETTE.pfnGetNearestFromPalentry corruption\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/4-PALETTE.pfnGetNearestFromPalentry-corruption.png\" \/><\/p>\n<p><em>Figure <\/em><em>4<\/em><em>.<\/em><em> PALETTE.pfnGetNearestFromPalentry corruption<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>The exploit code calls the native API <em>NtGdiEngBitBlt <\/em>to trigger an <em><a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/hardware\/ff570642(v=vs.85).aspx\">win32k!XLATEOBJ_iXlate<\/a><\/em> function call that uses the corrupted handler. This passes the control flow to a previously allocated shellcode. As a comparison, the exploit code in the <em>Duqu<\/em> 2.0 case used a <em><a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/dd144903(v=vs.85).aspx\">GetNearestPaletteIndex<\/a><\/em> call from <em>Gdi32.dll<\/em> to pass execution to the corrupt callback handler. This difference clearly indicates that these two exploits are unrelated, despite similarities in their code\u2014similarities that can be attributed to the fact that these exploitation techniques are well-documented.<\/p>\n<p>The exploit uses dynamically constructed <em>syscall<\/em> code snippets to call native Windows APIs.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"460\" height=\"116\" class=\"alignnone size-full wp-image-11745\" alt=\"Dynamically constructed calls to kernel functions\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/5-Dynamically-constructed-calls-to-kernel-functions.png\" \/><\/p>\n<p><em>Figure <\/em><em>5<\/em><em>. Dynamically constructed <\/em><em>calls to kernel functions<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>During the execution of the shellcode, the call stack looks like following:<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"708\" height=\"344\" class=\"alignnone size-full wp-image-11755\" alt=\"Example of the call stack when passing control flow using the corrupted function handler\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/6-Example-of-the-call-stack-when-passing-control-flow-using-the-corrupted-function-handler.png\" \/><\/p>\n<p><em>Figure <\/em><em>6<\/em><em>. Example of the call stack when passing control flow using the corrupted function handler<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>Once the shellcode is executed, the exploit uses a common token-swapping technique to obtain elevated, SYSTEM privileges for the current process. This technique is often observed in similar EoP exploits.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"808\" height=\"722\" class=\"alignnone size-full wp-image-11756\" alt=\"Token-swapping shellcode\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/7-Token-swapping-shellcode.png\" \/><\/p>\n<p><em>Figure <\/em><em>7<\/em><em>.<\/em><em> Token-swapping shellcode<\/em><\/p>\n<p>&nbsp;<\/p>\n<h2>Mitigation and detection<\/h2>\n<p>As previously mentioned, this zero-day exploit does not target modern systems like Windows 10. If environmental checks in the exploit code are bypassed and it is forced to execute on such systems, our tests indicate that the exploit would be unable to completely execute, mitigated by additional layers of defenses. Let\u2019s look at both the tactical mitigations\u2014medium-term mitigations designed to break exploitation techniques\u2014as well as the strategic mitigations\u2014durable, long-term mitigations designed to eliminate entire classes of vulnerabilities\u2014that stop the exploit.<\/p>\n<h3>Tactical mitigation \u2013 prevention of <em>pfnGetNearestFromPalentry<\/em> abuse<\/h3>\n<p>The use of <em>PALETTE.pfnGetNearestFromPalentry<\/em> as a control transfer point has been tracked by Microsoft security researchers for quite some time. In fact, this method is on the list tactical mitigations we have been pursuing. In August 2016, with the Windows 10 Anniversary Update, Microsoft released tactical mitigation designed to prevent the abuse of <em>pfnGetNearestFromPalentry<\/em>. The mitigation checks the validity of <em>PALETTE<\/em> function pointers when they are called, ensuring that only a predefined set of functions are called and\u00a0preventing any\u00a0abuse of\u00a0the structure.<\/p>\n<h3>Strategic mitigations<\/h3>\n<p>Other than the described tactical mitigation, this exploit could also be stopped in Windows 10 by SMEP, ASLR improvements in Windows kernel 64-bit, and virtualization-based security (VBS).<\/p>\n<h4>Supervisor Mode Execution Prevention (SMEP)<\/h4>\n<p>SMEP is a strategic mitigation feature supported by newer Intel CPUs and adopted since Windows 8.<\/p>\n<p>With SMEP, bits in the page table entry (PTE) serve as <em>User\/Supervisor (U\/S) <\/em>flags that designate the page to be either in user mode or kernel mode. If a user-mode page is called from kernel-mode code, SMEP generates an access violation and the system triggers a bug check that halts code execution and reports a security violation. This mechanism broadly stops attempts at using user-mode allocated executable pages to run shellcode in kernel mode, a common method used by EoP exploits.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"750\" height=\"448\" class=\"alignnone wp-image-11795\" alt=\"SMEP capturing exploit attempt\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/8b-SMEP-capturing-exploit-attempt.png\" \/><\/p>\n<p><em>Figure <\/em><em>8<\/em><em>.<\/em><em> SMEP capturing exploit attempt<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>Strategic mitigation like SMEP can effectively raise the bar for a large pool of attackers by instantly rendering hundreds of EoP exploits ineffective, including old-school exploitation methods that call user-mode shellcode directly from the kernel, such as the zero-day exploit for CVE-2017-0005.<\/p>\n<p>To check whether a computer supports SMEP, one can use the <a href=\"https:\/\/technet.microsoft.com\/en-us\/sysinternals\/cc835722.aspx\">Coreinfo<\/a> tool. The tool uses CPUID instructions to show the sets of CPUs and platforms that should support the feature. The following screen shows that the tested CPU supports SMEP. SMEP is supported on Windows 8 and later.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"746\" height=\"353\" class=\"alignnone size-full wp-image-11775\" alt=\"Coreinfo shows whether SMEP is enabled\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/9-Coreinfo-shows-whether-SMEP-is-enabled.png\" \/><\/p>\n<p><em>Figure <\/em><em>9<\/em><em>.<\/em><em> Coreinfo shows whether SMEP is enabled<\/em><\/p>\n<p>&nbsp;<\/p>\n<h4>Windows kernel 64-bit ASLR improvements<\/h4>\n<p>Although attackers are forced to work harder to create more sophisticated exploits with SMEP, we do know from studies shared in security conferences and documented incidents that there are ways to potentially bypass SMEP mitigation. These bypass mechanisms include the use of kernel ROP gadgets or direct PTE modifications through read-write (RW) primitives. To respond to these foreseeable developments in exploitation techniques, Microsoft has provided <a href=\"https:\/\/www.blackhat.com\/docs\/us-16\/materials\/us-16-Weston-Windows-10-Mitigation-Improvements.pdf\">Windows kernel 64-bit ASLR improvements<\/a> with the Windows 10 Anniversary Update and has made SMEP stronger with randomized kernel addresses, mitigating a bypass vector resulting from direct PTE corruption.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"496\" class=\"alignnone wp-image-11785\" alt=\"Windows Kernel 64-bit ASLR improvements\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/10-Windows-Kernel-64-bit-ASLR-improvements.png\" \/><\/p>\n<p><em>Figure <\/em><em>10<\/em><em>. Windows Kernel 64-bit ASLR improvements<\/em><\/p>\n<p>&nbsp;<\/p>\n<h4>Virtualization-based security (VBS)<\/h4>\n<p>Virtualization-based security (VBS) enhancements provide another layer of protection against attempts to execute malicious code in the kernel. For example, <a href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies\">Device Guard<\/a> blocks code execution in a non-signed area in kernel memory, including kernel EoP code. <a href=\"https:\/\/blogs.technet.microsoft.com\/ash\/2016\/03\/02\/windows-10-device-guard-and-credential-guard-demystified\/\">Enhancements in Device Guard<\/a> also protect key MSRs, control registers, and descriptor table registers. Unauthorized modifications of the CR4 control register bitfields, including the SMEP field, are blocked instantly.<\/p>\n<h3>Windows Defender ATP detections<\/h3>\n<p>With the upcoming Creators Update release,\u00a0Windows Defender ATP will be able to detect attempts at a SMEP bypass through CR4 register modifications. Windows Defender ATP will monitor the status of the CR4.SMEP bit and will report inconsistencies. In addition to this, Windows Defender ATP will detect token-swapping attempts by monitoring the state of the token field of a process structure.<\/p>\n<p>The following screenshot shows Windows Defender ATP catching exploit code performing the token-swapping technique to elevate privileges.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"491\" class=\"alignnone wp-image-11786 size-large\" alt=\"Detection of token-swapping technique on Windows Defender ATP\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/11-Detection-of-token-swapping-technique-on-Windows-Defender-ATP-1024x491.png\" \/><\/p>\n<p><em>Figure <\/em><em>11<\/em><em>.<\/em><em> Detection of token-swapping technique on Windows Defender ATP<\/em><\/p>\n<p>&nbsp;<\/p>\n<h2>Conclusion: resiliency with mitigation and behavioral detection<\/h2>\n<p>The zero-day exploit for CVE-2017-0005\u00a0shied away from\u00a0newer\u00a0systems because it would\u00a0have simply been stopped and would have only managed to get unnecessary exposure. Attackers are not as much focusing on legacy systems but\u00a0avoiding security\u00a0enhancements present in\u00a0modern hardware and\u00a0current platforms like Windows 10 Anniversary Update. While patches\u00a0continue to provide\u00a0single-point fixes for\u00a0specific vulnerabilities,\u00a0this attacker behavior\u00a0highlights how built-in exploit\u00a0mitigations\u00a0like SMEP, the ASLR improvements, and virtualization-based security (VBS)\u00a0are providing resiliency.<\/p>\n<p>Windows Defender ATP with Creators Update\u2014now available for <a href=\"https:\/\/blogs.microsoft.com\/microsoftsecure\/2017\/03\/13\/whats-new-in-the-windows-defender-atp-creators-update-preview\/\">public preview<\/a>\u2014extends defenses further by detecting exploit behavior on endpoints. With the upcoming enhancements, Windows Defender ATP could raise alerts so that SecOps personnel are immediately made aware of EoP activity and can respond accordingly. Read our previous post about <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/03\/08\/uncovering-cross-process-injection-with-windows-defender-atp\/\">uncovering cross-process injection<\/a>\u00a0to learn more about how Windows Defender ATP detects\u00a0sophisticated breach activity.<\/p>\n<p>In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit.\u00a0Comprehensive threat intelligence\u00a0about activity groups and their attack\u00a0methods are available to Windows Defender ATP customers.<\/p>\n<p>Windows Defender ATP is built into the core of Windows 10 Enterprise and can be <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">evaluated free of charge<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Matt Oh<\/strong><br \/> <em>Windows Defender ATP Research Team<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/03\/27\/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: msft-mmpc| Date: Mon, 27 Mar 2017 15:00:01 +0000<\/strong><\/p>\n<p>On March 14, 2017, Microsoft released security bulletin MS17-013 to address CVE-2017-0005, a vulnerability in the Windows Win32k component that could potentially allow elevation of privileges.\u00a0A report from\u00a0a trusted partner identified\u00a0a zero-day exploit for this vulnerability. The exploit targeted\u00a0older versions of Windows and allowed\u00a0attackers to elevate process privileges on these platforms. In this article, we&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10864,10760,11744,11137,11745,11018,11746,11747,10985,11748,11749,10761,11056,11580,10865,11581,11750],"class_list":["post-7123","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-advanced-persistent-threats","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-coreinfo","tag-creators-update","tag-cve-2017-005","tag-device-guard","tag-eop","tag-palette","tag-product-features-and-announcements","tag-smep","tag-virtualization-based-security","tag-windows-10","tag-windows-10-creators-update","tag-windows-defender-advanced-threat-protection","tag-windows-defender-atp","tag-zero-day-exploits","tag-zirconium"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7123"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7123\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7123"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}