Security researchers from Google’s Project Zero have disclosed a zero-day vulnerability yesterday (tracked as CVE-2020-17087) in the Windows operating system which is currently being exploited in the wild.
According to Google’s Project Zero security researchers Mateusz Jurczyk and Sergei Glazunov, the bug allows an attacker to escalate their privileges in Windows. Attackers are abusing the Windows vulnerability together with another Chrome zero-day (CVE-2020-15999), which Google disclosed and fixed last week. The vulnerability allows an attacker to escape Chrome’s sandbox, and run malware on the operating system.
As per the report, “The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape). The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue”.
Pseudocode for the vulnerable function.
NTSTATUS CfgAdtpFormatPropertyBlock(PBYTE SourceBuffer, USHORT SourceLength, PUNICODE_STRING Destination)
{
CONST USHORT DestinationSize = (USHORT)(6 * SourceLength);
PWCHAR OutputBuffer = BCryptAlloc(DestinationSize);
for (USHORT i = 0; i < SourceLength; i++) {
*OutputBuffer++ = "0123456789abcdef"[*SourceBuffer >> 4];
*OutputBuffer++ = "0123456789abcdef"[*SourceBuffer & 0xF];
*OutputBuffer++ = ' ';
SourceBuffer++;
}
Destination->MaximumLength = DestinationSize;
Destination->Length = DestinationSize - 2;
Destination->Buffer = OutputBuffer;
return STATUS_SUCCESS;
}
Source:bugs.chromium.org
The Google researchers have successfully tested PoC on an up-to-date build of Windows 10 1903 (64-bit) and said, the cng.sys flaw looks to have been present since at least Windows 7 which possibly impacts all Windows versions between Windows 7 and the most recent Windows 10 release.
In a tweet, Ben Hawkes said the zero-day vulnerability is expected to be patched on November 10, which is Microsoft’s next Patch Tuesday.
Qualys is currently monitoring this issue and will update this post if any patch, workaround or full working PoC becomes available. Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2104