Attackers can downgrade Windows kernel components to bypass security features such as Driver Signature Enforcement and deploy rootkits on fully patched systems.
This is possible by taking control of the Windows Update process to introduce outdated, vulnerable software components on an up-to-date machine without the operating system changing its "fully patched" status.
Downgrading Windows
SafeBreach security researcher Alon Leviev reported the update takeover issue, but Microsoft dismissed it, saying that it did not cross a defined security boundary, since the attack already requires kernel code execution obtained as an administrator.
Leviev demonstrated at the Black Hat and DEF CON security conferences this year that the attack is feasible, but the problem remains unfixed, leaving the door open for downgrade/version-rollback attacks.
The researcher published a tool called Windows Downdate, which allows building custom downgrades and exposing a seemingly fully updated target system to already fixed vulnerabilities through outdated components such as DLLs, drivers, and the NT kernel.
“I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term ‘fully patched’ meaningless on any Windows machine in the world” – Alon Leviev
Despite kernel security improving significantly over time, Leviev managed to bypass the Driver Signature Enforcement (DSE) feature, showing how an attacker could load unsigned kernel drivers to deploy rootkit malware that disables security controls and hides the activity that would otherwise reveal the compromise.
“In recent years, significant enhancements have been implemented to strengthen the security of the kernel, even under the assumption that it could be compromised with Administrator privileges,” Leviev says.
While the new protections make it harder to compromise the kernel, “the ability to downgrade components that reside in the kernel makes things much simpler for attackers,” the researcher explains.
Leviev named his exploitation method the “ItsNotASecurityBoundary” DSE bypass, as it is part of the false file immutability flaws, a new vulnerability class in Windows described in research from Gabriel Landau of Elastic as a way to achieve arbitrary code execution with kernel privileges.
Following Landau’s report, Microsoft patched the ItsNotASecurityBoundary admin-to-kernel privilege escalation. However, that patch does not protect against a downgrade attack, because the fixed component can simply be rolled back to the vulnerable version.
Targeting the kernel
In new research published today, Leviev shows how an attacker could exploit the Windows Update process to bypass DSE protections by downgrading a patched component, even on fully updated Windows 11 systems.
The attack works by replacing ‘ci.dll,’ the file responsible for enforcing DSE, with an unpatched version that can be tricked into ignoring driver signatures, which essentially sidesteps Windows’ protective checks.
The replacement itself is delivered through Windows Update; the exploit then abuses a double-read condition in the old ci.dll, where the vulnerable copy is loaded into memory right after Windows has begun verifying the current copy of the file.
This “race window” lets the vulnerable ci.dll load while Windows believes it has verified the file, allowing unsigned drivers to be loaded into the kernel.
In the video below, the researcher demonstrates how he reverted the DSE patch through a downgrade attack and then exploited the component on a fully patched Windows 11 23H2 machine.
Leviev also describes methods to disable or bypass Microsoft’s Virtualization-based Security (VBS), which creates an isolated environment for Windows to protect critical resources and security assets such as the secure kernel code integrity mechanism (skci.dll) and authenticated user credentials.
VBS normally relies on protections like UEFI locks and registry configurations to prevent unauthorized modifications, but it can be disabled with a targeted registry key modification if it was not configured at maximum security (with the “Mandatory” flag and UEFI lock).
When only partially enabled, key VBS files such as ‘SecureKernel.exe’ can be replaced with corrupt versions that break VBS, which opens the way for the “ItsNotASecurityBoundary” bypass and for replacing ‘ci.dll’.
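As an added example, not part of Leviev’s research or the Windows Downdate tool, the following PowerShell audit reads the VBS and HVCI policy values and runtime state referred to above and reports whether the configuration is the UEFI-locked, Mandatory one or the weaker one that an administrator can switch off with a registry write. The registry paths and value names are the DeviceGuard policy keys as documented by Microsoft and are an assumption of this example; verify them against your own Windows build, and run it from an elevated PowerShell.

```powershell
# Added example: audit VBS/HVCI configuration for the downgrade-relevant weak spots
# described in the article (no UEFI lock, no Mandatory flag).
# Registry locations are the documented DeviceGuard policy keys (assumed correct
# for current Windows 11 builds; check against your build).
$dg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvci = Join-Path $dg 'Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try   { [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: policy not set
}

function Get-VbsPosture {
    $f = [ordered]@{
        VbsPolicyEnabled  = Get-RegDword $dg   'EnableVirtualizationBasedSecurity'
        PlatformFeatures  = Get-RegDword $dg   'RequirePlatformSecurityFeatures'  # 1 = Secure Boot, 3 = + DMA
        VbsUefiLock       = Get-RegDword $dg   'Locked'
        VbsMandatory      = Get-RegDword $dg   'Mandatory'
        HvciPolicyEnabled = Get-RegDword $hvci 'Enabled'
        HvciUefiLock      = Get-RegDword $hvci 'Locked'
    }
    # Runtime view: the same WMI class msinfo32 reports from.
    $rt = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $f.VbsStatus        = $rt.VirtualizationBasedSecurityStatus   # 0 off, 1 enabled, 2 running
    $f.HvciRunning      = [bool]($rt.SecurityServicesRunning -contains 2)
    $f.CredGuardRunning = [bool]($rt.SecurityServicesRunning -contains 1)
    [pscustomobject]$f
}

function Get-VbsGaps {
    param($Posture)
    $gaps = @()
    if ($Posture.VbsStatus -ne 2)    { $gaps += 'VBS is not running' }
    if ($Posture.VbsUefiLock -ne 1)  { $gaps += 'VBS has no UEFI lock: a registry write plus reboot can clear it' }
    if ($Posture.VbsMandatory -ne 1) { $gaps += 'VBS Mandatory flag not set' }
    if (-not $Posture.HvciRunning)   { $gaps += 'HVCI is not running' }
    if ($Posture.HvciUefiLock -ne 1) { $gaps += 'HVCI has no UEFI lock' }
    $gaps
}

$posture = Get-VbsPosture
$posture | Format-List
$gaps = Get-VbsGaps -Posture $posture
if ($gaps) {
    Write-Warning ("Downgrade-relevant gaps:`n - " + ($gaps -join "`n - "))
    # Hardened values (reboot required; once UEFI-locked, a registry write alone
    # can no longer clear the setting):
    #   Set-ItemProperty $dg   -Name Locked    -Value 1 -Type DWord
    #   Set-ItemProperty $dg   -Name Mandatory -Value 1 -Type DWord
    #   Set-ItemProperty $hvci -Name Locked    -Value 1 -Type DWord
} else {
    'VBS and HVCI are running, UEFI-locked and Mandatory.'
}
```

The distinction the script draws is the one the article relies on: VBS that is merely enabled can be turned off by an administrator before the SecureKernel.exe swap, whereas the UEFI-locked, Mandatory configuration removes that registry-only path.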
Leviev’s work shows that downgrade attacks remain possible through multiple pathways, even though they typically carry strong privilege prerequisites.
The researcher highlights the need for endpoint security tools to closely monitor downgrade procedures, even those that do not cross critical security boundaries.
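The monitoring the researcher calls for has to look at the files themselves, since a downgraded machine still reports itself as fully patched. The following PowerShell script is an added example, not code from the research or from Windows Downdate: it baselines the version, hash and signature of the kernel-side components named in the article (ci.dll, skci.dll, SecureKernel.exe) plus ntoskrnl.exe as the NT kernel image, and on later runs flags any component whose version moved backwards. The System32 paths and the baseline file location are assumptions of this example.

```powershell
# Added example: baseline the kernel-side components the article names and flag any
# version that moved backwards on a later run. Component list, System32 paths and the
# baseline location are assumptions of this example, not part of the research.
$BaselinePath = Join-Path $env:ProgramData 'kernel-component-baseline.json'
$Components   = 'ci.dll', 'skci.dll', 'SecureKernel.exe', 'ntoskrnl.exe' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

function Get-ComponentState {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $vi  = (Get-Item -LiteralPath $p).VersionInfo
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path       = $p
            # Four-part file version kept as a string so it survives the JSON round trip.
            Version    = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            Sha256     = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            SignStatus = $sig.Status.ToString()
            Signer     = $sig.SignerCertificate.Subject
        }
    }
}

function Compare-ComponentState {
    param($Current, $Baseline)
    foreach ($c in $Current) {
        $b = $Baseline | Where-Object { $_.Path -eq $c.Path }
        if (-not $b) { continue }
        $now = [version]$c.Version
        $was = [version]$b.Version
        if ($now -lt $was) {
            # A downgraded component is an older but genuine Microsoft build, so the
            # signature still validates; the version regression is the actual signal.
            [pscustomobject]@{ Path = $c.Path; Was = $was; Now = $now; Finding = 'version rolled back' }
        } elseif ($now -eq $was -and $c.Sha256 -ne $b.Sha256) {
            [pscustomobject]@{ Path = $c.Path; Was = $was; Now = $now; Finding = 'same version, different hash' }
        }
        if ($c.SignStatus -ne 'Valid') {
            [pscustomobject]@{ Path = $c.Path; Was = $was; Now = $now; Finding = "signature $($c.SignStatus)" }
        }
    }
}

$current = @(Get-ComponentState -Paths $Components)
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    "Baseline written: $BaselinePath"
} else {
    $baseline = @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)
    $findings = @(Compare-ComponentState -Current $current -Baseline $baseline)
    if ($findings) { $findings | Format-Table -AutoSize } else { 'No component rolled back since baseline.' }
}
```

Run it once after a known-good cumulative update to write the baseline, then on a schedule; refresh the baseline after each legitimate update, since versions only ever move forward in normal servicing. The "same version, different hash" finding catches the corrupt SecureKernel.exe case described above, while the rollback finding catches the ci.dll downgrade, which a signature-only check would miss.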