Windows 0-day drops the same day Microsoft releases record number of patches
Windows 0-day drops the same day Microsoft releases record number of patches
微软发布创纪录数量补丁当日,Windows 零日漏洞随之曝光
Right on the heels of Microsoft releasing a record number of security patches, a researcher has published exploit code that can enable low-privilege Windows accounts to make sensitive changes to administrator accounts. 就在微软发布创纪录数量安全补丁的紧要关头,一位研究人员发布了一段漏洞利用代码,该代码可使低权限的 Windows 账户对管理员账户进行敏感修改。
The exploit, which multiple researchers say works, is sending Microsoft scrambling, yet again, to patch a zero-day released by an anonymous researcher who has complained about the software maker’s handling of their bug reports. To date, the pseudonymous NightmareEclypse has published nine such exploits, including Tuesday’s HiveLegacy. The researcher said the proof-of-concept code included in the report was stripped down to prevent attackers from using it maliciously. 多位研究人员证实该漏洞利用有效,这再次让微软陷入手忙脚乱,不得不紧急修补这个由匿名研究人员发布的零日漏洞。该研究人员此前曾抱怨微软处理其漏洞报告的方式。截至目前,化名为“NightmareEclypse”的研究人员已发布了九个此类漏洞利用,其中包括周二发布的“HiveLegacy”。该研究人员表示,报告中包含的概念验证代码已进行了精简,以防止攻击者将其用于恶意目的。
A “pretty powerful primitive” HiveLegacy is an elevation-of-privilege exploit that targets a vulnerability residing in the Windows User Profile Service. It allows users (and with more work likely processes) with limited system rights to compromise an admin user’s account by modifying its classes registry hive, a resource that ensures the correct application opens when certain types of files are clicked on in Windows Explorer. “相当强大的原语”:HiveLegacy 是一种针对 Windows 用户配置文件服务(User Profile Service)漏洞的权限提升攻击。它允许权限受限的用户(经过进一步操作也可能包括进程)通过修改管理员账户的类注册表配置单元(classes registry hive)来入侵该账户。该资源用于确保在 Windows 资源管理器中点击特定类型文件时,能打开正确的应用程序。
At a minimum, that means the attacker can modify the Windows registry associated with an administrator account. As written, the exploit requires the attacker to know another user’s credentials. The account need not be admin. An attacker must also know the username of a third account, also with or without admin status, on the machine. 至少这意味着攻击者可以修改与管理员账户关联的 Windows 注册表。按照目前的写法,该漏洞利用要求攻击者知道另一个用户的凭据,且该账户无需是管理员。此外,攻击者还必须知道机器上第三个账户的用户名,该账户同样无需具备管理员权限。
“If I can set up the system so that it runs my code when the admin user logs in,” the attacker has de facto administrator privileges, Will Dormann, a senior principal vulnerability analyst at Tharros Labs, said in an interview. “I don’t need to be an admin myself.” Tharros Labs 的高级首席漏洞分析师 Will Dormann 在接受采访时表示:“如果我能设置系统,使其在管理员用户登录时运行我的代码,那么攻击者就实际上拥有了管理员权限。我自己并不需要成为管理员。”
In a post, he said that “the ability of a non-admin user to be able to modify the classes registry hive of an admin user is a pretty powerful primitive. Clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don’t even require user interaction.” 他在一篇文章中写道:“非管理员用户能够修改管理员用户类注册表配置单元的能力,是一个相当强大的原语。聪明的攻击者或有特定目的的人,很容易就能想出如何利用它来做更有趣的事情,甚至无需用户交互。”
Dormann said that the exploit could possibly be chained to a separate one that gives direct access to an administrative account. As explained in a post by a different analyst: “When a new user is logging on, Windows needs to load the user’s class hive. Since the user isn’t logged on before logging on (tautology, I know), it can’t be loaded in the context of the user. So it is loaded in the context of NT AUTHORITY\SYSTEM. LegacyHive abuses this.” Dormann 表示,该漏洞利用可能与另一个漏洞串联,从而直接获取管理员账户的访问权限。正如另一位分析师在文章中所解释的那样:“当新用户登录时,Windows 需要加载该用户的类配置单元。由于用户在登录前并未登录(我知道这是同义反复),因此它无法在用户上下文中加载。所以它是在 NT AUTHORITY\SYSTEM 上下文中加载的。LegacyHive 正是利用了这一点。”
In an emailed statement, Microsoft said it’s aware of the vulnerability report and is investigating. The company also noted its preference that vulnerability reporters follow a coordinated disclosure policy. 微软在电子邮件声明中表示,已知悉该漏洞报告并正在进行调查。该公司还指出,希望漏洞报告者能够遵循协同披露政策。
For now, Windows users who want to protect their systems against HiveLegacy can run a detection script published by independent researcher Kevin Beaumont. Other defenses are to restrict local non-user account creation, monitor ProfSvc for unexpected hive loads, and track NTUSER.DAT/UsrClass.dat activity. 目前,希望保护系统免受 HiveLegacy 攻击的 Windows 用户可以运行独立研究员 Kevin Beaumont 发布的检测脚本。其他防御措施包括限制创建本地非用户账户、监控 ProfSvc 的异常配置单元加载,以及跟踪 NTUSER.DAT/UsrClass.dat 的活动。