A Google security researcher, James Forshaw, has discovered a privilege escalation vulnerability in Windows 8.1 that could allow a hacker to modify contents or even to take over victims' computers completely, leaving millions of users vulnerable.
The researcher also provided a Proof of Concept (PoC) program for the vulnerability. Forshaw says that he has tested the PoC only on an updated Windows 8.1 and that it is unclear whether earlier versions, specifically Windows 7, are vulnerable.
Forshaw unearthed the bug in September 2014 and notified the Google Security Research mailing list about the bug on 30th September. Now, after the 90-day disclosure deadline, the vulnerability and the Proof of Concept program were made public on Wednesday.
The vulnerability resides in the function AhcVerifyAdminContext, an internal function and not a public API, which checks whether the user is an administrator.
"This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator," Forshaw wrote in the mailing list. "It reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem's SID."
"It doesn't check the impersonation level of the token so it's possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways."
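To make the flaw Forshaw describes concrete, here is an added example (not code from the article, from Forshaw's PoC, or from Windows itself) that models the check in plain C. The token struct, the two check functions and the sample tokens are constructed for illustration; the impersonation-level ordering mirrors the Windows SECURITY_IMPERSONATION_LEVEL enum, and S-1-5-18 is the well-known LocalSystem SID. The vulnerable form compares only the user SID, so an identification-level token obtained from a LocalSystem process passes; the hardened form first requires a level of at least SecurityImpersonation, which is what the real fix must enforce before trusting the SID.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Mirrors the ordering of the Windows SECURITY_IMPERSONATION_LEVEL enum.
 * Anything below SecurityImpersonation only identifies the source; it
 * does not let the holder act as that identity. */
typedef enum {
    SecurityAnonymous      = 0,
    SecurityIdentification = 1,
    SecurityImpersonation  = 2,
    SecurityDelegation     = 3
} impersonation_level_t;

/* Constructed, simplified token: only the two fields the check inspects. */
typedef struct {
    const char *user_sid;          /* e.g. "S-1-5-18" */
    impersonation_level_t level;   /* level reported for the thread token */
} token_t;

/* Well-known SID of the LocalSystem account. */
static const char *const LOCAL_SYSTEM_SID = "S-1-5-18";

/* Models the flawed AhcVerifyAdminContext logic described in the article:
 * the SID is compared but the impersonation level is never consulted. */
bool vulnerable_is_admin_context(const token_t *tok) {
    return strcmp(tok->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Hardened form (constructed): refuse any token that does not grant at
 * least impersonation rights, then do the same SID comparison. */
bool hardened_is_admin_context(const token_t *tok) {
    if (tok->level < SecurityImpersonation) {
        return false;  /* identification-only tokens prove nothing here */
    }
    return strcmp(tok->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Convenience wrappers so the two checks can be exercised with plain values. */
bool check_vulnerable(const char *sid, impersonation_level_t level) {
    token_t tok = { sid, level };
    return vulnerable_is_admin_context(&tok);
}

bool check_hardened(const char *sid, impersonation_level_t level) {
    token_t tok = { sid, level };
    return hardened_is_admin_context(&tok);
}

int main(void) {
    /* Constructed sample: an identification-level token whose user SID is
     * LocalSystem, the situation the article says the PoC arranges. */
    printf("identify-level LocalSystem token, vulnerable check: %s\n",
           check_vulnerable("S-1-5-18", SecurityIdentification) ? "admin" : "denied");
    printf("identify-level LocalSystem token, hardened check:   %s\n",
           check_hardened("S-1-5-18", SecurityIdentification) ? "admin" : "denied");
    printf("impersonation-level LocalSystem token, hardened:    %s\n",
           check_hardened("S-1-5-18", SecurityImpersonation) ? "admin" : "denied");
    return 0;
}
```

The point for reviewers of similar code: a kernel routine that reads a thread's impersonation token must treat the impersonation level as part of the decision, not just the identity the token names; PsReferenceImpersonationToken reports that level, so the information was available to the original check.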
The PoC contains two program files and a short set of instructions for executing them which, if successful, result in the Windows computer running as an Administrator. According to the researcher, the vulnerability is not in Windows User Account Control (UAC) itself, but UAC is used in part to demonstrate the bug.
Forshaw tested the PoC on Windows 8.1 Update, both 32-bit and 64-bit versions, and he recommended that users run the PoC on 32-bit. To verify, perform the following steps:
1. Put AppCompatCache.exe and Testdll.dll on disk.
2. Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).
3. Execute AppCompatCache from the command prompt with the command line "AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll".
4. If successful then the computer should appear to be running as an administrator. If it doesn't work the first time (and you get the ComputerDefaults program) re-run the exploit from 3; there seems to be a caching/timing issue sometimes on first run.
A Microsoft spokesperson confirms the vulnerability and says that it's already working on a fix:
"We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."
At the time of posting this article, there's no patch available and all Windows 8.1 systems are vulnerable to hackers.