Windows Zero-day Flaw Let Hackers Downgrade Fully Updated Systems to Old Vulnerabilities

Every software and hardware vendor enforces security measures to protect their products. The reason is that threat actors need a lot of time to find a 0-day, but much less time to find a readily available exploit for a vulnerable version of the software. This led them to the idea that they could simply downgrade the most recent versions to vulnerable ones.
An example of this is the BlackLotus UEFI bootkit malware, which downgraded the Windows Boot Manager to a vulnerable version that could be exploited via CVE-2022-21894.
This vulnerability allows threat actors to bypass Secure Boot. The threat actors were also able to disable OS security mechanisms and maintain persistent access to the affected systems.
As a matter of fact, the BlackLotus UEFI bootkit was able to run on fully patched and up-to-date Windows 11 systems with Secure Boot enabled. Further, researchers were able to use this attack technique to perform privilege escalation and bypass security features.
Windows Zero-day Downgrade Attack
Cutting the research phase short, a critical flaw was discovered that allowed the researchers to take full control of the Windows Update process. This also allowed the creation of Windows Downdate, a tool that can be used to downgrade updates while bypassing all verification steps, including Integrity Verification and Trusted Installer Enforcement.
Furthermore, after the downgrade of critical OS components was completed, including DLLs, drivers and the NT kernel, the OS reported that it was fully updated and was unable to install future updates. Moreover, the recovery and scanning tools were not able to detect the flaws in the Operating System.
Further escalating this attack, the researchers successfully downgraded Credential Guard's Isolated User Mode process, the Secure Kernel, and Hyper-V's hypervisor to expose past privilege escalation vulnerabilities.
This concludes the research with the final discovery of multiple ways to disable Windows Virtualization-Based Security (VBS), including Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when enforced with UEFI locks.
The result of this attack is a fully patched Windows machine that is vulnerable to thousands of previously patched vulnerabilities, turning fixed vulnerabilities back into zero-days while the Operating System still claims that it is "fully patched".
Windows Update Architecture
SafeBreach detailed the attack at Black Hat USA 2024. According to the Windows documentation, the Windows Update architecture consists of an update client and an update server.
The update client always runs with Administrator privileges, and the Trusted Installer is always enforced on the server side. This provides the guarantee that even Administrators and NT SYSTEM cannot modify the system files except through the Trusted Installer.
The Windows Update flow performs the following steps:
- First, the client asks the server to perform the update contained in an update folder
- The server validates the integrity of the update folder
- After verifying, the server operates on the update folder to finalize the update files, which are saved to a server-managed folder (which cannot be accessed by the client)
- The server saves an action list to the server-managed folder; this list is named "pending.xml" and contains the update actions to perform, including which files to update, the source and destination files, and so on
- Finally, when the OS reboots, the action list is processed, and the update actions are performed during the reboot
Update Folder Investigation
This folder contains the update components, and every update component contains MUM (Windows Update Package) files, manifest, differential, and catalog files. The files can be described as follows:
- MUM files – contain Microsoft Update metadata, including metadata records, component dependencies, installation order, and so on.
- manifest files – contain installation-specific information like file paths, registry keys, which installers to execute as part of the installation, and more.
- differential files – these are delta files relative to base files. A base file plus a delta file results in the full update file.
- catalog files – the digital signatures of the MUM and manifest files.
Note that only catalog files are signed; the manifest and MUM files are not explicitly signed, but they are covered by the catalog signatures. The differential files are not signed, yet they control the final update file content.
On further analysis, the action list path in the registry had an interesting key named "PoqexecCmdline," which holds the executable that parses the list and the list path. It was also discovered that the Trusted Installer was not enforced on this key, which could be used to control the entire set of update actions.
Furthermore, the pending.xml file provides the functionality of creating files, deleting files, moving files, hard-linking files, creating registry keys and values, deleting keys and values, and much more. To downgrade the patches, the source specified for the destination of a file action can be replaced.
Attack Methodology
Summarizing the research, there was no need for a malicious Trusted Installer elevation. The attack was actually performed with the help of Windows Update itself, because the following three actions did not have Trusted Installer enforced:
- Setting the Trusted Installer service to Auto-Start,
- Adding the pending.xml path in the registry, and
- Adding the pending.xml identifier in the registry.
Further adding to the attack is that it went through in a legitimate way, entirely undetected. Because it was an action to update the system, the system shows as "fully updated," even though it is technically downgraded.
Persistence was achieved using the action list parser poqexec.exe, which was not digitally signed. This poqexec.exe file can also be supplied with empty updates, which is able to install any newly available updates.
The key fact of this attack is that the actions performed cannot be reversed. This is because the repair utility SFC.exe is not digitally signed, and it can also be supplied with a fake patch that will not detect any corruption. In addition to this, the researchers were also able to
- Attack Windows VBS,
- Bypass the VBS UEFI Lock,
- Target Secure Mode's Isolated User Mode Processes,
- Target Secure Mode's Kernel, and
- Target Hyper-V's Hypervisor
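As an added defensive check (not part of the article or of SafeBreach's Windows Downdate tooling), the PowerShell below compares the build the OS reports as "fully patched" with the file versions of the components the research downgraded. It assumes that these binaries carry 10.0.<build>.<UBR> as their file version and that the FileVersionRaw property is available (PowerShell 5.1 or later).

```powershell
# Added example: flag OS components whose file version is older than the
# build the system claims to be on. A downgraded kernel or Secure Kernel
# keeps the "fully patched" build number in the registry while the binary
# on disk reports an older version.
# Assumption: file versions of these binaries track 10.0.<build>.<UBR>.

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$reported = [version]('10.0.{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
Write-Host "OS reports build $reported"

# Components named in the research: NT kernel, Secure Kernel, code integrity
# (normal and secure), and the Hyper-V hypervisor (Intel and AMD builds).
$targets = @(
    'ntoskrnl.exe', 'securekernel.exe', 'ci.dll', 'skci.dll',
    'hvix64.exe', 'hvax64.exe'
) | ForEach-Object { Join-Path "$env:SystemRoot\System32" $_ }

$suspect = @()
foreach ($path in $targets) {
    if (-not (Test-Path $path)) { continue }   # hypervisor file depends on CPU vendor
    $fv = (Get-Item $path).VersionInfo.FileVersionRaw   # [version], PowerShell 5.1+
    if ($fv -lt $reported) {
        $suspect += $path
        $status = 'OLDER THAN REPORTED BUILD'
    } else {
        $status = 'ok'
    }
    '{0,-18} {1,-16} {2}' -f (Split-Path $path -Leaf), $fv, $status
}

if ($suspect.Count -gt 0) {
    Write-Warning ('{0} component(s) older than the reported build; compare them with a known-good machine at the same build.' -f $suspect.Count)
    exit 1
}
```

A mismatch is a lead, not proof: a component that a given update did not touch can legitimately carry an older version, so confirm against a known-good machine at the same build before acting on it.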
Microsoft issued two CVEs, CVE-2024-21302 and CVE-2024-38202, along with an official response stating, "We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability through a coordinated vulnerability disclosure. We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing to ensure maximized customer protection with minimized operational disruption."
Source credit : cybersecuritynews.com