PoC Exploit Released for Windows 0-Day Downgrade Attack

by Esmeralda McKenzie

A proof-of-concept (PoC) exploit has been publicly released for a pair of major zero-day vulnerabilities in Microsoft Windows that enable a new "downgrade attack." The flaws, tracked as CVE-2024-38202 and CVE-2024-21302, were first disclosed by SafeBreach researcher Alon Leviev at Black Hat USA 2024 and DEF CON 32 earlier this month.

The vulnerabilities allow an attacker to take control of the Windows Update process and stealthily downgrade a fully patched Windows system to an older, vulnerable state. This effectively turns previously fixed security holes back into exploitable zero-day vulnerabilities.

"As a result, I was able to make a fully patched Windows machine susceptible to hundreds of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term 'fully patched' meaningless on any Windows machine in the world," Alon Leviev of SafeBreach explained in his original research.

Leviev has now released the PoC exploit, dubbed "Windows Downdate", on GitHub. The tool automates the exploitation of the two zero-days to take control of the Windows Update process and craft "fully undetectable, invisible, persistent, and irreversible downgrades" of critical OS components.

Windows Downdate is able to bypass integrity verification, Trusted Installer enforcement, and other security checks to downgrade core Windows DLLs, drivers, and even the NT kernel itself. It can also downgrade Credential Guard and Hyper-V components to re-expose patched privilege escalation flaws.


The impact is severe: an attacker could use these techniques to quietly revert a fully up-to-date Windows deployment to a vulnerable state, re-enabling exploitation of any of hundreds of previously patched vulnerabilities. Scanning and recovery tools are unable to detect malicious downgrades.

Windows Downdate abuses unprotected components of the Windows Update architecture to stealthily downgrade a fully patched system to an older, vulnerable state while disabling key security features, in a way that is very difficult to detect and reverse.

Demo source: SafeBreach


Microsoft acknowledged the zero-days in a pair of advisories on August 7 and said it is working on patches. However, fixes are still not available a month later, leading Leviev to publish the PoC to raise awareness and spur quicker patching.

"Microsoft is developing a security update that will revoke outdated, unpatched VBS system files to mitigate this vulnerability, but it is not yet available," the company said in its advisory for CVE-2024-21302.

In the meantime, Microsoft has provided some mitigation steps, such as implementing an Access Control List (ACL) or Discretionary Access Control List (DACL) to restrict access to the PoqexecCmdline registry key that enables the attack.
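As an added example of how a defender can check and apply that ACL mitigation (this script is not from the article, from SafeBreach, or from Microsoft), the PowerShell below audits the DACL on the PoqexecCmdline key and reports any principal outside SYSTEM, Administrators and TrustedInstaller that holds a write right on it; with `-Harden` it replaces the DACL with a restrictive one. The full key path is not given in the article, so `$KeyPath` is a placeholder that must be set from Microsoft's advisory; the trusted-principal list and the choice of rights treated as "write" are this example's own assumptions.

```powershell
# Added example: audit (and optionally tighten) the DACL on the PoqexecCmdline registry key.
# ASSUMPTION: the article does not give the full key path; replace the placeholder below with
# the path from Microsoft's advisory for CVE-2024-38202 / CVE-2024-21302 before running.
param(
    [string]$KeyPath = 'HKLM:\SYSTEM\<PATH-FROM-MICROSOFT-ADVISORY>\PoqexecCmdline',
    [switch]$Harden
)

# Principals that legitimately need to write servicing keys (assumed set for this example).
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that let a principal change the key's values, subkeys or its own permissions.
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
             [System.Security.AccessControl.RegistryRights]::FullControl

function Get-WeakRegistryAces {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found: $Path (check the path against the Microsoft advisory)"
        return @()
    }
    $acl = Get-Acl -Path $Path
    # Every Allow ACE granting a write right to a principal outside the trusted set is a finding.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $WriteMask) -ne 0) -and
        ($TrustedWriters -notcontains $_.IdentityReference.Value)
    }
}

function Set-RestrictiveRegistryAcl {
    param([string]$Path)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    # Break inheritance from the parent key and do not copy the inherited ACEs.
    $sec.SetAccessRuleProtection($true, $false)
    foreach ($id in $TrustedWriters) {
        $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    # Everyone else keeps read access only.
    $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Users', 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $Path -AclObject $sec
}

$weak = @(Get-WeakRegistryAces -Path $KeyPath)
if ($weak.Count -eq 0) {
    Write-Host "No write access outside the trusted principals on $KeyPath"
} else {
    Write-Host "Principals with write access to ${KeyPath}:"
    $weak | Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
    if ($Harden) {
        Set-RestrictiveRegistryAcl -Path $KeyPath
        Write-Host "DACL replaced with the restrictive set."
    }
}
```

Run it from an elevated PowerShell session; keys under HKLM are typically owned by TrustedInstaller, so `Set-Acl` may fail unless the session holds the necessary ownership or take-ownership right. Treat the audit output as the useful part: a clean result only confirms that the registry-level mitigation is in place, not that the underlying update-process flaws are fixed.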

However, security experts warn that these measures are incomplete and easily bypassed by a determined attacker. The only full remediation will be to install the official security updates from Microsoft once they are available.

The incident highlights the potential risks of zero-day vulnerabilities in core OS components or designs that could be exploited to compromise systems and repeatedly re-expose patched vulnerabilities. It also underscores the need for more proactive research into these complex attack surfaces.

"Design components within an OS should always be reviewed and considered a relevant attack surface, regardless of how old the feature may be," Alon Leviev said. "We believe other OSs may be equally susceptible to similar attack vectors and that all OS vendors should be vigilant against the risks they pose."


Source credit: cybersecuritynews.com
