A new vulnerability class has been discovered in the Windows 11 Kernel, known as “File Immutability,” which could potentially allow threat actors to execute arbitrary code with Kernel privileges. This vulnerability stems from incorrect assumptions in the design of the Core Windows feature, leading to undefined behavior and security vulnerabilities.
List of Components and Concepts Associated with the Vulnerability
- Windows File sharing: Full set of access rights.
- Memory Manager: Treats PE-relocated pages as unmodified, dynamically reapplying relocations during page faults.
- Sharing enforcement: The responsibility of the filesystem driver to call IoCheckShareAccess or IoCheckLinkShareAccess to see whether the requested DesiredAccess/ShareMode tuple is compatible.
- Authenticode: Describes a way to employ cryptography to “sign” PE files.
- Code Integrity: Validates signatures in the kernel.
- Incorrect assumptions: Implies that files successfully opened without write sharing can’t be modified by another user or process.
- Page hashes: List of hashes of each 4KB page within a PE file.
- Network redirectors: Allow the use of network paths with any API that accepts file paths.
- Protected Process Light (PPL): Anti-Malware services run as Protected Process Light (PPL), protecting them from tampering by malware with admin rights, so the ransomware can’t terminate the Anti-Malware service.
An attacker can exploit this false file immutability by using a network redirector to modify PPL’s DLL Server-side and bypass sharing restrictions. This vulnerability, known as “False File Immutability,” was also presented at Black Hat Asia 2023, showcasing how bad assumptions in paging can be exploited to inject code into PPL by defeating security features like LSA and Anti-Malware Process Protection.
New Research on the Vulnerability
This new vulnerability report, published by Elastic Security, focuses on authenticode signatures embedded within PE files, utilizing a detached signature called Security Catalog. Windows maintains a large collection of catalog files in C:WindowsSystem32CatRoot, which are validated by Code Integrity using various methods. However, the vulnerability arises from incorrect assumptions leading to False File Immutability.
Attack Planning and Execution
The attack flow involves planting a security catalog on a controlled storage device, creating a symbolic link in the CatRoot directory, and manipulating the Kernel to load a malicious unsigned driver. By exploiting the False File Immutability, the attacker can achieve arbitrary code execution in the kernel.
Double Read Vulnerability and Attack
The double-read vulnerability can be exploited by manipulating a victim server to read the same value from an attacker-controlled buffer more than once, leading to unexpected behavior. By changing the length field of a packet structure, the attacker can overflow a buffer and execute malicious code.
Affected Operations and Mitigations
Various operations such as Image Sections, Data Sections, and Regular I/O are susceptible to the vulnerability. Mitigations include enabling Page Hashes, avoiding double reads, and copying files to heap buffers before processing to prevent exploitation. Protecting business emails from spoofing, phishing, and BEC attacks with AI-powered security solutions is crucial in today’s threat landscape.
