Google Project Zero has disclosed the details of a Windows AppContainer firewall bypass after Microsoft said it had no plans to fix it. Project Zero researcher James Forshaw explains the interest in the issue: “Recently I’ve been delving into the inner workings of the Windows Firewall. This is interesting to me as it’s used to enforce various restrictions such as whether AppContainer sandboxed applications can access the network. Being able to bypass network restrictions in AppContainer sandboxes is interesting as it expands the attack surface available to the application, such as being able to access services on localhost, as well as granting access to intranet resources in an Enterprise.”
According to the advisory: “The default rules for the WFP connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege.” “Connecting to an external network resource from an AppContainer is enforced through default rules in the WFP. For example, connecting to the internet via IPv4 will process rules in the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer. This layer can contain rules such as “InternetClient Default Rule” which will match if the caller is in an AC and has the Internet Capability. If a match is made then the connection is allowed. Eventually an AC process will match the “Block Outbound Default Rule” rule if nothing else has which will block any connection attempt.”
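The rule evaluation the advisory describes can be made concrete with a small model. The following is an added example, not code from Project Zero or Microsoft: it models one sub-layer of FWPM_LAYER_ALE_AUTH_CONNECT_V4 in which the highest-weight filter whose conditions all match decides the outcome. The weights, the condition field names, the package SID and the exempt executable path are all constructed placeholders; the advisory does not name the executables here, so the "exemption" filter merely stands in for the "certain executables" permit it describes. The audit function is the check a practitioner would run over a real filter dump: list PERMIT filters that an AppContainer caller can hit without presenting any capability.

```python
# Simplified, constructed model of filter arbitration in FWPM_LAYER_ALE_AUTH_CONNECT_V4
# for an AppContainer (AC) caller. Weights, field names, SIDs and the exemption path
# are placeholders, not values read from a real Windows machine.
from dataclasses import dataclass, field
from typing import Optional

LAYER = "FWPM_LAYER_ALE_AUTH_CONNECT_V4"


@dataclass(frozen=True)
class Caller:
    """The process attempting a TCP connect, as the layer sees it."""
    image_path: str
    package_sid: Optional[str] = None        # set when the process runs in an AppContainer
    capabilities: frozenset = frozenset()    # e.g. {"internetClient"}


@dataclass
class Filter:
    """One WFP filter: every condition must hold (logical AND) for the action to apply."""
    name: str
    weight: int                                      # higher weight is evaluated first
    action: str                                      # "PERMIT" or "BLOCK"
    conditions: list = field(default_factory=list)   # list of (field_name, value)


def condition_matches(cond, caller: Caller) -> bool:
    fld, value = cond
    if fld == "APPCONTAINER":            # is the caller in an AC (True) or not (False)?
        return (caller.package_sid is not None) == value
    if fld == "CAPABILITY":              # caller's token carries this capability
        return value in caller.capabilities
    if fld == "IMAGE_PATH":              # caller's executable path (case-insensitive)
        return caller.image_path.lower() == value.lower()
    raise ValueError(f"unknown condition field {fld}")


def evaluate(filters, caller: Caller):
    """Return (action, filter_name) of the highest-weight filter whose conditions all match.
    Real WFP arbitration also spans sub-layers and callouts; this keeps a single sub-layer."""
    for f in sorted(filters, key=lambda f: f.weight, reverse=True):
        if all(condition_matches(c, caller) for c in f.conditions):
            return f.action, f.name
    return "NO_MATCH", None


def audit_capability_free_permits(filters):
    """PERMIT filters an AC caller can match without presenting any capability,
    in descending weight order. A non-empty result is what the advisory describes."""
    hits = []
    for f in sorted(filters, key=lambda f: f.weight, reverse=True):
        if f.action != "PERMIT":
            continue
        fields = {fld for fld, _ in f.conditions}
        excludes_ac = ("APPCONTAINER", False) in f.conditions
        if "CAPABILITY" not in fields and not excludes_ac:
            hits.append(f.name)
    return hits


# Constructed approximation of the two default rules quoted in the advisory.
DEFAULT_FILTERS = [
    Filter("InternetClient Default Rule", 0x4000, "PERMIT",
           [("APPCONTAINER", True), ("CAPABILITY", "internetClient")]),
    Filter("Block Outbound Default Rule", 0x0001, "BLOCK",
           [("APPCONTAINER", True)]),
]

# Hypothetical filter standing in for the "certain executables" permit the advisory
# describes; it matches on image path only, so the AC check and capability are never consulted.
EXEMPTION_FILTER = Filter("Hypothetical executable exemption", 0x8000, "PERMIT",
                          [("IMAGE_PATH", r"C:\Windows\System32\exempt.exe")])

# Constructed callers (placeholder package SID).
SANDBOXED_WITH_CAP = Caller(r"C:\Program Files\WindowsApps\app\app.exe", "S-1-15-2-1",
                            frozenset({"internetClient"}))
SANDBOXED_NO_CAP = Caller(r"C:\Program Files\WindowsApps\app\app.exe", "S-1-15-2-1")
SANDBOXED_EXEMPT = Caller(r"C:\Windows\System32\exempt.exe", "S-1-15-2-1")

if __name__ == "__main__":
    all_filters = DEFAULT_FILTERS + [EXEMPTION_FILTER]
    for label, caller in [("AC + internetClient", SANDBOXED_WITH_CAP),
                          ("AC, no capability", SANDBOXED_NO_CAP),
                          ("AC, no capability, exempt image", SANDBOXED_EXEMPT)]:
        print(f"{label:35} -> {evaluate(all_filters, caller)}")
    print("capability-free permits:", audit_capability_free_permits(all_filters))
```

With only the two default rules, a sandboxed process without the capability falls through to the block rule; once a path-only permit filter sits above it, the same process connects as soon as it runs under the exempt image name, which is the escalation the advisory describes.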
After the public disclosure, the status of the issue was changed to “Started”, indicating that Microsoft has begun looking into it and that a fix is now in progress.
Microsoft WFP (Windows Filtering Platform)
Microsoft has not yet released a patch for this vulnerability. Further bug details are available in Project Zero's public disclosure.