

Rewterz Threat Alert – CVE-2018-20250 JNEC. A Ransomware Delivered Through WinRAR Exploit
March 21, 2019
Rewterz Threat Alert – Two new Magecart Data Breaches – IoCs
March 21, 2019
Severity
Medium
Analysis Summary
New bugs have been found in some of the kernel-mode drivers in Windows that could allow attackers to escalate privileges. The flaws are caused by missing checks when handling specific requests.
Some kernel-mode drivers shipped with Windows did not perform all of the access checks when handling specific (IRP_MJ_CREATE) requests. Kernel-mode code can force access checks on such a request, and a driver that ignores this opens the door to malicious activity.
An attacker who controls the arguments of a file create/open call could abuse the issue with requests originating from user mode, causing an IRP_MJ_CREATE request to be sent with the requestor mode set to KernelMode, and in this way escalate privileges.
This class of bug leads to local privilege escalation when the following two separate components are present.
- A kernel-mode Initiator (code which calls IoCreateFile or IoCreateFileEx) which sets the INPC (IO_NO_PARAMETER_CHECKING) and IFAC (IO_FORCE_ACCESS_CHECK) flags but doesn’t set OFAC (OBJ_FORCE_ACCESS_CHECK). This could be in a driver or the kernel itself.
- A vulnerable Receiver which uses RequestorMode during the handling of IRP_MJ_CREATE for a security decision but doesn’t also check the Flags for SFAC (SL_FORCE_ACCESS_CHECK).

An attacker would need to be able to direct the initiator to open a device object that is handled by the receiver. The security check in the receiver is bypassed because Irp->RequestorMode will be KernelMode and the SL_FORCE_ACCESS_CHECK flag is not examined.
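The receiver-side decision described above, as an added example that is not part of the original alert and is not Microsoft's or any driver's code: a simplified user-mode C model comparing a handler that trusts RequestorMode alone with one that also examines SL_FORCE_ACCESS_CHECK. The `CREATE_REQUEST` struct and all function names are hypothetical stand-ins for the IRP and its stack location; the sample requests are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-mode model, not WDK code. Values mirror wdm.h. */
typedef enum { KernelMode = 0, UserMode = 1 } MODE;
#define SL_FORCE_ACCESS_CHECK 0x01

/* Hypothetical stand-in for the IRP plus its create stack location. */
typedef struct {
    MODE RequestorMode;   /* models Irp->RequestorMode */
    unsigned char Flags;  /* models the stack location Flags */
} CREATE_REQUEST;

CREATE_REQUEST make_request(MODE mode, unsigned char flags) {
    CREATE_REQUEST r = { mode, flags };
    return r;
}

/* Vulnerable receiver: treats RequestorMode == KernelMode as trusted. */
bool skips_check_vulnerable(const CREATE_REQUEST *r) {
    return r->RequestorMode == KernelMode;
}

/* Hardened receiver: a set SL_FORCE_ACCESS_CHECK means the request must be
   checked as if it came from user mode, whatever RequestorMode says. */
bool skips_check_hardened(const CREATE_REQUEST *r) {
    if (r->Flags & SL_FORCE_ACCESS_CHECK)
        return false;
    return r->RequestorMode == KernelMode;
}

/* Open succeeds if the check is skipped or the caller passes it. */
bool open_allowed(const CREATE_REQUEST *r, bool caller_has_access,
                  bool (*skips_check)(const CREATE_REQUEST *)) {
    return skips_check(r) || caller_has_access;
}

int main(void) {
    /* Constructed cases; the caller lacks access in all of them. */
    CREATE_REQUEST cases[] = {
        make_request(KernelMode, SL_FORCE_ACCESS_CHECK), /* forwarded by initiator */
        make_request(KernelMode, 0),                     /* genuine kernel open */
        make_request(UserMode, 0),                       /* direct user-mode open */
    };
    for (int i = 0; i < 3; i++)
        printf("case %d: vulnerable=%d hardened=%d\n", i,
               open_allowed(&cases[i], false, skips_check_vulnerable),
               open_allowed(&cases[i], false, skips_check_hardened));
    return 0;
}
```

Only the first case differs between the two handlers: the forwarded request carries KernelMode together with SL_FORCE_ACCESS_CHECK, and the hardened handler refuses to skip the access check for it.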
Impact
Privilege Escalation
Affected Products
Microsoft Windows 10
Remediation
Microsoft will fix the bug in future versions of Windows; in the meantime, it plans to implement most of the fixes in Windows 10 19H1.
Any security updates will likewise be reported, whenever they are released.