Rewterz Threat Alert – CVE-2018-20250 JNEC. A Ransomware Delivered Through WinRAR Exploit
March 21, 2019Rewterz Threat Alert – Two new Magecart Data Breaches – IoCs
March 21, 2019Severity
Medium
Analysis Summary
Some new bugs reside in some of the kernel mode drivers in Windows that could allow attackers to escalate privileges. The flaws are caused by the lack of necessary checks when handling specific requests.
Some drivers shipped with Windows that run in kernel mode did not perform all of the access checks when handling specific (IRP_MJ_CREATE) requests. Kernel mode code could force access checks, opening the door to malicious activity.
An attacker controlling the arguments of a file create/open call could use requests originating from user mode to abuse the issue and send an IRP_MJ_CREATE request with a check set to KernelMode, in this way he could escalate privilege.
In order to define the class of bug that leads to local privilege escalation, there is a need for the following separate components.
- A kernel mode Initiator (code which calls IoCreateFile or IoCreateFileEx) which sets the INPC and IFAC flags but doesn’t set OFAC. This could be in a driver or the kernel itself.
- A vulnerable Receiver which uses RequestorMode during the handling of IRP_MJ_CREATE for a security decision but doesn’t also check the Flags for SFAC.
An attacker would need to be able to direct the initiator to open a device object that is handled by the receiver. The security check in the receiver is bypassed because the Irp->RequestorMode will be KernelMode, but the SL_FORCE_ACCESS_CHECK flag is not examined.
Impact
Privilege Escalation
Affected Products
Microsoft Windows 10
Remediation
Microsoft will solve the bug in the future versions of Windows OS, meantime, it plans to implement most of the fixes in Windows 10 19H1.
Any security updates will likewise be reported, whenever they are released.