memory corruption Archives

Winsage

April 22, 2025

Critical Windows Update Stack Vulnerability Allows Code Execution & Privilege Escalation

A security vulnerability identified as CVE-2025-21204 has been discovered in the Windows Update Stack, allowing local attackers to execute unauthorized code and escalate privileges to SYSTEM-level access. This vulnerability, with a CVSS score of 7.8 (High), affects Windows 10 versions 1507, 1607, and 1809, among likely other supported Windows 10/11 and Windows Server versions. The flaw arises from a design issue where Windows Update processes do not properly follow directory junctions, enabling attackers with limited user privileges to redirect trusted paths to locations containing malicious code. Microsoft has introduced a mitigation strategy in its April 2025 cumulative update, which includes creating a new folder at the root of system drives and implementing detection rules for suspicious junction creations. Organizations are advised to apply the April 2025 security updates, restrict ACLs on specific directories, prevent symbolic link creation, and monitor file creation activities in certain directories.

Winsage

April 9, 2025

Exploitation of CLFS zero-day leads to ransomware activity

The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) identified a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS), designated as CVE-2025-29824. This vulnerability has been exploited by the PipeMagic malware, attributed to the group Storm-2460, affecting organizations in various sectors across the U.S., Venezuela, Spain, and Saudi Arabia. Microsoft released security updates on April 8, 2025, to address this vulnerability. The exploit allows attackers with standard user privileges to escalate their access, and it was executed from a dllhost.exe process. The exploit utilizes memory corruption techniques and the RtlSetAllBits API to gain all privileges and inject processes into SYSTEM processes. Post-exploitation, the attackers injected a payload into winlogon.exe, leading to ransomware activity characterized by file encryption and the creation of ransom notes. Indicators of compromise include the creation of a CLFS BLF file at C:ProgramDataSkyPDFPDUDrv.blf, command lines associated with ransomware activities, and specific domains linked to PipeMagic. Microsoft advises applying security updates promptly and recommends strategies for mitigating ransomware threats, including enabling cloud-delivered protection and utilizing device discovery.

Winsage

March 5, 2025

Zero Day Initiative — CVE-2024-43639: Remote Code Execution in Microsoft Windows KDC Proxy

Integer overflows and memory corruption errors have been identified during the encoding of the kerb-message OCTET STRING field in the KDC Proxy. The ASN1encoder.buf is allocated a buffer of size 1,024, while ASN1encoder.current points to ASN1_encoder.buf + 4. The KDC Proxy accepts Kerberos responses with a maximum size of 4,294,967,295. When a Kerberos response is sent with a length from 4,294,967,291 to 4,294,967,295, an overflow occurs due to the addition being stored in a 4-byte unsigned variable, leading to a heap buffer overflow when ASN1BEREncCharString() calls memcpy(). Similarly, for responses with lengths between 4,294,966,267 and 4,294,967,290, an overflow occurs during reallocation, causing an out-of-bounds write or heap buffer overflow. An edge case arises when passing 0 as the new size to LocalReAlloc(), leading to an access violation. A remote, unauthenticated attacker could exploit this vulnerability for arbitrary code execution. Detection involves monitoring traffic on UDP port 389 and TCP port 88, focusing on Kerberos responses. If a response exceeds 0x80000000 bytes, it should be flagged as suspicious. The vulnerability was patched in November, and only KDC servers are at risk; domain controllers are unaffected. Immediate patching of all instances of the KPSSVC server is recommended.