New Windows Driver Signature bypass allows kernel rootkit installs

In a recent revelation, SafeBreach security researcher Alon Leviev has shed light on a concerning vulnerability within the Windows operating system. This issue allows attackers to downgrade essential kernel components, effectively circumventing critical security measures such as Driver Signature Enforcement (DSE). The implications of this vulnerability are significant, as it enables the deployment of rootkits on systems that are otherwise fully patched.

Downgrading Windows

Leviev’s findings, presented at the prestigious BlackHat and DEFCON security conferences, detail how an attacker can manipulate the Windows Update process to introduce outdated and vulnerable software components into an up-to-date system without altering its patched status. Leviev reported this update takeover issue to Microsoft, which dismissed it, asserting that it did not breach a defined security boundary. However, Leviev demonstrated that gaining kernel code execution as an administrator makes such an attack feasible.

To further illustrate the vulnerability, Leviev introduced a tool named Windows Downdate, which facilitates the creation of custom downgrades. This tool exposes a seemingly fully updated system to previously patched vulnerabilities through the use of outdated components, including DLLs, drivers, and the NT kernel. Leviev remarked, “I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term ‘fully patched’ meaningless on any Windows machine in the world.”

Despite advancements in kernel security over the years, Leviev successfully bypassed the DSE feature, demonstrating how attackers could load unsigned kernel drivers to deploy rootkit malware. This malware can disable security controls and conceal activities that might otherwise alert users to a compromise. Leviev noted, “In recent years, significant enhancements have been implemented to strengthen the security of the kernel, even under the assumption that it could be compromised with Administrator privileges.” However, he emphasized that the ability to downgrade kernel components simplifies the attack process.

Leviev aptly named his exploitation method “ItsNotASecurityBoundary” DSE bypass, which falls under the category of false file immutability flaws. This new class of vulnerabilities in Windows was described by Gabriel Landau of Elastic as a means to achieve arbitrary code execution with kernel privileges. Although Microsoft has patched the ItsNotASecurityBoundary admin-to-kernel privilege escalation, this fix does not safeguard against downgrade attacks.

Targeting the kernel

In his latest research, Leviev elaborates on how attackers can exploit the Windows Update process to bypass DSE protections by downgrading a patched component, even on fully updated Windows 11 systems. The crux of the attack lies in replacing ‘ci.dll,’ the file responsible for enforcing DSE, with an unpatched version that disregards driver signatures, thus circumventing Windows’ protective measures.

This replacement is triggered during the Windows Update process, taking advantage of a double-read condition wherein the vulnerable ci.dll is loaded into memory just after Windows initiates a check for the latest version of the file. This “race window” permits the loading of the outdated ci.dll while Windows believes it has verified the file, allowing unsigned drivers to infiltrate the kernel.
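The following is an added illustration, not code from SafeBreach, Microsoft or the article, of the check-then-load ordering the paragraph above describes. It stands in ordinary files and SHA-256 for the real signature check, and a scriptblock (`$Between`, a name chosen here) for whatever happens during the race window, so the two shapes can be compared deterministically: one re-opens the file after verifying it, the other verifies the very bytes it goes on to use.

```powershell
# Added example (not SafeBreach's or Microsoft's code). Models the "double-read"
# ordering with plain files and SHA-256; the real check is Authenticode and the
# real window is a timing gap, but the defect and the fix have the same shape.

function Get-Sha256Hex([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

# Vulnerable shape: verify the file on disk, then open the file AGAIN to load it.
# Whatever $Between does to the file is loaded as if it had been verified.
function Read-ImageCheckThenReread([string]$Path, [string]$ExpectedHash, [scriptblock]$Between) {
    $probe = [System.IO.File]::ReadAllBytes($Path)
    if ((Get-Sha256Hex $probe) -ne $ExpectedHash) { throw "verification failed for $Path" }
    & $Between $Path                                 # race window
    return [System.IO.File]::ReadAllBytes($Path)     # second read: never verified
}

# Hardened shape: read once, verify the buffer you hold, return that buffer.
function Read-ImageVerifyBuffer([string]$Path, [string]$ExpectedHash, [scriptblock]$Between) {
    $image = [System.IO.File]::ReadAllBytes($Path)
    if ((Get-Sha256Hex $image) -ne $ExpectedHash) { throw "verification failed for $Path" }
    & $Between $Path                                 # a swap on disk cannot touch $image
    return $image
}

# Constructed demonstration: 'ci.dll' here is only a temp file holding marker text.
$enc    = [System.Text.Encoding]::ASCII
$dir    = Join-Path ([System.IO.Path]::GetTempPath()) ('dse-demo-' + [guid]::NewGuid())
$null   = New-Item -ItemType Directory -Path $dir
$target = Join-Path $dir 'ci.dll'
[System.IO.File]::WriteAllBytes($target, $enc.GetBytes('PATCHED'))
$expected = Get-Sha256Hex ([System.IO.File]::ReadAllBytes($target))

# Stands in for the file being replaced inside the window.
$swapInWindow = { param($p) [System.IO.File]::WriteAllBytes($p, [System.Text.Encoding]::ASCII.GetBytes('OLD-UNPATCHED')) }

$got = Read-ImageCheckThenReread $target $expected $swapInWindow
'check-then-reread : loaded "{0}", matches verified hash: {1}' -f $enc.GetString($got), ((Get-Sha256Hex $got) -eq $expected)

[System.IO.File]::WriteAllBytes($target, $enc.GetBytes('PATCHED'))   # reset for the second run
$got = Read-ImageVerifyBuffer $target $expected $swapInWindow
'verify-buffer     : loaded "{0}", matches verified hash: {1}' -f $enc.GetString($got), ((Get-Sha256Hex $got) -eq $expected)

Remove-Item -LiteralPath $dir -Recurse -Force
```

The first call reports that the content loaded is the swapped-in marker and no longer matches the hash that was "verified"; the second reports the original content and a matching hash. The design point is that a verifier must bind its decision to the bytes that are actually consumed (the mapped image), not to a path that can be re-read.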

Figure: Loading the old DLL while Windows verifies the latest version (Source: SafeBreach)

In a compelling demonstration, Leviev showcased how he successfully reverted the DSE patch via a downgrade attack on a fully patched Windows 11 23H2 machine. His research also delves into methods for disabling or bypassing Microsoft’s Virtualization-based Security (VBS), which is designed to create an isolated environment to safeguard essential resources and security assets, including the secure kernel code integrity mechanism (skci.dll) and authenticated user credentials.

VBS typically relies on UEFI locks and registry configurations to prevent unauthorized alterations. However, Leviev pointed out that it can be disabled if not configured with maximum security settings. By performing targeted modifications to registry keys, attackers can replace critical VBS files, such as ‘SecureKernel.exe,’ with corrupt versions, thereby disrupting VBS’s functionality and facilitating the “ItsNotASecurityBoundary” bypass.
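As an added defender-side check, not part of the SafeBreach research or any Microsoft tooling, the script below audits a host for the two conditions the article describes: a code-integrity or kernel image whose file version has gone down since a recorded baseline, and a VBS configuration that is not locked. The baseline file location (`kernel-image-baseline.json` under `ProgramData`) and the function names are choices made here; the file list is taken from the article, the `Win32_DeviceGuard` class and the `DeviceGuard` registry values are documented by Microsoft, and the `Mandatory` value name is marked in the code as assumed.

```powershell
# Added example (not SafeBreach's or Microsoft's code): read-only posture check.
# Run once after a known-good update to record a baseline, then on a schedule.
# A version that goes DOWN between runs is the downgrade signal.

$sys32 = Join-Path $env:SystemRoot 'System32'
# Images named in the article, at their standard locations.
$watched = 'ci.dll', 'ntoskrnl.exe', 'SecureKernel.exe', 'skci.dll' |
    ForEach-Object { Join-Path $sys32 $_ }
# Assumed baseline location; point it wherever your tooling keeps state.
$baselinePath = Join-Path $env:ProgramData 'kernel-image-baseline.json'

function Get-ImageRecord([string]$Path) {
    $v   = (Get-Item -LiteralPath $Path).VersionInfo
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path    = $Path
        Version = ('{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
        Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigOk   = ($sig.Status -eq 'Valid')
    }
}

# Emits one finding string per problem; nothing emitted means nothing changed.
function Compare-ImageBaseline($Current, $Baseline) {
    foreach ($rec in $Current) {
        $old = $Baseline | Where-Object { $_.Path -eq $rec.Path }
        if (-not $old) { continue }
        $newV = [version]$rec.Version; $oldV = [version]$old.Version
        if ($newV -lt $oldV) {
            "DOWNGRADE $($rec.Path): $oldV -> $newV"
        } elseif ($newV -eq $oldV -and $rec.Sha256 -ne $old.Sha256) {
            "MODIFIED  $($rec.Path): same version $newV, different SHA-256"
        }
        if (-not $rec.SigOk) { "BADSIG    $($rec.Path): Authenticode status is not 'Valid'" }
    }
}

# VBS/HVCI state from the Win32_DeviceGuard class Windows ships, plus the
# registry lock values from Microsoft's DeviceGuard documentation.
function Get-VbsPosture {
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $vbs  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $hvci = Get-ItemProperty -Path "$key\Scenarios\HypervisorEnforcedCodeIntegrity" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 0 off, 1 enabled but not running, 2 running
        HvciRunning  = ($dg.SecurityServicesRunning -contains 2)      # 2 = hypervisor-enforced code integrity
        VbsUefiLock  = ($vbs.Locked -eq 1)
        HvciUefiLock = ($hvci.Locked -eq 1)
        VbsMandatory = ($vbs.Mandatory -eq 1)   # 'Mandatory' value name assumed from Microsoft docs; verify for your build
    }
}

$current = $watched | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { Get-ImageRecord $_ }
if (-not (Test-Path -LiteralPath $baselinePath)) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $baselinePath
    "Baseline written to $baselinePath"
} else {
    $baseline = Get-Content -LiteralPath $baselinePath -Raw | ConvertFrom-Json
    $findings = @(Compare-ImageBaseline $current $baseline)
    if ($findings.Count) { $findings } else { 'No downgrade, modification or signature problem against baseline.' }
}
Get-VbsPosture | Format-List
```

Two caveats matter when reading the output. The downgraded `ci.dll` in the article is a genuine older Microsoft build, so `SigOk` stays `True` for it; the version comparison against the baseline, not the signature check, is what surfaces the downgrade, and the baseline has to be refreshed after each legitimate update or the next run will only report the version going up. On a host configured the way the article calls "maximum security settings", `VbsUefiLock`, `HvciUefiLock` and `VbsMandatory` should all read `True`; a `False` there is the configuration gap Leviev describes as making VBS disableable through registry changes.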

Figure: Ignoring the VBS configuration during boot (Source: SafeBreach)

Leviev’s research underscores the ongoing risk of downgrade attacks through various pathways, even when such attacks may require elevated privileges. He emphasizes the necessity for endpoint security tools to vigilantly monitor downgrade procedures, regardless of whether they traverse critical security boundaries.
