fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Windows Zero-day With Bad Patch Gets New Public Exploit Code

Windows Zero-day With Bad Patch Gets New Public Exploit Code

Back in June, Microsoft released a fix for a vulnerability in the Windows operating system that enabled attackers to increase their permissions to kernel level on a compromised machine. The patch did not stick.

The issue, which advanced hackers exploited as a zero-day in May, is still exploitable but by a different method as security researchers demonstrate with publicly available proof-of-concept code.

Old new vulnerability

Google Project Zero security researcher Maddie Stone discovered that Microsoft’s patch in June did not fix the original vulnerability (CVE-2020-0986) and it can still be leveraged with some adjustments.

In May 2020, the issue was exploited in the wild for privilege escalation along with a bug in Internet Explorer that allowed remote code execution. Both flaws were zero-days at the time of the attack discovered by Kaspersky.

Also Read: What is Pentest Report? Here’s A Walk-through

Stone says that an attacker can still trigger CVE-2020-0986 to increase their permissions to kernel level by sending an offset instead of a pointer.

On Twitter, the researcher spells it out saying that the original bug was an arbitrary pointer dereference allowing an attacker to control the “src” and “dest” pointers to a memcpy function.

Microsoft’s patch was improper because it changed the pointers to offsets, so the function’s parameters could still be controlled.

In a short, technical report today, she explains how to trigger the vulnerability, now identified as CVE-2020-17008:

A low integrity process can send LPC messages to splwow64.exe (Medium integrity) and gain a write-what-where primitive in splwow64’s memory space. The attacker controls the destination, the contents that are copied, and the number of bytes copied through a memcpy call. The offset for the destination pointer calculation is only constrained to be:

Offset <= 0x7FFFFFFF
Offset + perceived size of structure <= 0x7FFFFFFF

Splwow64 passes the LPC message to GdiPrinterThunk. The vulnerable memcpy is in message 0x6D.

To show that exploitation is still possible after Microsoft’s patch, Stone published proof-of-concept (PoC) code adapted from the original one from Kaspersky, along with instructions on how to run it properly.

The researcher adds that what the PoC does is trigger the vulnerability twice: “first to leak the heap address where the message is stored and what the offset is added to generate the pointers and then to do the write-what-where.”

Microsoft received a report on September 24 and confirmed the issue a day later, assigning it the tracking number CVE-2020-17008. The company planned a patch for November 2020, but problems identified during the testing stage pushed the release to the next Patch Tuesday, on January 12, 2021.

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

Google Project Zero has a vulnerability disclosure policy of 90 days, with an extension of 14 days if more time is needed to push a fix. As Microsoft informed that a patch would not be available before January 6, neither of the two deadlines could be met.

Furthermore, as Stone says, attackers have exploited the bug in the past, are familiar with it, and could leverage it again when an incorrect fix is available.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us