The latest Windows 8.1 update added a feature that allows application compatibility data to be cached for quick reuse when new processes are created. But a privilege escalation flaw opens the door for abuse.
The intended behavior is this: a normal user can query the cache but cannot add new cached entries, as that operation is restricted to administrators. A dedicated function performs this check. However, it turns out that this function doesn't correctly inspect the caller's impersonation token to determine whether the user is an administrator.
“It reads the caller's impersonation token…and then does a comparison between the user SID in the token to LocalSystem's SID,” explained Google Project Zero researchers, writing on the search giant’s vulnerability database. “It doesn't check the impersonation level of the token, so it's possible to get an identify token on your thread from a local system process and bypass this check.”
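The bypass described above hinges on the difference between a token's user SID and its impersonation level. The following is an added illustration, not code from the Project Zero report or from Windows: it models a token as a plain struct, shows the SID-only comparison the researchers describe beside a version that also refuses tokens below SecurityImpersonation, and exercises both with constructed tokens. The impersonation level constants carry the values of the real SECURITY_IMPERSONATION_LEVEL enumeration; the token struct, the SID-as-string representation and the function names are assumptions made for the model. Real Windows code would obtain the level with NtQueryInformationToken/GetTokenInformation and the TokenImpersonationLevel class rather than from a field like this.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Values of the real Windows SECURITY_IMPERSONATION_LEVEL enumeration. */
enum impersonation_level {
    SecurityAnonymous      = 0,  /* caller cannot be identified at all      */
    SecurityIdentification = 1,  /* identity readable, cannot be acted upon */
    SecurityImpersonation  = 2,  /* server may act as the client locally    */
    SecurityDelegation     = 3   /* server may act as the client remotely   */
};

/* Well-known LocalSystem SID (S-1-5-18), kept as an SDDL string for the model. */
static const char LOCAL_SYSTEM_SID[] = "S-1-5-18";

/* Constructed model of an access token; not a Windows structure. */
struct token {
    const char *user_sid;            /* user SID in SDDL string form */
    enum impersonation_level level;  /* how far the token may be used */
};

/* Flawed check, as the article describes it: the user SID is compared to
 * LocalSystem's SID and nothing else is examined.  An identification-level
 * token copied from a LocalSystem process passes this test even though it
 * grants the caller no right to act as LocalSystem. */
bool is_admin_context_flawed(const struct token *t)
{
    return strcmp(t->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Hardened check: the identity in an impersonation token is only trustworthy
 * for an authorization decision when the token is at least
 * SecurityImpersonation.  Identification and anonymous tokens are refused
 * before the SID is even looked at. */
bool is_admin_context_checked(const struct token *t)
{
    if (t->level < SecurityImpersonation)
        return false;
    return strcmp(t->user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* True when the flawed check admits a token that the hardened check refuses,
 * i.e. the token exhibits exactly the gap the researchers reported. */
bool demonstrates_bypass(const struct token *t)
{
    return is_admin_context_flawed(t) && !is_admin_context_checked(t);
}

int main(void)
{
    /* Constructed sample tokens. */
    struct token ident_system = { LOCAL_SYSTEM_SID, SecurityIdentification };
    struct token imp_system   = { LOCAL_SYSTEM_SID, SecurityImpersonation };
    struct token imp_user     = { "S-1-5-21-1000-2000-3000-1001", SecurityImpersonation };

    printf("identification token, LocalSystem SID: flawed=%d checked=%d bypass=%d\n",
           is_admin_context_flawed(&ident_system),
           is_admin_context_checked(&ident_system),
           demonstrates_bypass(&ident_system));
    printf("impersonation token, LocalSystem SID:  flawed=%d checked=%d\n",
           is_admin_context_flawed(&imp_system),
           is_admin_context_checked(&imp_system));
    printf("impersonation token, ordinary user:    flawed=%d checked=%d\n",
           is_admin_context_flawed(&imp_user),
           is_admin_context_checked(&imp_user));
    return 0;
}
```

The point of the model is the first case: the two checks disagree only for a LocalSystem-SID token at identification level, which is precisely the token a low-privilege caller can end up holding, so the SID comparison alone is not an authorization decision.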
To demonstrate the vulnerability, Google created a proof of concept (PoC) in which a cache entry is made for a UAC auto-elevate executable (such as ComputerDefaults.exe). Any executable could be used, as long as there is a suitable pre-existing app compatibility configuration to abuse. From there, anyone can gain administrative access to the machine and associated networks.
The PoC was tested on Windows 8.1 Update, in both 32-bit and 64-bit versions, and works. However, “It's unclear if Windows 7 is vulnerable as the code path for update has a TCB privilege check on it (although it looks like depending on the flags this might be bypassable),” Google noted.
The vulnerability was reported to Microsoft in September and has just now been made public since it hasn’t yet been patched. Microsoft’s next Patch Tuesday is scheduled for Jan. 13.