No patch yet: Security researcher robs Windows of all protection functions

If the conditions are right, attackers can manipulate Windows Update to replace any Windows components with outdated, vulnerable predecessors.



By Uli Ries
This article was originally published in German and has been automatically translated.

A security researcher from SafeBreach has developed the "Windows Downdate" tool, with which he can misuse the Windows Update mechanism on Windows 10, Windows 11 and the server variants to install arbitrary older, and therefore vulnerable, versions of any Windows component. However, such an attack cannot be carried out without preconditions.

At the Black Hat and Def Con 32 hacker conferences, the researcher demonstrated how attackers can downgrade particularly sensitive system components such as the Windows kernel or hypervisor. He describes further details of his attack in a blog post.

He claims to have reported the vulnerability to Microsoft in February. There are currently no security updates that completely close the vulnerability. In the course of the current patchday, Microsoft has at least published two security advisories (CVE-2024-38202 and CVE-2024-21302), which are intended to reduce the risk.

Security researcher Alon Leviev was able to manipulate the Windows update process in order to replace essential system components with vulnerable versions.

(Image: SafeBreach)

Microsoft benefits from the fact that carrying out the attack requires either local administrator rights or getting a local user to trigger a system restore.

The aim of his research was to attack Windows in a way that could neither be detected by EDR solutions nor undone by system monitoring tools.

While investigating Windows Update, the researcher reportedly came across the Windows registry entry that causes the responsible Windows component (poqexec.exe) to process the "action file" (pending.xml, found in %windir%\WinSxS before a restart), which contains the instructions for pending updates. Normally, the Windows update server pushes the action file to the client, where it is processed on the next restart.

However, this registry key can be freely edited, so the Trusted Installer service (Windows Modules Installer) executes the instructions the security researcher stored in the registry and processes a manipulated action file even without any command from the update server. In his example, he uses the "HardlinkFile" command in the XML file to instruct the updater to copy the outdated Windows component he has selected over the existing one.

This procedure becomes interesting in connection with Virtualization Based Security (VBS), a specially protected virtual environment. Microsoft developed VBS, among other things, to keep protecting secrets on Windows systems that have already been compromised. With the UEFI Lock protection function, Microsoft has prevented users with admin rights from disabling VBS: instead of storing the VBS configuration in the registry, UEFI Lock places the information in a UEFI variable that can only be accessed during the boot process.

The researcher was surprised to see that a VBS Secure Kernel pushed onto the computer via Windows Downdate, but not digitally signed by Microsoft, did not cause the boot process to abort. Instead, the PC booted normally, but Windows deactivated VBS, and with it the Credential Guard function, because of the missing signature.

The researcher then deactivated Protected Process Light (PPL) by installing a vulnerable version of the corresponding Windows component. PPL allows specially signed applications to run in such a way that even administrators cannot modify or terminate them. He also disabled Windows Defender, so the anti-virus protection was inactive as well.

This combination makes it possible to dump Local Security Authority Subsystem Service (LSASS) credentials and extract NTLM hashes using Mimikatz. In the same way, he was also able to downgrade the hypervisor underlying VBS to a two-year-old version that is vulnerable to privilege escalation. This ultimately allows a potential attacker to gain full control over the entire virtualization stack (ring -1) from restricted user mode (ring 3).
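The chain described above leaves a recognisable footprint on a host: kernel, Secure Kernel or hypervisor binaries older than the running OS build, VBS and Credential Guard no longer running, LSA protection (PPL) switched off, Defender real-time protection disabled, and a pending.xml sitting in %windir%\WinSxS with no update to explain it. The following PowerShell health check is an added example written for this article; it is neither heise's nor SafeBreach's code and is not the Windows Downdate tool. The function name Get-DowngradeIndicators is an assumption of this example, as is the version heuristic: a build number (third version field) that differs from the OS build is treated as a strong indicator, while an older revision (UBR) is only reported for review, because Windows Update legitimately leaves files it did not touch at an older revision. It uses only standard Windows interfaces (the CurrentVersion and Lsa registry keys, the Win32_DeviceGuard WMI class, Get-MpComputerStatus) and is meant to be run from an elevated PowerShell 5.1 or later session.

```powershell
# Added defender-side health check (example code, not from the article or SafeBreach).
# Reports the indicators a component downgrade of the kind described would leave behind.
function Get-DowngradeIndicators {
    [CmdletBinding()]
    param()

    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $osBuild = [int]$cv.CurrentBuild      # e.g. 22631
    $osUbr   = [int]$cv.UBR               # update build revision, e.g. 4037

    # Sensitive binaries named in the article: kernel, Secure Kernel and hypervisor.
    # hvix64.exe (Intel) or hvax64.exe (AMD): whichever exists is the hypervisor in use.
    $targets = @('ntoskrnl.exe', 'securekernel.exe', 'hvix64.exe', 'hvax64.exe') |
        ForEach-Object { Join-Path $env:windir "System32\$_" } |
        Where-Object { Test-Path $_ }

    $components = foreach ($path in $targets) {
        $v = (Get-Item $path).VersionInfo.FileVersionRaw   # System.Version, 10.0.<build>.<ubr>
        [pscustomobject]@{
            File             = Split-Path $path -Leaf
            FileVersion      = $v.ToString()
            # Heuristic (assumption of this example): the build field must match the
            # running OS; a different build means the file belongs to another Windows release.
            BuildMismatch    = ($v.Build -ne $osBuild)
            # A revision behind the OS is normal for files the last update did not touch,
            # so it is reported for human review rather than flagged.
            RevisionBehindOs = ($v.Revision -lt $osUbr)
        }
    }

    # VBS and Credential Guard state from the DeviceGuard WMI provider.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = enabled and running
    $cgRunning  = ($dg.SecurityServicesRunning -contains 1)      # 1 = Credential Guard

    # LSA protection (PPL): RunAsPPL of 1 or 2 means LSASS runs as a protected process.
    $lsa    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $lsaPpl = ($lsa.RunAsPPL -in @(1, 2))

    # Defender real-time protection; the cmdlet is absent when Defender is not installed.
    $rtp = $null
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $rtp = (Get-MpComputerStatus).RealTimeProtectionEnabled
    }

    # A pending.xml in WinSxS is legitimate right after Windows Update stages a change;
    # one present without a corresponding update is worth inspecting.
    $pendingXml = Join-Path $env:windir 'WinSxS\pending.xml'

    [pscustomobject]@{
        OsBuild                = "$osBuild.$osUbr"
        Components             = $components
        AnyBuildMismatch       = [bool]($components | Where-Object BuildMismatch)
        VbsRunning             = $vbsRunning
        CredentialGuardRunning = $cgRunning
        LsaProtectionEnabled   = $lsaPpl
        DefenderRealTime       = $rtp
        PendingActionFile      = (Test-Path $pendingXml)
    }
}

# Usage: run elevated, then review anything flagged.
$r = Get-DowngradeIndicators
$r | Format-List
$r.Components | Format-Table -AutoSize
if ($r.AnyBuildMismatch -or -not $r.VbsRunning -or -not $r.LsaProtectionEnabled) {
    Write-Warning 'One or more protections are not in the expected state; investigate before trusting this host.'
}
```

The check is deliberately read-only and does not touch the registry entry or action file the article describes; its value is in the combination of indicators, since any single one (an older hypervisor revision, a pending.xml after a normal update) can occur legitimately, whereas a build mismatch together with VBS and PPL unexpectedly off matches the pattern described above.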

Even if there are hurdles to overcome for such an attack, Microsoft should act promptly and protect Windows from the downgrade attack described. However, it is not yet clear when and in what form this will happen.

(emw)