New ‘False File Immutability’ Vulnerability Poses Significant Threat to Windows Security

False File Immutability

A newly discovered vulnerability class, termed “False File Immutability” (FFI), has raised serious concerns within the cybersecurity community due to its potential to circumvent Windows Code Integrity (CI), a critical security mechanism. The vulnerability, identified and detailed by Gabriel Landau of Elastic Security, exposes a flaw in the assumption that files opened without write permissions cannot be modified.

Windows vulnerability

Attack diagram

Landau’s proof-of-concept exploit, aptly named “ItsNotASecurityBoundary,” showcases the severity of FFI. By manipulating file attributes and race conditions, the exploit enables attackers to inject malicious code into a trusted security catalog, effectively bypassing signature verification processes and granting them the ability to load arbitrary drivers, including unsigned and potentially harmful ones.

The root of this exploit lies in a concept known as False File Immutability (FFI). FFI occurs when software incorrectly assumes that files cannot be modified because they were opened without FILE_SHARE_WRITE permissions. Despite these permissions, attackers can still modify files in certain situations, leading to what is termed as “double-read vulnerabilities.” These vulnerabilities arise when the same value or offset within a file is read more than once, potentially causing inconsistencies and exploitation opportunities.

FFI can affect both traditional I/O operations (like ReadFile) and memory-mapped I/O operations (like MapViewOfFile), impacting both user-mode and kernel-mode code.

ItsNotASecurityBoundary leverages the FFI assumption within Windows Code Integrity (ci.dll). The exploit manipulates CI into accepting a malicious security catalog containing fraudulent authentihashes. By doing so, the attacker can trick the kernel into loading any driver of their choosing, even if it is unsigned.

While the exploit’s successful execution requires a complex sequence of events and precise timing, its implications are far-reaching. Once an attacker gains the ability to bypass Code Integrity, they can disable security software, evade detection mechanisms, and deploy malware with relative ease, thus compromising the integrity and security of the entire system.

To mitigate this threat, Landau has released a kernel driver, “FineButWeCanStillEasilyStopIt,” which detects and blocks the exploit by monitoring for suspicious file modifications. However, this serves as a temporary solution, as a comprehensive fix within Windows Code Integrity itself is necessary to fully address the underlying vulnerability.