Google's Project Zero team found a Windows zero-day vulnerability
Google's Project Zero team recently disclosed a zero-day vulnerability in Windows 10 that bypasses the Windows Lockdown Policy (WLDP) and allows arbitrary code to run. The vulnerability has not been fixed yet. The researchers found it on a Windows 10 S system with User Mode Code Integrity (UMCI) enforced: a flaw in how .NET COM objects are instantiated bypasses the WLDP COM class lockdown, which is meant to restrict which COM classes a script can create. The researchers believe the flaw affects not only Windows 10 S but any Windows 10 system running with the same lockdown policy enabled.
The problem is in how the WLDP COM class lockdown policy behaves when a .NET COM object is loaded. Normally the lockdown policy contains a hard-coded list of between 8 and 50 COM objects that enlightened scripting engines are allowed to instantiate. Even if an attacker can register an existing DLL under one of the allowed CLSIDs, a sound implementation would still check the CLSID passed to the DLL's DllGetClassObject export against that internal list. The vulnerability is that when a .NET COM object is loaded, the CLSID passed to DllGetClassObject is used only to look up the registration information under HKEY_CLASSES_ROOT (HKCR); after that the CLSID is discarded and the .NET object is created regardless. An attacker can therefore add registry keys, including under the per-user HKEY_CURRENT_USER (HKCU) hive, which is merged into the HKCR view, that cause an arbitrary COM-visible .NET class to be loaded under one of the allowed CLSIDs.
An attacker can use Forshaw's freely available DotNetToJScript tool to generate JScript that bootstraps arbitrary .NET code. Forshaw also released two proof-of-concept files: an .INF file that sets the required registry keys, and an .SCT file that demonstrates the flaw by loading untrusted .NET code in memory and popping up a message box.
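Because the bypass described above depends on per-user (HKCU) COM registrations overriding the machine-wide view, a practitioner's first check on a locked-down host is to enumerate those registrations. The script below is an added example written for this page; it is not Forshaw's proof of concept, and it does not reproduce the .INF contents. It assumes it is run as the user whose hive is to be inspected, and, since the list of allowed CLSIDs is not given on this page, it simply reports every HKCU CLSID that either shadows an HKLM registration or is served by mscoree.dll (the server registered for COM-visible .NET classes, which carry Class and Assembly values under InprocServer32).

```powershell
# Added example, not part of the original article or of Project Zero's report.
# Lists per-user COM class registrations that could shadow machine-wide ones.
# Assumption: run in the context of the user whose HKCU hive should be inspected.

$userClsidRoot    = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
$machineClsidRoot = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'

if (-not (Test-Path $userClsidRoot)) {
    Write-Output 'No per-user CLSID registrations found.'
    return
}

Get-ChildItem -Path $userClsidRoot | ForEach-Object {
    $clsid  = $_.PSChildName
    $inproc = "$($_.PSPath)\InprocServer32"
    # Only in-process servers matter for this bypass; skip classes without one.
    if (-not (Test-Path $inproc)) { return }

    $props  = Get-ItemProperty -Path $inproc
    $server = $props.'(default)'

    # Does the same CLSID also exist machine-wide? If so the HKCU entry wins
    # in the merged HKCR view for this user.
    $shadowsMachine = Test-Path "$machineClsidRoot\$clsid"

    # .NET COM-visible classes are served by mscoree.dll and carry
    # Class/Assembly values that name the managed type to load.
    $isDotNetServer = [bool]($server -and ($server -match 'mscoree\.dll$'))

    [pscustomobject]@{
        CLSID        = $clsid
        Server       = $server
        DotNetClass  = $props.Class
        Assembly     = $props.Assembly
        ShadowsHKLM  = $shadowsMachine
        DotNetServer = $isDotNetServer
    }
} | Where-Object { $_.ShadowsHKLM -or $_.DotNetServer } | Format-Table -AutoSize
```

Any row where ShadowsHKLM and DotNetServer are both true is a per-user .NET class registered over a machine-wide CLSID and deserves a closer look at the named assembly; on a system that has never had per-user COM components installed, the script should produce no output at all.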
The vulnerability was reported to Microsoft on January 19th this year. After the 90-day disclosure deadline passed, Microsoft had neither fixed it nor announced a schedule for a fix. Fortunately the flaw is limited in scope, so its publication should have little impact: only Windows 10 systems with Device Guard enabled (such as Windows 10 S) are affected, it cannot be exploited remotely, and it does not provide privilege escalation.
Source: securityaffairs