Dark Reading is part of the Informa Tech Division of Informa PLC


Researcher Developed New Kernel-Level Exploits for Old Vulns in Windows

Problem has to do with a print driver component found in all versions of Windows going back to Windows 7, security researcher from Singular Security Lab says at Black Hat Europe 2020.

A couple of vulnerabilities that a security researcher from China-based Singular Security Lab disclosed at this week's Black Hat Europe 2020 virtual event have highlighted once again why it's dangerous for organizations to underestimate the threat from old, overlooked bugs in commonly used software products.

The newly disclosed bugs exist in Windows code found in versions of the operating system from the latest iteration of Windows 10 all the way back to at least Windows 7 from 2009. The privilege escalation bugs give attackers a way to gain complete control of vulnerable systems.


According to security researcher Rancho Han at Singular Security, the problem specifically exists in an old and barely known component in the Windows kernel called user mode print driver (UMPD).

The driver consists of two main components: a printer graphics dynamic link library (DLL) that assists the graphics device interface in rendering a print job and sending the job to the print spooler; and a printer interface DLL that the spooler uses to notify the driver of print-related events, Han said in his Black Hat presentation.

The problem exists in the interaction between the UMPD and certain Windows kernel functions. According to Han, when a user initiates some kinds of print-related functions, the UMPD interacts with the graphics engine and receives what are known as "callbacks" from the kernel. The manner in which the interaction takes place gives attackers an opportunity to insert malicious code into the process, which is then executed at the Windows kernel level.

"When you create a user object in user space and when you create some functions to call back to user space, an attacker could … modify the object; when the kernel reuses the object, it could create many security issues," Han said.
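The pattern Han describes, reduced to a toy C model as an added example; it is not code from the presentation, from Microsoft, or from Windows. The `surf_t` object, the two callbacks and both fill functions are hypothetical names, and the "kernel" here is ordinary user-space code that contrasts trusting a value read before the callback with revalidating the object after it returns.

```c
#include <stddef.h>
#include <string.h>

/* Toy model (constructed): an object whose fields can change while a
   callback runs. buf is physically 64 bytes; len is its logical size. */
typedef struct { unsigned gen; size_t len; unsigned char buf[64]; } surf_t;
typedef void (*user_cb)(surf_t *);

/* Callback that leaves the object alone. */
static void cb_benign(surf_t *s) { (void)s; }

/* Callback that changes the object behind the caller's back:
   shrinks it and bumps the generation, as a free/reallocate would. */
static void cb_mutating(surf_t *s) { s->len = 8; s->gen++; }

/* BEFORE: the length is read once, the callback runs, and the stale
   value is trusted afterwards. Returns the number of bytes written. */
static size_t fill_unchecked(surf_t *s, user_cb cb) {
    size_t n = s->len;          /* checked before the callback */
    cb(s);                      /* control leaves the "kernel" here */
    memset(s->buf, 0xAA, n);    /* n may no longer match s->len */
    return n;
}

/* AFTER: every field is untrusted once the callback returns.
   Returns bytes written, or -1 if the object changed. */
static long fill_revalidated(surf_t *s, user_cb cb) {
    unsigned gen = s->gen;
    cb(s);
    if (s->gen != gen || s->len > sizeof s->buf)
        return -1;              /* replaced or resized: refuse to continue */
    memset(s->buf, 0xAA, s->len);
    return (long)s->len;
}

/* Run one variant on a fresh 32-byte object and report how many bytes
   were written past the object's current logical length. */
static long overrun(int hardened, user_cb cb) {
    surf_t s = { .gen = 1, .len = 32 };
    long n = hardened ? fill_revalidated(&s, cb) : (long)fill_unchecked(&s, cb);
    return n < 0 ? 0 : (n > (long)s.len ? n - (long)s.len : 0);
}

int main(void) {
    return (overrun(0, cb_mutating) == 24 && overrun(1, cb_mutating) == 0
            && overrun(1, cb_benign) == 0) ? 0 : 1;
}
```
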

Microsoft, which patched the issues months ago, has described the issue as an escalation of privilege vulnerability that an attacker already logged in to a vulnerable system would be able to exploit. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," Microsoft said in its advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

According to Microsoft, attacks targeting the vulnerability are hard to pull off and would require an adversary to invest considerable time in understanding the target environment and in building out an attack. However, a successful attack could result in complete loss of confidentiality, system integrity, and availability, the software giant said.

Han's use of the Windows user-mode callback mechanism to launch kernel-level attacks builds on previous work that security researcher Tarjei Mandt disclosed at Black Hat USA in 2011. That work resulted in as many as 44 privilege escalation vulnerabilities being subsequently patched.

Interestingly, the vulnerabilities that Han exploited are the result of a Microsoft effort to make Windows safer. Originally, printer driver modes were loaded into the Windows kernel. But starting with Windows Vista, Microsoft made a big change and began running the print drivers in user mode. "The change was made as a security enhancement," Han said. "Once moved to user mode, bugs in the printer driver would have a much-reduced security impact" compared with kernel-level drivers, he said.

However, the manner in which the kernel callbacks to user mode were implemented created an entirely new attack surface, the security researcher noted.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
