Pierluigi Paganini
January 03, 2015
The experts at the Google Project Zero team have ethically disclosed the details of an unpatched Windows 8.1 vulnerability reported to Microsoft in September. The team has waited for 90 days before publicly disclose the details of the flaw in compliance with its disclosure policy.
“This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.”
Unfortunately, Microsoft still hasn’t issued a patch for the Windows 8.1 flaw that could be exploited by an attacker to elevate his privileges on a target machine to gain administrator access. Security experts believe that Microsoft will release a fix in the next set of Patch Tuesday security bulletins, which are scheduled for Jan. 13.
In order to exploit the vulnerability, the attackers need valid logon credentials to use locally.
According the Google researcher James Forshaw, the flaw affects the NtApphelpCacheControl system call that is used by Windows 8.1 systems for quick caching of application data. According to researchers, the system doesn’t validate correctly the user’s impersonation token, in particular it is not able to manage his privileges.
“It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID. It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check,” Forshaw wrote in an advisory on the Google vulnerability database. “For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways.”
Forshaw explained that he wasn’t sure that the vulnerability affects also Windows 7 systems, he provided a proof-of-concept exploit code was tested only on Windows 8.1 update, on both 32- and 64-bit versions.
“It’s unclear if Windows 7 is vulnerable as the code path for update has a TCB privilege check on it (although it looks like depending on the flags this might be bypassable). No effort has been made to verify it on Windows 7. NOTE: This is not a bug in UAC, it is just using UAC auto elevation for demonstration purposes.” states the advisory.
Below the steps to follow to exploit the vulnerability on Windows 8.1 systems:
1) Put the AppCompatCache.exe and Testdll.dll on disk 2) Ensure that UAC is enabled, the current user is a
2) Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).
3) Execute AppCompatCache from the command prompt with the command line “AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll”.
4) If successful then the calculator should appear running as an administrator. If it doesn’t work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run.
The PoC for the Windows 8.1 vulnerability is available at the following URL:
The “Project Zero” started by Google involves a team of Star Hackers and Bug Hunters with the purpose to improve security of the Internet. Google hired a team of top security researchers that work to discover most severe security vulnerabilities in applications and services around the world and to fix them.
(Security Affairs – Windows 8.1, Google Project Zero)
