Pierluigi Paganini
June 23, 2017
Security flaws in Microsoft PatchGuard kernel protection could be exploited by attackers to install rootkits on machines running the secure Windows 10 operating system.
The PatchGuard, also known as Kernel Patch Protection, is a software protection utility that been designed to forbid the kernel of 64-bit versions of Windows OS from being patched in order to prevent rootkit infections or the execution of malicious code at the kernel level.
The security experts at CyberArk Labs have devised a new attack technique dubbed GhostHook attack that bypasses Windows 10 PatchGuard protections.
The GhostHook ,attack is a new hooking technique that requires a hacker to have already compromised a system and running code in the kernel. This implies that hackers took over the system first using a hacking exploit or delivering a malware.
“this is neither an elevation nor an exploitation technique. This technique is intended for post-exploitation scenario where the attacker has control over the asset. Since malicious kernel code (rootkits) often seeks to establish persistence in unfriendly territory, stealth technology plays a fundamental role.” states the analysis published by CyberArk Labs.
Once a system is compromised, the attackers can implant a rootkit in its kernel that is totally transparent to security solutions, including the PatchGuard.
In a second stage of the attack, the GhostHook attack set up a permanent, secret presence on a compromised machine running 64-bit Windows 10 OS.
According to the researchers at CyberArk, the problem could be very difficult to patch, because the GhostHook attack leverages the technique to gain control of critical kernel structures.
GhostHook attack bypasses PatchGuard by exploiting a weakness in Microsoft’s implementation of a feature in Intel processors called Intel PT (Processor Trace).
The Intel PT is an extension of Intel Architecture that captures information about software execution using dedicated hardware facilities that cause have no impact on the software being traced.
The Intel PT enables security vendors to monitor and trace commands that are executed in the CPU allowing the identification of malicious exploits and malware.
“So basically, Intel PT provides low overhead hardware that executes tracing on each hardware thread using dedicated hardware (implemented entirely in hardware) in the CPU’s Performance Monitoring Unit (PMU). Intel PT can trace any software the CPU runs including hypervisors (except for SGX secure containers).” states the analysis published by CyberArk.“This technology is primarily used for performance monitoring, diagnostic code coverage, debugging, fuzzing, malware analysis and exploit detection.”
Researchers have found a way to abuse the Intel PT technology, the hackers can take advantage of the “buffer-is-going-full notification mechanism” to take control of the execution of the thread.
“How can we achieve that with Intel PT? Allocate an extremely small buffer for the CPU’s PT packets,” continues the analysis. “This way, the CPU will quickly run out of buffer space and will jump the PMI handler. The PMI handler is a piece of code controlled by us and will perform the ‘hook.'”
Another worrisome aspect of the GhostHook attack is that Microsoft downplayed it and it will not issue any emergency patch, but it may address the issue only in a future version of Windows.
“The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system,” said a Microsoft’s spokesperson. “As such, this does not meet the bar for servicing in a security update however it may be addressed in a future version of Windows. As such I have closed this case.” reads the Microsoft’s response to the report.
“This technique requires that an attacker has already fully compromised the targeted system. We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”
[adrotate banner=”9″]
(Security Affairs – PatchGuard, GhostHook attack)
[adrotate banner=”13″]
