A Google researcher has disclosed an unpatched vulnerability in Windows 8.1 after Microsoft didn’t fix the problem within a 90-day window Google gave its competitor.The disclosure of the bug on Google’s security research website early this week stirred up a debate about whether outing the vulnerability was appropriate.
The bug allows low-level Windows users to become administrators in some cases, but some posters on the Google site said the company should have kept its mouth shut. Google said it was unclear if versions of the Windows OS earlier than 8.1 were affected by the bug.
The vulnerability resides in the function AhcVerifyAdminContext, an internal function and not a public API which actually checks whether the user is an administrator.
“This function has a vulnerability where it doesn’t correctly check the impersonation token of the caller to determine if the user is an administrator,” Forshaw wrote in the mailing list. “It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID.”
“It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways.”
Forshaw tested the PoC on Windows 8.1 update, both 32 bit and 64 bit versions, and he recommended users to run the PoC on 32 bit. To verify perform the following steps:
- Put the AppCompatCache.exe and Testdll.dll on disk
- Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).
- Execute AppCompatCache from the command prompt with the command line “AppCompatCache.exe c:windowssystem32ComputerDefaults.exe testdll.dll”.
- If successful then the calculator should appear running as an administrator. If it doesn’t work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run.
Google’s 90-day deadline for fixing bug is “the result of many years of careful consideration and industry-wide discussions about vulnerability remediation,” the company said. “Security researchers have been using roughly the same disclosure principles for the past 13 years … and we think that our disclosure principles need to evolve with the changing infosec ecosystem. In other words, as threats change, so should our disclosure policy.”
Google will monitor the effects of its policy closely, the company added. “We want our decisions here to be data driven, and we’re constantly seeking improvements that will benefit user security,”
