On the evening of May 29 (2022), I made the necessary notifications to the "Microsoft Security Center" [ VULN-068278]. However, according to the reply received by e-mail on June 10, "We determined that an immediate fix will not be released for the reported behavior. It was recommended to hardened because the relevant vulnerability requires Administrator authority. We have closed this case" . For this reason, I wanted to warn users by posting this vulnerability or weakness in my account on Github.
If any executable file is added to ("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options") the regedit path and a debugger flag is set, another program can be run before that program is run. If the program that is run first does not invoke the relevant program in any way, it can replace the relevant program. This can prevent various important programs from running. This is valid for important processes of Windows.
For example, if you want to block Smartscreen
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v Debugger /d "cmd.exe /C >null: 2>null:"
For example, if you want to block Security Center (Windows Defender and other tools)
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securityhealthhost.exe" /v Debugger /d "cmd.exe /C >null: 2>null:"
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secHealthUI.exe" /v Debugger /d "cmd.exe /C >null: 2>null:"
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\werFault.exe" /v Debugger /d "cmd.exe /C >null: 2>null:"
- The purposes of using this vulnerability can basically be listed as follows.
- 1) It can provide persistence for malware software.
- 2) Although it is different in function and structure, similar attacks that can be made by interfering with the system call table can also be made using this vulnerability.
- 3) Security measures such as Smartscreen, Windows Defender, etc. that come integrated with Windows can be blocked. For example, although Windows Defender cannot be blocked directly, Windows Defender is prevented from running by preventing the components necessary for it to work. In the example, Windows Security Center has been prevented from working, and related components have become inoperable.
- 4) In particular, third-party virus scanning and security software can be blocked. Also, any other third-party software may be blocked from running.
- 5) Processes used for forensic purposes that are integrated with Windows can be blocked.
- 6) By blocking the components necessary for the operation of Windows, operations such as "sending error reports" and "receiving updates" can be rendered inoperable. For example, by blocking the "calcs" command, access to certain folders and files can be prevented by preventing the user and Windows from accessing the access control list.
A simple video has been posted on Youtube to demonstrate the vulnerability. It can be viewed at the link below.
[Youtube Link] https://www.youtube.com/watch?v=_rQrLeDaFSU
[ScreenShot 1]
[ScreenShot 2]
[ScreenShot 3]
As an example, a script has been written to show how a malware can exploit this vulnerability. The "block.py" script has been added to the files as an example in order to represent what we call the first stage in malware attacks.
It primarily blocks Smartscreen and Windows Security from working. In this way, Windows Defender cannot work. Then it runs the malware
block.py
(Administrator authority)>> block.py malware.exe
In order to evaluate the vulnerability, basic information about malware-type attacks is given.
A) Ideal Malware Attacks
[jpg source: From the training notes, Abdulkadir GÜNGÖR]
B) Types of Malware
[jpg source: From the book "Linux İşletim Sisteminde Malware Analizi", Abdulkadir GÜNGÖR, ISBN:978-625-409-378-4]
C) Final Stage
[jpg source: From the training notes, Abdulkadir GÜNGÖR]
Information and projects published by me on Github are entirely at the user's own risk. I'm not responsible in any way for any kind of damage that is done to your computer / os / program as cause of this project. Make sure to use virtual systems as a test environment!
Run your tests on virtual machines. The responsibility for illegal use belongs to the user. Shared for educational purposes.