https://www.bleepingcomputer.com/news/security/new-windows-driver-signature-bypass-allows-kernel-rootkit-installs/

New Windows Driver Signature bypass allows kernel rootkit installs

By Bill Toulas, October 26, 2024, 08:28 AM

Attackers can downgrade Windows kernel components to bypass security features such as Driver Signature Enforcement and deploy rootkits on fully patched systems.

This is possible by taking control of the Windows Update process to introduce outdated, vulnerable software components on an up-to-date machine without the operating system changing its fully patched status.
Downgrading Windows

SafeBreach security researcher Alon Leviev reported the update takeover issue, but Microsoft dismissed it, saying that it did not cross a defined security boundary, although it was possible by gaining kernel code execution as an administrator.

Leviev demonstrated at the BlackHat and DEFCON security conferences this year that the attack was feasible, but the problem remains unfixed, leaving the door open for downgrade/version-rollback attacks.

The researcher published a tool called Windows Downdate, which allows creating custom downgrades and exposing a seemingly fully updated target system to already fixed vulnerabilities via outdated components, such as DLLs, drivers, and the NT kernel.

"I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term "fully patched" meaningless on any Windows machine in the world" - Alon Leviev

Despite kernel security improving significantly over the years, Leviev managed to bypass the Driver Signature Enforcement (DSE) feature, showing how an attacker could load unsigned kernel drivers to deploy rootkit malware that disables security controls and hides activity that could otherwise lead to detection of the compromise.

"In recent years, significant enhancements have been implemented to strengthen the security of the kernel, even under the assumption that it could be compromised with Administrator privileges," Leviev says.

While the new protections make it more difficult to compromise the kernel, "the ability to downgrade components that reside in the kernel makes things much simpler for attackers," the researcher explains.

Leviev named his exploitation method the "ItsNotASecurityBoundary" DSE bypass, as it is part of the false file immutability flaws, a new vulnerability class in Windows described in research from Gabriel Landau of Elastic as a way to achieve arbitrary code execution with kernel privileges.
Following Landau's report, Microsoft patched the ItsNotASecurityBoundary admin-to-kernel privilege escalation. However, this does not protect against a downgrade attack.

Targeting the kernel

In new research published today, Leviev shows how an attacker could exploit the Windows Update process to bypass DSE protections by downgrading a patched component, even on fully updated Windows 11 systems.

The attack is possible by replacing 'ci.dll,' the file responsible for enforcing DSE, with an unpatched version that ignores driver signatures, which essentially sidesteps Windows' protective checks.

This replacement is triggered by Windows Update, exploiting a double-read condition where the vulnerable ci.dll copy is loaded into memory right after Windows starts checking the latest copy of ci.dll.

[Figure: Loading the old DLL while Windows verifies the latest version. Source: SafeBreach]

This "race window" allows the vulnerable ci.dll to load while Windows thinks it has verified the file, hence allowing unsigned drivers to be loaded into the kernel.

In the video below, the researcher demonstrates how he reverted the DSE patch via a downgrade attack and then exploited the component on a fully patched Windows 11 23H2 machine.

Leviev also describes methods to disable or bypass Microsoft's Virtualization-based Security (VBS), which creates an isolated environment for Windows to protect essential resources and security assets like the secure kernel code integrity mechanism (skci.dll) and authenticated user credentials.

VBS typically relies on protections like UEFI locks and registry configurations to prevent unauthorized changes, but it can be disabled if not configured with maximum security (the "Mandatory" flag) by performing targeted registry key modification.
When partially enabled, key VBS files such as 'SecureKernel.exe' can be replaced with corrupt versions that disrupt VBS's operation and open the way for the "ItsNotASecurityBoundary" bypass and the replacement of 'ci.dll'.

[Figure: Ignoring the VBS configuration during boot. Source: SafeBreach]

Leviev's work shows that downgrade attacks are still possible via several pathways, even if they sometimes carry strong privilege prerequisites.

The researcher highlights the need for endpoint security tools to closely monitor downgrade procedures, even those that do not cross critical security boundaries.

Related Articles:
Windows Downdate tool lets you 'unpatch' Windows systems
Windows Update downgrade attack "unpatches" fully-updated systems
Amazon seizes domains used in rogue Remote Desktop campaign to steal data
Exploit released for new Windows Server "WinReg" NTLM Relay attack
VMware fixes bad patch for critical vCenter Server RCE flaw

Tags: Downgrade Attack, Elevation of Privileges, Privilege Escalation, Rootkit, Security Bypass, Windows

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
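The two defensive points the article makes, that VBS is only robust when it runs with the "Mandatory" flag and a UEFI lock, and that endpoint tooling should watch for kernel components being rolled back to older builds, can both be turned into a read-only audit. The following PowerShell script is an added example written for this page; it is not code from the article, from SafeBreach, or from the Windows Downdate tool. It assumes Windows 10/11, an elevated session, that the DeviceGuard registry value names follow Microsoft's documentation, and that the component list, the baseline file path and the version-comparison heuristic are this example's own choices.

```powershell
# Added example (not from the article or SafeBreach). Read-only audit that:
#  1. reports how VBS is configured, including the "Mandatory" flag and UEFI lock, and
#  2. records a post-patch baseline of kernel code-integrity components so a later run
#     can flag a component that was rolled back to an older, still-signed build.
# Assumptions: Windows 10/11, run elevated; DeviceGuard value names per Microsoft docs;
# file set, baseline path and comparison heuristic are choices made for this example.

$ErrorActionPreference = 'Stop'

# Kernel CI components named in the article, at their standard System32 locations.
$KernelCiComponents = @(
    "$env:SystemRoot\System32\ci.dll",
    "$env:SystemRoot\System32\securekernel.exe",
    "$env:SystemRoot\System32\skci.dll"
)

function Get-VbsConfiguration {
    # Win32_DeviceGuard exposes the running VBS state; the registry holds the requested policy.
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus         = $dg.VirtualizationBasedSecurityStatus  # 0 = off, 1 = enabled, 2 = running
        ServicesRunning   = $dg.SecurityServicesRunning             # e.g. 1 = Credential Guard, 2 = HVCI
        EnabledInRegistry = $reg.EnableVirtualizationBasedSecurity
        Mandatory         = $reg.Mandatory   # 1 = boot fails if VBS cannot start (the "Mandatory" flag)
        UefiLocked        = $reg.Locked      # 1 = configuration is locked in UEFI variables
    }
}

function Test-VbsHardened {
    param([Parameter(Mandatory)] $Config)
    # The article's point: VBS that is enabled but neither locked nor mandatory can be
    # switched off by editing the registry and rebooting, so treat that as a finding.
    return ($Config.VbsStatus -eq 2) -and ($Config.Mandatory -eq 1) -and ($Config.UefiLocked -eq 1)
}

function Get-KernelCiBaseline {
    # Record the file version of each component. Run this right after patching.
    $baseline = @{}
    foreach ($path in $KernelCiComponents) {
        if (Test-Path $path) {
            $baseline[$path] = (Get-Item $path).VersionInfo.FileVersionRaw.ToString()
        }
    }
    return $baseline
}

function Compare-KernelCiBaseline {
    param([Parameter(Mandatory)] [hashtable] $Baseline)
    # A component whose version dropped below the recorded baseline, or whose Authenticode
    # signature no longer validates, is a downgrade/tamper indicator worth an alert.
    # A legitimate update only ever raises the version, so it does not trigger this check.
    $findings = @()
    foreach ($path in $Baseline.Keys) {
        if (-not (Test-Path $path)) { $findings += "$path is missing"; continue }
        $current  = (Get-Item $path).VersionInfo.FileVersionRaw
        $expected = [version] $Baseline[$path]
        if ($current -lt $expected) {
            $findings += "$path downgraded: $current is older than baseline $expected"
        }
        # Note: catalog-signed files can report NotSigned here; treat that as a review item.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "$path signature status is $($sig.Status)"
        }
    }
    return $findings
}

# Usage: record once after patching, then compare on a schedule (e.g. a scheduled task).
$baselinePath = Join-Path $env:ProgramData 'kernel-ci-baseline.json'   # example path
if (-not (Test-Path $baselinePath)) {
    Get-KernelCiBaseline | ConvertTo-Json | Set-Content -Path $baselinePath
    Write-Host "Baseline written to $baselinePath"
} else {
    $stored = @{}
    (Get-Content $baselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $stored[$_.Name] = $_.Value }
    $findings = Compare-KernelCiBaseline -Baseline $stored
    if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
    else { Write-Host 'Kernel CI components match the recorded baseline' }
}

$vbs = Get-VbsConfiguration
$vbs | Format-List
if (-not (Test-VbsHardened -Config $vbs)) {
    Write-Warning 'VBS is not running with Mandatory + UEFI lock; a registry change and reboot can disable it'
}
```

The baseline approach avoids the false positives you would get from comparing a component's version against the OS build number directly, since ci.dll and SecureKernel.exe are only re-versioned by the updates that actually change them. Refresh the baseline as part of the patch process so that a genuine update is never mistaken for tampering, and forward the warnings to whatever EDR or SIEM pipeline already collects host telemetry.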