KeyIso – key to the Microsoft safe deposit box.
In July 2022, Microsoft made changes to its Protected Process Light (PPL) mechanism to address a vulnerability that allowed bypassing the protection of LSASS, the critical process responsible for storing and managing user credentials in Windows.
Despite these protective measures, researchers continue to find ways around the new barriers. One such method is the use of vulnerable libraries, better known as "Bring Your Own Vulnerable DLL" (BYOVDLL), which loads a vulnerable version of a DLL into the LSASS process and thereby brings the patched vulnerability back to life.
An Orange Cyberdefense researcher found a way to bypass Microsoft's security mechanisms and execute arbitrary code in the LSASS process. For the attack, the author focused on the CNG Key Isolation (KeyIso) service.
The author first checked whether a vulnerable version of the keyiso.dll library could be loaded into LSASS. To do this, he changed the service's registry settings and pointed them at the vulnerable version of the library. However, when trying to start the service, he encountered an error about an unsigned file: the system could not find a digital signature for the DLL, which prevented the library from loading.
Looking for a way around this, the author turned to catalog files, which contain cryptographic hashes used to verify the authenticity of files in Windows. The researcher installed the required catalog on the test machine and confirmed that the system now recognized the signature of the vulnerable library. In this way the vulnerable version of keyiso.dll was loaded into the protected LSASS process.
The author then built a complete exploitation chain. To do this, he registered a new key storage provider that used a vulnerable version of the ncryptprov.dll library. After registration, the author confirmed with System Informer that the affected version of the DLL had been loaded into the LSASS process.
In the final part of the study, the author launched an exploit that confirmed code execution inside the protected LSASS process. It emitted a debug message via OutputDebugStringW, which appeared in the debugger, confirming that the attack had succeeded – arbitrary code was executed in the context of a protected process.
Source
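The post names two places an attacker has to touch on disk and in the registry: the KeyIso service DLL path and the CNG provider registration. The following PowerShell audit (an added example written for this post, not code from the original research) walks both and flags a DLL that lives outside System32, fails signature verification, or carries an unexpected file version. It assumes the standard registry layout (ServiceDll under the KeyIso service key, provider images under HKLM\SOFTWARE\Microsoft\Cryptography\Providers\<name>\UM\<interface>) and must run elevated.

```powershell
# Added example (not from the original post): audit the KeyIso ServiceDll and every
# registered CNG provider image, the two load paths the BYOVDLL chain relies on.
# Assumption: on a clean system these DLLs are only ever loaded from %SystemRoot%\System32.
$system32 = Join-Path $env:SystemRoot 'System32'

function Test-LsassDll {
    param([string]$Path, [string]$Origin)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    $finding = [ordered]@{ Origin = $Origin; Path = $expanded; Version = $null; Signature = $null; Issues = @() }
    if (-not (Test-Path -LiteralPath $expanded)) {
        $finding.Issues += 'file missing'
        return [pscustomobject]$finding
    }
    $item = Get-Item -LiteralPath $expanded
    # BYOVDLL works precisely because the old DLL is still Microsoft-signed (possibly
    # via an installed catalog), so a 'Valid' signature alone proves nothing:
    # record the file version too and compare it against the patched build in use.
    $sig = Get-AuthenticodeSignature -LiteralPath $expanded
    $finding.Version   = $item.VersionInfo.FileVersion
    $finding.Signature = $sig.Status
    if ($item.DirectoryName -ne $system32) { $finding.Issues += 'loaded from outside System32' }
    if ($sig.Status -ne 'Valid')          { $finding.Issues += "signature $($sig.Status)" }
    [pscustomobject]$finding
}

$results = @()

# 1. The service DLL that LSASS loads for the KeyIso service.
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\KeyIso\Parameters' -ErrorAction SilentlyContinue
if ($svc.ServiceDll) { $results += Test-LsassDll $svc.ServiceDll 'KeyIso ServiceDll' }

# 2. Every registered CNG provider image (a rogue key storage provider pointing at
#    an old ncryptprov.dll is the second load path described in the post).
$provRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Providers'
foreach ($prov in Get-ChildItem $provRoot -ErrorAction SilentlyContinue) {
    foreach ($iface in Get-ChildItem (Join-Path $prov.PSPath 'UM') -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -LiteralPath $iface.PSPath -ErrorAction SilentlyContinue).Image
        foreach ($p in @($img)) {
            if ($p) { $results += Test-LsassDll $p "CNG provider '$($prov.PSChildName)'" }
        }
    }
}

$results | Format-Table Origin, Path, Version, Signature, @{ n = 'Issues'; e = { $_.Issues -join '; ' } } -AutoSize
```

A catalog freshly added under %SystemRoot%\System32\CatRoot is the other artifact worth baselining, since that is what turned the unsigned-file error into a clean load.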