Microsoft finds published exploit of Vista privilege elevation hole

By Scott M. Fulton, III, BetaNews

October 13, 2008, 11:25 AM

A less-than-critical Vista hole could become more critical, as Microsoft's security team says it's aware of a published exploit that could enable an ordinary process to pass itself off as a system process with unrestricted access.

Last April, Microsoft admitted to a serious, though perhaps not critical, security hole in all modern versions of Windows including XP and Vista. But a notice posted last Thursday to the company's Security Response Center blog, warning of a published exploit using that same technique, is an indication that the hole has gone unplugged all this time.

Tomorrow being "Patch Tuesday," Microsoft has advised admins to prepare for four "critical" and six "important" patches, and among that latter group are three related to elevation of privilege in Windows. That's all the general public is allowed to know for now, as Microsoft is now limiting the degree of information it shares prior to Patch Tuesday in an effort to thwart "zero-day" exploits. One of those patches could pertain to this particular exploit.

Microsoft made its original acknowledgement last spring after an independent researcher named Cesar Cerrudo gave a presentation in Dubai (PDF available here). There, Cerrudo demonstrated how a process Windows can obtain service-level privileges just by making any old API call that communicates with a service. In Windows, a service is a continually running program that provides functions to the operating system; there are typically dozens of services running in Windows at any one time. A technique with the unfortunate name of impersonation is legitimately used for that process to have the appearance of being qualified to communicate with that service.

Cerrudo showed how, in Windows XP, if the process can impersonate a service in order to talk with a service, it can trick the impersonation technique into giving it system-level privileges instead, which are the same as being completely unrestricted. He then demonstrated how Windows Vista implemented firewall techniques to prevent this from happening. Those prevention measures are largely successful, except in the case of so-called thread pool processes. For multithreaded applications, a single thread pool can be established for the legitimate purpose of performing certain functions on behalf of multiple threads, thus helping to make code tighter and more manageable. Vista's service-impersonation protection, Cerrudo showed, did not extend to thread pools.

The Microsoft security team's Bill Fisk said in a blog post Thursday he is unaware of any active attacks using the published exploit, adding, "Our investigation has shown that it does not affect customers who have applied the workarounds listed in the Advisory." Those workarounds for admins involve IIS 6.0 and IIS 7.0, and include setting up provisions for so-called worker process identities, which would conceivably prevent a remote process from being able to pass itself off as a local process, in order to start impersonating a service or system-level process later.