Microsoft has probably failed to properly patch a vulnerability with its Windows security updates of August 11, 2020. The updates were intended to fix an LSASS vulnerability. However, Google Project Zero says that the vulnerability is insufficiently patched in Windows 10 version 1909.
Patch for the vulnerability CVE-2020-1509
Windows contained the vulnerability CVE-2020-1509 (Local Security Authority Subsystem Service Elevation of Privilege Vulnerability). The cause is that the Local Security Authority Subsystem Service (LSASS) allowed an elevation of privilege. To exploit it, an authenticated attacker had to send a specially crafted authentication request. A remote attacker who successfully exploited this vulnerability could cause an elevation of privilege in the target system's LSASS service.
Microsoft released security updates for Windows 8.1 through Windows 10, including their server counterparts, on August 11, 2020 (see CVE-2020-1509). The security updates were intended to fix the vulnerability. James Forshaw of the Project Zero team was thanked for discovering and reporting the vulnerability.
Patch probably incomplete
James Forshaw of the Project Zero team writes, on May 5, 2020 (in a message that has probably now become public), that Microsoft's security updates are probably incomplete; see his comment from August 12, 2020.
Seems that it was incorrectly fixed (guess it’s one of those days). As I pointed out in the original report the parsing of the SPN was wildly incorrect, as it hasn’t been fixed as long as the system has a proxy configured you can bypass the fix. https://t.co/IytJ8YKDKi https://t.co/mXlriMS29R
— James Forshaw (@tiraniddo) August 11, 2020
I came across this issue through the above tweet and this post.
Windows: AppContainer Enterprise Authentication Capability Bypass
Platform: Windows 10 1909
Class: Elevation of Privilege
Security Boundary: AppContainer
LSASS doesn’t correctly enforce the Enterprise Authentication Capability which allows any AppContainer to perform network authentication with the user’s credentials.
One of the original legacy AppContainer capabilities grants access to Enterprise Authentication, which basically means access to the SSPI functions. This is listed on https://docs.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations as a Restricted Capability which means that it wouldn’t automatically be approved in the Windows Store and is probably only used in side-loaded Enterprise LOB applications. Without this capability access to SSPI would be blocked.
Proof-of-concept (PoC) code was also included to show how an application can bypass the Enterprise Authentication capability to achieve elevated privileges. The PoC attempts to list the Windows Server Message Block (SMB) shares, and although the operating system should not allow this access, the local shares are still listed. Details can be found here and at ZDNet. Let's see when Microsoft will make improvements.