{"id":15329,"date":"2020-08-12T19:20:15","date_gmt":"2020-08-12T17:20:15","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=15329"},"modified":"2020-08-12T19:20:15","modified_gmt":"2020-08-12T17:20:15","slug":"project-zero-august-2020-lsass-patch-schtzt-windows-10-unzureichend","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/08\/12\/project-zero-august-2020-lsass-patch-schtzt-windows-10-unzureichend\/","title":{"rendered":"Project Zero: August 2020 LSASS patch does not adequately protect Windows 10"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/08\/12\/project-zero-august-2020-lsass-patch-schtzt-windows-10-unzureichend\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Microsoft has probably failed to patch a vulnerability properly with its Windows security updates of August 11, 2020. The updates were meant to fix the LSASS vulnerability. However, Google Project Zero says that the vulnerability is insufficiently patched in Windows 10 version 1909. <\/p>\n<p><!--more--><\/p>\n<h2>The patch for vulnerability CVE-2020-1509<\/h2>\n<p>Windows contained the vulnerability <a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/advisory\/CVE-2020-1509\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-1509<\/a> (Local Security Authority Subsystem Service Elevation of Privilege Vulnerability): the Local Security Authority Subsystem Service (LSASS) allowed an elevation of privilege. To exploit it, an authenticated attacker had to send a specially crafted authentication request. 
A remote attacker who successfully exploited this vulnerability could cause an elevation of privileges in the target system's LSASS service.<\/p>\n<p>Microsoft released security updates for Windows 8.1 through Windows 10, including its server counterparts, on August 11, 2020 (see <a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/advisory\/CVE-2020-1509\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-1509<\/a>). The security updates were intended to fix the vulnerability. James Forshaw of Team Project Zero was thanked for the discovery and reporting of the vulnerability. <\/p>\n<h2>Patch probably incomplete<\/h2>\n<p>James Forshaw from Team Project Zero <a href=\"https:\/\/bugs.chromium.org\/p\/project-zero\/issues\/detail?id=2039\" target=\"_blank\" rel=\"noopener noreferrer\">writes<\/a> on May 5, 2020 (in a bug report that has probably only now become public) that Microsoft's security updates are probably incomplete &#8211; see his comment from August 12, 2020.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Seems that it was incorrectly fixed (guess it's one of those days). As I pointed out in the original report the parsing of the SPN was wildly incorrect, as it hasn't been fixed as long as the system has a proxy configured you can bypass the fix. <a href=\"https:\/\/t.co\/IytJ8YKDKi\">https:\/\/t.co\/IytJ8YKDKi<\/a> <a href=\"https:\/\/t.co\/mXlriMS29R\">https:\/\/t.co\/mXlriMS29R<\/a><\/p>\n<p>\u2014 James Forshaw (@tiraniddo) <a href=\"https:\/\/twitter.com\/tiraniddo\/status\/1293327807439831040?ref_src=twsrc%5Etfw\">August 11, 2020<\/a><\/p><\/blockquote>\n<p>I came across this issue through the above tweet and this post. 
<\/p>\n<blockquote>\n<p>Windows: AppContainer Enterprise Authentication Capability Bypass<br \/>Platform: Windows 10 1909<br \/>Class: Elevation of Privilege<br \/>Security Boundary: AppContainer<br \/>Summary: <br \/>LSASS doesn't correctly enforce the Enterprise Authentication Capability which allows any AppContainer to perform network authentication with the user's credentials.<br \/>Description:<br \/>One of the original legacy AppContainer capabilities grants access to Enterprise Authentication, which basically means access to the SSPI functions. This is listed on <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/uwp\/packaging\/app-capability-declarations\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/docs.microsoft.com\/en-us\/windows\/uwp\/packaging\/app-capability-declarations<\/a> as a Restricted Capability which means that it wouldn't automatically be approved in the Windows Store and is probably only used in side-loaded Enterprise LOB applications. Without this capability access to SSPI would be blocked.<\/p>\n<\/blockquote>\n<p>Proof-of-concept (PoC) code was also included to show how an AppContainer application can bypass the Enterprise Authentication capability and thereby gain elevated privileges. The PoC attempts to enumerate the local Server Message Block (SMB) shares; although the operating system should block this access, the local shares are still listed. Details can be found <a href=\"https:\/\/bugs.chromium.org\/p\/project-zero\/issues\/detail?id=2039\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a> and at <a href=\"https:\/\/www.zdnet.com\/article\/google-to-microsoft-nice-windows-10-patch-but-its-incomplete\/\" target=\"_blank\" rel=\"noopener noreferrer\">ZDNet<\/a>. Let's see when Microsoft will deliver a corrected fix. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft has probably failed to patch a vulnerability properly with its Windows security updates of August 11, 2020. The updates were meant to fix the LSASS vulnerability. 
However, Google Project Zero says that the vulnerability is insufficiently patched in Windows 10 version &hellip; <a href=\"https:\/\/borncity.com\/win\/2020\/08\/12\/project-zero-august-2020-lsass-patch-schtzt-windows-10-unzureichend\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,580,22,2],"tags":[47,69,195,194],"class_list":["post-15329","post","type-post","status-publish","format-standard","hentry","category-issue","category-security","category-update","category-windows","tag-issue","tag-security","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/15329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=15329"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/15329\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=15329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=15329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=15329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}