A newly discovered attack against Windows 10's PatchGuard can bypass the protection and let an attacker hook kernel code, the building block of a rootkit, CyberArk Labs security researchers warn.
Also known as Kernel Patch Protection, PatchGuard was designed to stop rootkits and other malicious code from patching the kernel (for example, hooking the System Service Descriptor Table, or SSDT) on 64-bit versions of Windows. Dubbed GhostHook, the newly discovered method can bypass the protection entirely, provided the attacker has already gained kernel-level code execution on the system.
“The GhostHook technique we discovered can provide malicious actors or information security products with the ability to hook almost any piece of code running on the machine,” CyberArk’s Kasif Dekel explains.
The technique is neither a privilege escalation nor an exploitation technique; it is intended solely for post-exploitation scenarios in which the attacker already controls the asset, the researcher says. What it does offer is stealthy persistence for rootkits on compromised systems.
Weaknesses in Microsoft’s implementation of Intel Processor Trace (Intel PT), specifically at the level where Intel PT communicates to Windows, make the attack possible, Dekel says.
Intel PT “provides low overhead hardware that executes tracing on each hardware thread using dedicated hardware” and can be used for various legitimate purposes, including performance monitoring, diagnostic code coverage, debugging, fuzzing, and more. However, it can also be abused for PatchGuard bypass.
The attacker allocates "an extremely small buffer for the CPU's PT packets." Because the buffer fills almost immediately, the CPU raises a performance monitoring interrupt (PMI) and transfers control to the PMI handler, which the attacker has registered and which performs the "hook" on the interrupted thread. Since the trace buffer is refilled on each pass, the handler runs again and again, giving the attacker ongoing control over how the operating system behaves without modifying any kernel code.
The technique is very difficult to detect because it uses hardware to take over a thread’s execution and because kernel code/critical kernel structures aren’t being patched, Dekel says.
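To make the mechanism concrete, here is an added user-mode model written for this page; it is not CyberArk's GhostHook code and not an Intel PT driver. It imitates a trace output region that raises a PMI when it fills, and an attacker-installed PMI handler that redirects the interrupted thread whenever its instruction pointer equals the hooked address. The packet format (one byte per executed instruction), the `0xDEADBEEF` hook address, the hooked address `0x2000`, and the instruction stream are all constructed for illustration; real Intel PT emits packets only at specific events such as indirect branches, so "one packet per instruction" is a simplification. The point the model shows is the one in the text: the smaller the buffer, the more often the PMI fires, and the finer the granularity at which the handler can intercept execution.

```c
/* Added example (not CyberArk's GhostHook, not real Intel PT programming):
 * a user-mode model of a trace buffer that raises a PMI when it fills and a
 * PMI handler that hooks execution by inspecting the interrupted RIP. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_REGION 4096

typedef struct {
    uint64_t rip;                     /* instruction pointer at PMI time */
} cpu_state_t;

typedef struct {
    uint8_t  buf[MAX_REGION];
    size_t   region_size;             /* bytes before the region is "full" */
    size_t   used;
    void   (*pmi_handler)(cpu_state_t *, void *);  /* attacker-installed */
    void    *ctx;
    unsigned pmi_count;
} pt_model_t;

/* Emit one trace packet (constructed: one byte per instruction).  When the
 * region fills, the hardware would raise a PMI; we call the handler instead. */
static void pt_trace(pt_model_t *pt, cpu_state_t *st, uint8_t pkt)
{
    pt->buf[pt->used++] = pkt;
    if (pt->used >= pt->region_size) {
        pt->used = 0;                 /* region wraps: interrupt fires */
        pt->pmi_count++;
        if (pt->pmi_handler)
            pt->pmi_handler(st, pt->ctx);
    }
}

typedef struct {
    uint64_t target;                  /* address being hooked (assumed) */
    uint64_t hook;                    /* where execution is redirected */
    unsigned hits;
} ghost_hook_t;

/* The "hook": no kernel code or structure is patched; the thread is simply
 * redirected when the PMI catches it at the target address. */
static void hook_pmi_handler(cpu_state_t *st, void *ctx)
{
    ghost_hook_t *h = ctx;
    if (st->rip == h->target) {
        st->rip = h->hook;
        h->hits++;
    }
}

/* Constructed instruction stream; the hooked address 0x2000 appears twice. */
static const uint64_t kStream[8] = {
    0x1000, 0x1008, 0x2000, 0x1010, 0x1018, 0x2000, 0x1020, 0x1028
};
static const uint64_t kTarget = 0x2000;

static void run_model(size_t region_size, unsigned *hits, unsigned *pmis)
{
    pt_model_t pt;
    memset(&pt, 0, sizeof pt);
    pt.region_size = region_size > MAX_REGION ? MAX_REGION : region_size;
    ghost_hook_t h = { .target = kTarget, .hook = 0xDEADBEEF, .hits = 0 };
    pt.pmi_handler = hook_pmi_handler;
    pt.ctx = &h;
    for (size_t i = 0; i < sizeof kStream / sizeof kStream[0]; i++) {
        cpu_state_t st = { .rip = kStream[i] };
        pt_trace(&pt, &st, (uint8_t)(kStream[i] & 0xff));
    }
    *hits = h.hits;
    *pmis = pt.pmi_count;
}

/* Number of times the hook intercepted the target for a given region size. */
unsigned hook_hits_with_region(size_t region_size)
{
    unsigned hits, pmis;
    run_model(region_size, &hits, &pmis);
    return hits;
}

/* Number of PMIs raised while tracing the stream for a given region size. */
unsigned pmi_count_with_region(size_t region_size)
{
    unsigned hits, pmis;
    run_model(region_size, &hits, &pmis);
    return pmis;
}

int main(void)
{
    /* A one-packet region interrupts on every instruction, so both visits to
     * the target are caught; a four-packet region only interrupts every fourth
     * instruction and misses both. */
    printf("region=1: pmis=%u hits=%u\n", pmi_count_with_region(1), hook_hits_with_region(1));
    printf("region=4: pmis=%u hits=%u\n", pmi_count_with_region(4), hook_hits_with_region(4));
    return 0;
}
```

The model deliberately leaves out everything that makes the real technique work (MSR programming of the trace, ToPA tables, the PMI vector in the kernel's interrupt handling) and keeps only the control-flow idea, which is why the hook is invisible to integrity checks that compare kernel code and structures against known-good copies: nothing in the "kernel" is modified.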
Microsoft, however, does not consider the issue critical and will not release a security update for it. The researcher counters "that PatchGuard is a kernel component that should not be bypassed," noting that PatchGuard's purpose is precisely to block techniques such as SSDT hooking, not to prevent kernel-mode code execution as such, so an attacker who already runs kernel code is exactly the adversary it is meant to constrain.
"The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system. As such, this doesn't meet the bar for servicing in a security update; however, it may be addressed in a future version of Windows. As such I've closed this case," a Microsoft engineer reportedly told the researcher.
Related: App Paths Used to Bypass User Account Control in Windows 10
Related: Windows 10 Option to Block Installation of Win32 Apps
Related: SHIFT+F10 During Windows 10 Updates Can Bypass BitLocker

More from Ionut Arghire