A Google researcher found an unpatched security vulnerability in Windows 8.1 and posted it on the Google Security Research page, where every report is subject to a 90-day disclosure deadline: if 90 days elapse without a broadly available patch, the bug report automatically becomes visible to the public. Under this policy, Google published the vulnerability details on the web. Microsoft confirmed that it had asked Google to delay disclosure by two days, until its fix shipped, but Google declined the request without a second thought for millions of users. A few days earlier, Google had disclosed another security vulnerability in Windows 8.1; Microsoft released a fix for that bug the next day.
Today, Google has revealed information about a third unpatched vulnerability in Windows, along with a proof of concept. Microsoft has yet to fix this vulnerability. The details from the bug report follow.
Platform: Windows 7, 8.1 Update 32/64 bit
Class: Security Bypass/Information Disclosure
The function CryptProtectMemory allows an application to encrypt memory for one of three scenarios: process, logon session, and computer. When using the logon session option (CRYPTPROTECTMEMORY_SAME_LOGON flag) the encryption key is generated based on the logon session identifier; this is for sharing memory between processes running within the same logon. As this might also be used for sending data from one process to another, it supports extracting the logon session id from the impersonation token.
The issue is the implementation in CNG.sys doesn’t check the impersonation level of the token when capturing the logon session id (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session. This might be an issue if there’s a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section.
This behaviour of course might be by design; however, not having been party to the design, it’s hard to tell. The documentation states that the user must impersonate the client, which I read to mean it should be able to act on behalf of the client rather than identify as the client.
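The three scopes the report describes, shown as an added example that is not code from the Project Zero report or from this article. It P/Invokes CryptProtectMemory and CryptUnprotectMemory in crypt32.dll from Windows PowerShell, encrypts a constructed sample secret once with CRYPTPROTECTMEMORY_SAME_PROCESS and once with CRYPTPROTECTMEMORY_SAME_LOGON, then launches a second powershell.exe (same logon session, different process) to show that only the SAME_LOGON blob is decryptable there. The script re-invokes itself with a hypothetical `-Blob` parameter for the child mode; the flag values and block size are those from wincrypt.h. It also prints the impersonation level of the token each process runs under, which is the property CNG.sys does not check according to the report.

```powershell
param(
    # Child mode (assumption of this example): decrypt a base64 blob passed by the parent.
    [string]$Blob
)

# P/Invoke declarations for the two crypt32 entry points discussed in the report.
Add-Type -Namespace Win32 -Name Crypt -MemberDefinition @'
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CryptProtectMemory(byte[] pData, uint cbData, uint dwFlags);
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CryptUnprotectMemory(byte[] pData, uint cbData, uint dwFlags);
'@

# Flag values and block size from wincrypt.h.
$CRYPTPROTECTMEMORY_SAME_PROCESS  = 0x0   # key bound to this process
$CRYPTPROTECTMEMORY_CROSS_PROCESS = 0x1   # key bound to this machine (any process)
$CRYPTPROTECTMEMORY_SAME_LOGON    = 0x2   # key derived from the caller's logon session id
$CRYPTPROTECTMEMORY_BLOCK_SIZE    = 16

function Protect-Buffer {
    param([byte[]]$Plain, [uint32]$Flags)
    # The API encrypts in place and requires a multiple of the block size, so
    # copy the plaintext into a zero-padded buffer before calling it.
    $len = [math]::Ceiling($Plain.Length / $CRYPTPROTECTMEMORY_BLOCK_SIZE) * $CRYPTPROTECTMEMORY_BLOCK_SIZE
    $buf = New-Object byte[] $len
    [Array]::Copy($Plain, $buf, $Plain.Length)
    if (-not [Win32.Crypt]::CryptProtectMemory($buf, $buf.Length, $Flags)) {
        throw "CryptProtectMemory failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $buf
}

function Unprotect-Buffer {
    param([byte[]]$Cipher, [uint32]$Flags)
    $buf = [byte[]]$Cipher.Clone()   # decrypt a copy, the original stays encrypted
    if (-not [Win32.Crypt]::CryptUnprotectMemory($buf, $buf.Length, $Flags)) {
        throw "CryptUnprotectMemory failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $buf
}

function Describe-Caller {
    # A primary (non-impersonating) token reports ImpersonationLevel 'None'. The report's
    # point is that CNG.sys takes the logon session id from whatever token is in effect,
    # even one at the Identification level, which is why this value matters.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    "PID $PID user=$($id.Name) impersonation=$($id.ImpersonationLevel) logonid=$(whoami /logonid)"
}

if ($Blob) {
    # Child process: different PID, same logon session, so the SAME_LOGON key matches.
    "child: " + (Describe-Caller)
    $plain = Unprotect-Buffer -Cipher ([Convert]::FromBase64String($Blob)) -Flags $CRYPTPROTECTMEMORY_SAME_LOGON
    "child decrypted SAME_LOGON blob: " + [Text.Encoding]::UTF8.GetString($plain).TrimEnd([char]0)
    exit
}

"parent: " + (Describe-Caller)
$secret = [Text.Encoding]::UTF8.GetBytes("constructed sample secret")   # constructed input

# 1. Per-process key: decryptable only inside this process.
$perProcess = Protect-Buffer -Plain $secret -Flags $CRYPTPROTECTMEMORY_SAME_PROCESS
$roundTrip  = Unprotect-Buffer -Cipher $perProcess -Flags $CRYPTPROTECTMEMORY_SAME_PROCESS
"parent SAME_PROCESS round trip: " + [Text.Encoding]::UTF8.GetString($roundTrip).TrimEnd([char]0)

# 2. Per-logon-session key: any process whose token carries the same logon session id
#    can decrypt, so hand the blob to a fresh powershell.exe running as the same user.
$perLogon = Protect-Buffer -Plain $secret -Flags $CRYPTPROTECTMEMORY_SAME_LOGON
& powershell.exe -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath -Blob ([Convert]::ToBase64String($perLogon))
```

Run the script from Windows PowerShell on the affected platforms; the child prints the same logon id as the parent and recovers the plaintext, while a SAME_PROCESS blob would not survive the process boundary. The caveat the report raises is that the logon session id is read from the thread's current token without regard to its impersonation level, so on an unpatched system SAME_LOGON is not a boundary against a local user who can obtain even an Identification-level token for that session; code that stores SAME_LOGON-encrypted data where other users can read it should not treat the flag as an access control.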
Microsoft has already expressed its displeasure with Google’s policy of revealing vulnerability details to the general public before a patch is ready, and Google is not willing to listen. To teach Google a lesson, I guess Microsoft should release a few proof-of-concept exploits for Android WebView, which would affect billions of users.