Hardening Windows 10 with zero-day exploit mitigations


Cyberattacks involving zero-day exploits happen from time to time, affecting different platforms and applications. Over the years, Microsoft security teams have been working extremely hard to address these attacks. While delivering innovative solutions like Windows Defender Application Guard, which provides a safe virtualized layer for the Microsoft Edge browser, and Windows Defender Advanced Threat Protection, a cloud-based service that identifies breaches using data from built-in Windows 10 sensors, we are hardening the Windows platform with mitigation techniques that can stop exploits of newly discovered and even undisclosed vulnerabilities. As Terry Myerson reiterated in his blog post, we take our commitment to security innovation very seriously.

A key takeaway from the detonation of zero-day exploits is that each instance represents a valuable opportunity to assess how resilient a platform can be—how mitigation techniques and additional defensive layers can keep cyberattacks at bay while vulnerabilities are being fixed and patches are being deployed. Because it takes time to hunt for vulnerabilities and it is virtually impossible to find all of them, such security enhancements can be critical in preventing attacks based on zero-day exploits.

In this blog post, we look at two recent kernel-level zero-day exploits used by multiple activity groups. These kernel-level exploits, based on the CVE-2016-7255 and CVE-2016-7256 vulnerabilities, both result in elevation of privilege. Microsoft promptly fixed these vulnerabilities in November 2016. However, we are testing the exploits against mitigation techniques delivered in August 2016 with the Windows 10 Anniversary Update, to see how these techniques might fare against future zero-day exploits with similar characteristics.

CVE           | Microsoft Update     | Exploit Type                          | Mitigation in Anniversary Update
CVE-2016-7255 | MS16-135 (Nov, 2016) | Win32k Elevation of Privilege Exploit | Strong validation of tagWND structure
CVE-2016-7256 | MS16-132 (Nov, 2016) | Open Type Font Exploit                | Isolated Font Parsing (AppContainer); Stronger validation in font parsing

CVE-2016-7255 exploit: Win32k elevation of privilege

In October 2016, the STRONTIUM attack group launched a spear-phishing campaign targeting a small number of think tanks and nongovernmental organizations in the United States. The campaign, also discussed in the previously mentioned blog post, involved the use of the exploit for CVE-2016-7255 in tandem with an exploit for the Adobe Flash Player vulnerability CVE-2016-7855.

The attack group used the Flash exploit to take advantage of a use-after-free vulnerability and access targeted computers. They then leveraged the type-confusion vulnerability in win32k.sys (CVE-2016-7255) to gain elevated privileges.

Abusing the tagWND.strName kernel structure

In this section, we’ll go through the internals of the specific exploit for CVE-2016-7255 crafted by the attacker. We will show how mitigation techniques provided customers with preemptive protection from the exploit, even before the release of the specific update fixing the vulnerability.

Figure 1. Exploit and shellcode phases of this attack

Modern exploits often rely on read-write (RW) primitives to achieve code execution or gain additional privileges. For this exploit, attackers acquire RW primitives by corrupting the tagWND.strName kernel structure. This exploit method is a trend discussed at security conferences and familiar to those who have investigated actual attacks. For example, we detailed similar findings in a presentation about the Duqu 2.0 exploit at Virus Bulletin 2015.

By reverse engineering its code, we found that the Win32k exploit used by STRONTIUM in October 2016 reused the exact same method. After triggering the initial Win32k vulnerability, the exploit corrupts the tagWND.strName structure and uses SetWindowTextW to write arbitrary content anywhere in kernel memory.

Figure 2. SetWindowTextW as a write primitive

The exploit abuses this API call to overwrite data of the current process and copy the token privileges of SYSTEM. If successful, the exploit enables the victim process—iexplore.exe, in this example—to execute with elevated privileges.

Figure 3. Internet Explorer with SYSTEM privileges

Mitigating tagWND exploits with stronger validation

To mitigate the Win32k exploit and similar exploits, the Windows Offensive Security Research Team (OSR) introduced techniques in the Windows 10 Anniversary Update that prevent abusive use of tagWND.strName. This mitigation performs additional checks on the base and length fields, making sure that they are in the expected virtual address ranges and cannot be used for RW primitives. In our tests on Anniversary Update, exploits using this method to create an RW primitive in the kernel are ineffective; they instead cause exceptions and subsequent blue screen errors.

Figure 4. Windows 10 Anniversary Update mitigation on a common kernel write primitive
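As an added illustration of the base and length validation described above (not Windows code, and not part of the original post): a small C model in which a tagWND.strName-style counted string is checked against its expected backing range before the SetWindowTextW copy runs. The structure layout, the heap range and the protected object are constructed for the demonstration and are not the real win32k internals.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the tagWND.strName counted string (UNICODE_STRING-style
 * layout). The real win32k structure and checks are not on the page; this is
 * a teaching model, not Windows source. */
typedef struct {
    uint16_t Length;        /* bytes currently in use */
    uint16_t MaximumLength; /* bytes allocated for the buffer */
    uint16_t *Buffer;       /* WCHAR buffer the window text is copied into */
} StrName;

/* Constructed stand-in for the desktop heap where legitimate name buffers live. */
static uint16_t desktop_heap[256];
/* Constructed stand-in for an unrelated kernel object (think: a token pointer)
 * that a write primitive would aim at; it must never be modified. */
static uint64_t protected_object = 0x1122334455667788ULL;

/* The mitigation modelled here: Buffer must lie wholly inside the expected
 * range and the length fields must be self-consistent. The subtraction runs
 * only after Buffer is known to be in range, so the arithmetic cannot wrap. */
bool validate_strname(const StrName *s)
{
    uintptr_t buf = (uintptr_t)s->Buffer;
    uintptr_t lo = (uintptr_t)desktop_heap;
    uintptr_t hi = lo + sizeof desktop_heap;
    if (s->Length > s->MaximumLength) return false;           /* inconsistent lengths */
    if ((s->Length | s->MaximumLength) & 1) return false;     /* WCHAR byte counts are even */
    if (buf < lo || buf > hi) return false;                   /* base outside the heap */
    if ((uintptr_t)s->MaximumLength > hi - buf) return false; /* runs past the heap end */
    return true;
}

/* Model of the kernel side of SetWindowTextW: copy the new name into
 * strName.Buffer. With the mitigation, a strName that fails validation is
 * refused before any byte is written (the real kernel raises an exception and
 * blue-screens, as Figure 4 shows). Returns true only when the copy happened. */
bool set_window_text(StrName *s, const uint16_t *text, uint16_t nbytes)
{
    if (!validate_strname(s)) return false;
    if (nbytes > s->MaximumLength) return false;              /* honour the allocation */
    memcpy(s->Buffer, text, nbytes);
    s->Length = nbytes;
    return true;
}

/* Scenario: a legitimate window name is accepted, while a strName whose Buffer
 * has been repointed at protected_object is rejected and the object survives. */
bool demo_mitigation(void)
{
    static const uint16_t name[] = { 'w', 'i', 'n' };
    StrName good = { 0, 64, desktop_heap };
    StrName corrupted = { 0, 8, (uint16_t *)&protected_object };
    bool accepted = set_window_text(&good, name, sizeof name);
    bool blocked = !set_window_text(&corrupted, name, sizeof name);
    return accepted && blocked && good.Length == sizeof name
        && desktop_heap[0] == 'w' && protected_object == 0x1122334455667788ULL;
}
```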

With the upcoming Windows 10 Creators Update, Windows Defender ATP introduces numerous forms of generic kernel exploit detection for deeper visibility into targeted attacks leveraging zero-day exploits. Technical details about the enhanced sensor will be shared in a forthcoming blog post.

CVE-2016-7256 exploit: Open type font elevation of privilege

As early as June 2016, unidentified actors began to use an implant detected as “Henkray” in low-volume attacks primarily focused on targets in South Korea. Later, in November 2016, these attackers were detected exploiting a flaw in the Windows font library (CVE-2016-7256) to elevate privileges and install the Henkray backdoor on targeted computers with older versions of Windows.

The font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts. This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration.

Figure 5. Auto-generation of font file with exploit

This secondary executable or script tool, which has not been recovered, appears to prepare and drop the font exploit, calculating and preparing the hardcoded offsets needed to exploit the kernel API and the kernel structures on the targeted system. Through deep forensic inspection of the binary data found in samples, we extracted all the hardcoded offsets and ascertained the kernel version targeted by this exploit: Windows 8 64-bit.

Function table corruption for initial code execution

The font exploit uses fa_Callbacks to corrupt the function table and achieve initial code execution. The callback is called from the CFF parsing function. The following snippet shows a corrupted ftell pointer that points to the nt!qsort+0x39 location in kernel code.

Figure 6. fa_Callbacks table corruption

The following snippet shows the code that calls the corrupt function pointer leading to a kernel ROP chain.

Figure 7. fa_Callbacks.ftell function call code

When the corrupted function pointer is called, control jumps to the first ROP gadget at nt!qsort+0x39, which adjusts the stack pointer and initializes some register values from values on the stack.

Figure 8. First ROP gadget

After the first gadget, the stack points to a kernel ROP chain that calls ExAllocatePoolWithTag to reserve memory for the shellcode. Another ROP gadget then copies the first 8 bytes of the stage 1 shellcode to the allocated memory.

Figure 9. Copying the stage 1 shellcode

Shellcode and privilege escalation

The stage 1 shellcode is very small. Its main function is to copy the main body of the shellcode to the newly allocated memory and run it with a JMP RAX control transfer.

Figure 10. Stage 1 shellcode

The main shellcode runs after the copy instructions. The main shellcode—also a small piece of code—performs a well-known token-stealing technique. It then copies the token pointer from a SYSTEM process to the target process, achieving privilege escalation. Both the SYSTEM process and target process PIDs, as well as certain offsets for the kernel APIs needed by the shellcode, are hardcoded in the font sample.

Figure 11. Token replacement technique

Mitigating font exploits with AppContainer

When opening the malicious font sample on Windows 10 Anniversary Update, font parsing happens completely in AppContainer instead of the kernel. AppContainer provides an isolated sandbox that effectively prevents font exploits (among other types of exploits) from gaining escalated privileges. The isolated sandbox considerably reduces font parsing as an attack surface.

Figure 12. AppContainer protects against untrusted fonts in Windows 10 Anniversary Update

Windows 10 Anniversary Update also includes additional validation for font file parsing. In our tests, the specific exploit code for CVE-2016-7256 simply fails these checks and is unable to reach vulnerable code.

Figure 13. Windows 10 font viewer error

Conclusion: Fighting the good fight with exploit mitigation and layered detection

While fixing a single-point vulnerability helps neutralize a specific bug, Microsoft security teams continue to look into opportunities to introduce more and more mitigation techniques. Such mitigation techniques can break exploit methods, providing a medium-term tactical benefit, or close entire classes of vulnerabilities for long-term strategic impact.

In this article, we looked into recent attack campaigns involving two zero-day kernel exploits. We saw how exploit mitigation techniques in Windows 10 Anniversary Update, which was released months before these zero-day attacks, managed to neutralize not only the specific exploits but also their exploit methods. As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future zero-day exploits.

By delivering these mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers. Even the simple tactical mitigation against popular RW primitives forces the exploit authors to spend more time and resources in finding new attack routes. By moving font parsing code to an isolated container, we significantly reduce the likelihood that font bugs are used as vectors for privilege escalation.

In addition to the techniques mentioned in this article, Windows 10 Anniversary Update introduced many other mitigation techniques in core Windows components and the Microsoft Edge browser, helping protect customers from entire classes of exploits for very recent and even undisclosed vulnerabilities.

For effective post-breach detection, including coverage for the multiple stages of the attacks described in this blog post, sign up for Windows Defender ATP. The service leverages built-in sensors to raise alerts for exploits and other attack activity, providing corresponding threat intelligence. Customers interested in the Windows Defender ATP post-breach detection solution can find more information here.

Microsoft would like to thank KrCERT for their collaboration in protecting customers and for providing the sample for CVE-2016-7256.

 

Matt Oh and Elia Florio, Windows Defender ATP Research Team

 

Updates:

Jan 18, 2017 - Corrected the spelling of Henkray backdoor.

Comments (14)

  1. Yoshihiro Kawabata says:

    Great work.
    Are these mitigations working on Windows 10 Home, Pro, or Enterprise?
    I hope to use these and Windows Defender ATP in a small-size office.
    Now Windows Defender ATP licenses can be bought by mid-size and large-size companies.

    1. msft-mmpc says:

      Thanks, Yoshihiro. The mitigations apply to all editions of Windows 10 Anniversary Update, including the Home, Pro, Enterprise, and Education editions.

  2. James says:

    The November 8th patch didn’t fix these zero-days… There are NUMEROUS holes in Windows 10 that are horrendous. First of all, the wifi hotspot “auto connect” is ATROCIOUS. Anyone who lives in a highly populated building in a city like NYC, or in any city for that matter, is vulnerable to attacks because of this RIDICULOUS feature that comes auto-enabled if you choose the express settings during the setup of a brand new laptop with Windows 10 on it. Has anyone noticed the default Windows 10 firewall rules? There are SO many ports open to allow remote access to these machines. There is something called “AllJoyn” that comes pre-enabled to allow remote access in. There is very little about this on Google. There are also many remote assistance ports open as well. This should be OFF by default! So should SMB, TELNET, NetBIOS, and any other remote feature. Bluetooth has also been a nightmare. This comes on by default too, and is constantly advertising itself to other Bluetooth devices. I have experienced devices automatically pairing with my computer without having to put in a PIN!

    While living in a heavily populated area, you are at risk of getting hacked by the 13-year-old down the hall messing with Kali Linux or the pro hacker two floors down. The even worse problem is that BitLocker does nothing to prevent your device from getting hacked. Once you set up the new laptop and you broadcast your beacons to everyone, your MAC addresses are exposed, and if they’re noted in someone’s packet sniffing program like Wireshark, they can target you and impersonate/spoof your MAC address. Then, when you try to update Windows, you can get malicious drivers forced to download to your computer, which will allow a hacker to activate your mic or webcam or both and also install a keylogger and rootkits into the registry.

    Microsoft WAKE UP! STOP MAKING EVERYTHING SO CONVENIENT!!! YOU ARE CONTRIBUTING TO RANSOMWARE ATTACKS BY OVERLOOKING THE MOST BASIC THINGS!!! FIX THE DAMN FIREWALL SETTINGS AND REMOVE THE HOTSPOT 2.0 AUTO CONNECT FEATURE!!!!!!

    1. MC says:

      I’m a victim of these many holes. I’m experiencing the go.Microsoft.com hack and have had my service disrupted several times. Microsoft online support seems to not recognize the core source code described here in the x32 files as seriously as it is.

      I believe my core system has been compromised, definitely any browser but Edge, complete with keyloggers and even potentially self-deleting software.

      NightNovaXXX replied on July 9, 2015
      In reply to PA Bear – MS MVP’s post on June 24, 2011
      Installed ANTI Virus will not Find or even see this type of computer threat. It is Permission violation used to see core structure and use. Self term programs and Key loggers etc from Software Installed as OS…..FB ADMINS use this to DATAMINE in secret rooms. TWO top Anti virus tried once to remove while attacked and they had no idea until MANY files were wiped they installed. My guess.

      https://answers.microsoft.com/en-us/windows/forum/windows_xp-security/what-is-gomicrosoftcomfwlinklinkid-212733/99104b86-227c-4222-a74d-fe1656f89ed2

  3. colab says:

    Why is font parsing in the kernel in the first place?

  4. adwbust says:

    SmartScreen Filter of Vista and IE 9 flags the Skype setup as Unsafe. I think this is why the Skype in-program update fails, as the downloaded setup can’t run. Please fix this FP asap.

    1. adwbust says:

      I don’t know if this was fixed, but I just downloaded the installer from Skype’s site using Firefox. I installed over the old version and the upgrade went fine, I think.

      Btw, Windows Defender on Win10 should update sigs on its own like MSE. Pls fix this.

  5. John Moore says:

    When will we see proxy settings being hardened? Group Policy settings can be overridden via the registry, and this is happening constantly; M$ are in denial.

  6. RMoh says:

    Great. Thanks for this feature. Hope I can use these features and educate my colleagues and users.

  7. Eric O'Malley says:

    Windows Defender needs to undergo a rapid transformation. The reason: it does not detect and remove the very software and tools that cause these problems in the first place, like, for example, software that hijacks your web browser and then installs its own toolbars and icons that you neither asked for nor agreed to.

    My suggestion is as follows: Windows Defender should have a built-in tool that alerts the user to spyware and other nasty software that alters your system, then tells the user what program is at fault and asks if you want to remove it manually or with the Windows Defender removal tools, which also scan your registry and delete all infected keys and the program’s registry key.

    Then it rescans your system to ensure that your other programs, like say “VLC Media Player”, still have the ability to work; if something is missing, it then tells the user that there is a problem and the program needs to be reinstalled for it to work correctly.

    Then it asks the end user “do you want Windows Defender to take control and reinstall the program based on the Windows 10 database setup” for that program to work correctly, or whether you want to try and manually reinstall it yourself. Yes / No / Maybe Later as options.

    The Maybe Later option will block the program from running until it is reinstalled correctly; if the program is not reinstalled after 3 days, Windows Defender will automatically reinstall the program to its default state and alert the user upon next login.

    If yes, then Windows Defender looks for the installation program and uninstalls and reinstalls the program for you based on the Microsoft database for that third-party software, and does the same for all non-working programs minus the software that caused the issue.

    If the program affects Windows 10 itself, it will send you a message saying Windows 10 has detected the named files as either missing, corrupted or broken; it will then ask the user for permission to search for a good copy of the file from the Microsoft Update system and reinstall it, then request that the system be restarted for the change to take effect. The end user will not be asked to reactivate their system, but a message will be sent to the Microsoft team alerting them that Windows 10 had issues and a correction was taken to replace the broken, missing or corrupt file or program that Windows 10 requires to run efficiently with a good copy from the Microsoft Update system accordingly.

    Then Microsoft will trigger a system file integrity check in the background to ensure no other file is corrupted, broken or missing, until everything is registered OK, after which the end user will receive a report outlining the changes and actions taken by Windows Defender.

    But overall, Windows Defender can be much more than it is; in its basic form it’s a wonderful tool.

    As for zero-days, they will always happen until Microsoft designs a detection tool that checks end users’ machines for them.

  8. Jeff Williams says:

    Nice work Matt, Elia! Would be great to see this protection come to other browsers as well.

  9. Randommantus says:

    Interesting and informative article. Thank you.
