Attackers exploit Windows flaw for executing arbitrary code via false files

July 25, 2024


TLDR:

  • A new Windows 11 Kernel vulnerability called “File Immutability” allows attackers to execute arbitrary code with Kernel privileges.
  • The vulnerability stems from incorrect assumptions in the design of a core Windows feature, leading to security vulnerabilities and undefined behavior.

A new vulnerability class has been detected in the Windows 11 Kernel that could allow a threat actor to execute arbitrary code with Kernel privileges. This vulnerability, named “File Immutability,” exists due to incorrect assumptions in the design of a core Windows feature. These assumptions can result in undefined behavior and security vulnerabilities. The components and concepts associated with this “File Immutability” vulnerability are as follows:

  • Windows file sharing – full set of access rights
  • Memory Manager – treats PE-relocated pages as unmodified, dynamically reapplying relocations during page faults
  • Sharing enforcement – the responsibility of the filesystem driver to call IoCheckShareAccess or IoCheckLinkShareAccess to see whether the requested DesiredAccess/ShareMode tuple is compatible
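The sharing-enforcement item above names the check but not its rule, so here is a small model of it. This is an added example written for this summary, not Elastic's or Microsoft's code: the access-right and share-mode constants are the documented Windows values, the `ShareAccess` record mirrors the fields the I/O manager keeps per file (OpenCount, Readers, Writers, Deleters, SharedRead, SharedWrite, SharedDelete), and the function names and the scenario in `demo()` are constructed for illustration.

```python
from dataclasses import dataclass

# Access rights that take part in sharing checks (documented ACCESS_MASK bits).
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_APPEND_DATA = 0x0004
FILE_EXECUTE = 0x0020
FILE_READ_ATTRIBUTES = 0x0080
DELETE = 0x00010000

# Share modes: what an opener permits *other* opens of the same file to do.
FILE_SHARE_READ = 0x1
FILE_SHARE_WRITE = 0x2
FILE_SHARE_DELETE = 0x4

READ_LIKE = FILE_READ_DATA | FILE_EXECUTE
WRITE_LIKE = FILE_WRITE_DATA | FILE_APPEND_DATA
DELETE_LIKE = DELETE


@dataclass
class ShareAccess:
    """Per-file sharing state, modelled on the kernel's SHARE_ACCESS structure."""
    open_count: int = 0
    readers: int = 0
    writers: int = 0
    deleters: int = 0
    shared_read: int = 0
    shared_write: int = 0
    shared_delete: int = 0


def check_share_access(state, desired_access, share_mode):
    """
    Decide whether a new (DesiredAccess, ShareMode) open is compatible with the
    opens already recorded. Follows the documented rule behind IoCheckShareAccess:
      - an open requesting none of read/execute, write/append or delete
        (e.g. attribute-only) is not subject to sharing at all;
      - each access the new open requests must have been shared by every
        existing open (shared counters must equal open_count);
      - each access some existing open holds must be shared by the new open.
    Returns True when compatible, False where the kernel would report
    STATUS_SHARING_VIOLATION.
    """
    wants_read = bool(desired_access & READ_LIKE)
    wants_write = bool(desired_access & WRITE_LIKE)
    wants_delete = bool(desired_access & DELETE_LIKE)
    if not (wants_read or wants_write or wants_delete):
        return True

    shares_read = bool(share_mode & FILE_SHARE_READ)
    shares_write = bool(share_mode & FILE_SHARE_WRITE)
    shares_delete = bool(share_mode & FILE_SHARE_DELETE)
    n = state.open_count

    # Did every existing opener share what this open asks for?
    if wants_read and state.shared_read < n:
        return False
    if wants_write and state.shared_write < n:
        return False
    if wants_delete and state.shared_delete < n:
        return False
    # Does this open share what existing openers already hold?
    if not shares_read and state.readers > 0:
        return False
    if not shares_write and state.writers > 0:
        return False
    if not shares_delete and state.deleters > 0:
        return False
    return True


def update_share_access(state, desired_access, share_mode):
    """Record a successful open, as IoUpdateShareAccess does after a passing check."""
    if not (desired_access & (READ_LIKE | WRITE_LIKE | DELETE_LIKE)):
        return  # attribute-only opens are not counted
    state.open_count += 1
    state.readers += 1 if desired_access & READ_LIKE else 0
    state.writers += 1 if desired_access & WRITE_LIKE else 0
    state.deleters += 1 if desired_access & DELETE_LIKE else 0
    state.shared_read += 1 if share_mode & FILE_SHARE_READ else 0
    state.shared_write += 1 if share_mode & FILE_SHARE_WRITE else 0
    state.shared_delete += 1 if share_mode & FILE_SHARE_DELETE else 0


def open_file(state, desired_access, share_mode):
    """Check, then record. Returns True on success, False on a sharing violation."""
    if not check_share_access(state, desired_access, share_mode):
        return False
    update_share_access(state, desired_access, share_mode)
    return True


def demo():
    """
    Constructed scenario: a loader maps a DLL for read/execute with
    FILE_SHARE_READ only. A later open for write is refused (the guarantee a
    local filesystem gives), while another read-only open still succeeds.
    """
    state = ShareAccess()
    loader_ok = open_file(state, FILE_READ_DATA | FILE_EXECUTE, FILE_SHARE_READ)
    writer_ok = open_file(state, FILE_WRITE_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE)
    reader_ok = open_file(state, FILE_READ_DATA, FILE_SHARE_READ)
    return loader_ok, writer_ok, reader_ok


if __name__ == "__main__":
    print(demo())
```

The model shows why the "writer is refused" outcome depends entirely on the driver that owns the sharing state: the counters live with the file on whichever system serves it, so a check performed by a client-side redirector constrains only opens that pass through that redirector, which is the gap behind the server-side modification the article goes on to describe.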

An attacker can abuse this false file immutability by using a network redirector to modify a PPL’s DLL server-side and bypass sharing restrictions. In this case, the PEs backing an executable image are incorrectly assumed to be immutable, which is why this class of vulnerability is called “False File Immutability.” The vulnerability was also presented at Black Hat Asia 2023, where a Windows Kernel vulnerability was disclosed showing how bad assumptions in paging can be exploited to inject code into PPL, defeating security features like LSA and Anti-Malware Process Protection. The attack relied on False File Immutability assumptions about DLLs loaded by PPLs in the presented scenario.

Published by Elastic Security, the vulnerability report shows how Authenticode signatures embedded within PE files, combined with a false assumption about file immutability, can be exploited by attackers to achieve arbitrary code execution in the kernel. The report also highlights a double-read vulnerability and an exploit that attackers can use to manipulate victim code.

Key takeaways:

  • The “File Immutability” vulnerability in Windows 11 Kernel allows attackers to execute arbitrary code.
  • Incorrect assumptions in Windows design can lead to security vulnerabilities and undefined behavior.
  • Attackers can exploit false file immutability to bypass sharing restrictions and inject code into the Kernel.

