Google's Project Zero is an elite team of white-hat hackers who find and report vulnerabilities. This time, they reported a zero-day.
Remember when we talked about Google’s Bug Bounty program? Project Zero is not a team of rookies.
Google’s Project Zero team reported the bug as CVE-2020-17087. It was published on Friday and sits inside a Windows driver, where a buffer overflow allows privilege escalation (or crashes the system).
The team said it was being used in combination with another Google Chrome/Chrome OS exploit uncovered in the same week.
How did the CVE-2020-17087 bug work, exactly?
Zero-day Exploit Revealed by Google Project Zero Team
As the name indicates, this team focuses mainly on studying zero-day attacks.
And this one was exactly that. Here’s how it worked:
Attackers were able to escape Chrome’s sandbox and then attack the underlying OS. The companion Chrome flaw resided in the FreeType font-rendering library.
The bug report published on Friday claimed:
“[Cng.sys] exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures.”
“We have identified a vulnerability in the processing of IOCTL 0x390400, reachable through [a] series of calls.”
A function inside the Windows Kernel Cryptography Driver (cng.sys), reachable through an IOCTL, can be made to allocate a buffer that is smaller than the input actually requires.
The driver then converts the input into hexadecimal text, and that conversion writes past the end of the undersized buffer, corrupting kernel memory. This memory corruption is what lets an attacker gain code execution on the system, well beyond the limits of the sandbox.
The team published a proof-of-concept exploit to show how easily the bug can be triggered. They explained:
“The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue.”
“The integer overflow occurs in line 2, and if SourceLength is equal to or greater than 0x2AAB, an inadequately small buffer is allocated from the NonPagedPool in line 3. It is subsequently overflown by the binary-to-hex conversion loop in lines 5-10 by a multiple of 65536 bytes.”
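To make the mechanism described in the two quotes above and in the paragraph before them concrete, here is an added example written for this page; it is not code from Project Zero, Microsoft or cng.sys. It models a binary-to-hex routine whose output size is held in a 16-bit integer, next to a hardened version that computes the size in full width and bounds-checks before allocating or writing. The expansion factor of 6 output bytes per input byte (three UTF-16 code units, "XX ") is an assumption, chosen because it is the smallest expansion for which 0x2AAB is the first length that no longer fits in 16 bits (0x2AAB * 6 = 0x10002), matching the quoted threshold; the truncating path only reports the size mismatch and performs no out-of-bounds write.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption (not stated in the report): each input byte is rendered as three
 * UTF-16 code units "XX ", i.e. 6 output bytes. With this factor 0x2AAB is the
 * first input length whose product exceeds 0xFFFF: 0x2AAB * 6 = 0x10002. */
#define UNITS_PER_BYTE 3
#define OUT_BYTES_PER_BYTE (UNITS_PER_BYTE * sizeof(uint16_t))

/* The bug class quoted from the report: the product is stored in a 16-bit
 * integer and silently wraps. Returns the size the buggy code would allocate. */
uint16_t truncated_alloc_size(size_t source_length)
{
    return (uint16_t)(source_length * OUT_BYTES_PER_BYTE);
}

/* The number of bytes a conversion loop that iterates over the full input
 * actually writes, independent of the truncated allocation. */
size_t bytes_written_by_loop(size_t source_length)
{
    return source_length * OUT_BYTES_PER_BYTE;
}

/* How far past the undersized buffer the loop would run (0 when it fits). */
size_t overflow_amount(size_t source_length)
{
    size_t need = bytes_written_by_loop(source_length);
    size_t got = truncated_alloc_size(source_length);
    return need > got ? need - got : 0;
}

/* Hardened size computation: full-width arithmetic, an explicit overflow
 * check, and a caller-supplied cap. Only on success is a size handed back. */
bool checked_alloc_size(size_t source_length, size_t max_out, size_t *out)
{
    if (source_length > SIZE_MAX / OUT_BYTES_PER_BYTE)
        return false;                        /* multiplication would wrap */
    size_t need = source_length * OUT_BYTES_PER_BYTE;
    if (need > max_out)
        return false;                        /* larger than policy allows */
    *out = need;
    return true;
}

/* Convenience wrapper: does the hardened path accept this length and cap? */
bool hardened_accepts(size_t source_length, size_t max_out)
{
    size_t unused;
    return checked_alloc_size(source_length, max_out, &unused);
}

/* Bounds-checked binary-to-hex conversion: the loop is gated by the real
 * capacity of dst, never by a separately (and possibly wrongly) computed
 * length. Returns code units written, or 0 if dst cannot hold the output. */
size_t hex_encode_utf16(const uint8_t *src, size_t src_len,
                        uint16_t *dst, size_t dst_cap_bytes)
{
    static const char digits[] = "0123456789ABCDEF";
    size_t need;
    if (!checked_alloc_size(src_len, dst_cap_bytes, &need))
        return 0;
    size_t units = 0;
    for (size_t i = 0; i < src_len; i++) {
        dst[units++] = (uint16_t)digits[src[i] >> 4];
        dst[units++] = (uint16_t)digits[src[i] & 0x0F];
        dst[units++] = (uint16_t)' ';
    }
    return units;
}

/* Self-check on constructed input: "DE AD " must come out exactly, and a
 * buffer one code unit too small must be rejected, not partially written. */
int hex_encode_selftest(void)
{
    const uint8_t sample[] = { 0xDE, 0xAD };     /* constructed input */
    const char *expect = "DE AD ";
    uint16_t out[6];
    if (hex_encode_utf16(sample, sizeof sample, out, sizeof out) != 6)
        return 0;
    for (size_t i = 0; i < 6; i++)
        if (out[i] != (uint16_t)expect[i])
            return 0;
    uint16_t small[5];
    if (hex_encode_utf16(sample, sizeof sample, small, sizeof small) != 0)
        return 0;
    return 1;
}

int main(void)
{
    size_t len = 0x2AAB;   /* the threshold quoted in the report */
    printf("source_length=0x%zX: truncated alloc=%u bytes, loop writes=%zu bytes, overrun=%zu bytes\n",
           len, (unsigned)truncated_alloc_size(len),
           bytes_written_by_loop(len), overflow_amount(len));
    printf("hardened path accepts 0x%zX with a 64 KiB cap: %s\n",
           len, hardened_accepts(len, 0x10000) ? "yes" : "no");
    return 0;
}
```

At the quoted threshold the truncated allocation is 2 bytes while the loop writes 0x10002 bytes, an overrun of exactly 65536 bytes, which is the "multiple of 65536" the report mentions; one byte less input (0x2AAA) still fits in 16 bits and does not overflow. The hardened path rejects the request outright instead of allocating an undersized buffer.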
As you can imagine, it worked. The proof of concept was run on Windows 10 (1903, 64-bit), but the team claims the bug also affects systems before Windows 7.
Project Zero notes how reliably the corruption shows up:
“A crash is easiest to reproduce with Special Pools enabled for cng.sys, but even in the default configuration the corruption of 64kB of kernel data will almost surely crash the system shortly after running the exploit.”
So far, the motives of those exploiting this zero-day vulnerability are unclear. Shane Huntley (Google’s Director of Threat Intelligence) confirmed the activity was “targeted” and not related to the U.S. elections, as many had suspected.
Although the team normally discloses vulnerabilities after a 90-day window for the vendor to make a fix available, on this occasion it gave Microsoft a seven-day window to fix the issue before announcing it publicly.
The real problem is that the bug is still unpatched, and Microsoft has not offered guidance on mitigating it until the patch is released. The only statement so far came from a company representative, who said “there’s no evidence of a bug being widely exploited right now.”
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers. While we work to meet all researchers’ deadlines for disclosures, including short-term deadlines like in this scenario, developing a security update is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”
The spokesperson added: “the ‘attack’ is very limited and targeted in nature, and we have seen no evidence to indicate widespread usage.”
Google expects Microsoft to issue the patch on November 10 (the second Tuesday of the month, Microsoft’s regular Patch Tuesday, when accumulated fixes are released).