Interesting CryptoAPI weakness (not security vulnerability)

harkaz
Posts: 693
Joined: Fri Nov 16, 2012 10:23 am
Location: GR
Contact:

Post by harkaz » Thu Sep 08, 2016 2:15 pm

This is an interesting find I reported to MSRC. It can have a security impact and can be used in local attacks. It requires administrative privileges for system-wide impact and, for this reason, MSRC does not consider this to be a valid security vulnerability. Nevertheless, it would be useful to know about its existence. I believe that Microsoft will eventually prepare a patch for it, but I don't know when (they haven't informed me about a patch schedule only that they appreciate my report).

It's possible to freeze digital signature verification in an infinite loop. This can severely affect many secure communications, UAC, AppLocker and AV software. Most antivirus software will fail to detect even known malware.
In addition, integrity-monitoring software may become unresponsive.

The least privilege principle is a must to avoid this flaw. Avoid executing installers and/or using programs/files from people you don't trust.

Video: https://www.youtube.com/watch?v=d1ty35N1ay0
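
An added example, not part of harkaz's post and not Microsoft code: since the post describes signature verification getting stuck in an infinite loop, any caller that depends on CryptoAPI (an integrity monitor, a deployment or allow-listing script) should not block on it indefinitely. The PowerShell below runs Get-AuthenticodeSignature (which wraps WinVerifyTrust) in a background job with a watchdog timeout and reports a verification that never returns as its own untrusted status instead of hanging the caller. The function name, the 10-second budget and the scan path are assumptions chosen for illustration; this contains the impact on the caller and neither fixes nor reproduces the underlying weakness.

```powershell
# Added example (not from the original post): verify a file's Authenticode
# signature under a watchdog so that a hung verification fails closed rather
# than stalling the calling process. Assumes the hang described in the post
# shows up as Get-AuthenticodeSignature (WinVerifyTrust) never returning.
function Test-SignatureWithTimeout {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$TimeoutSeconds = 10   # assumed budget; raise it for very large files
    )

    # Run the verification in a separate PowerShell job so that a hang inside
    # CryptoAPI is confined to the job rather than the caller.
    $job = Start-Job -ScriptBlock {
        param($p)
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Status     = $sig.Status.ToString()
            Subject    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        }
    } -ArgumentList $Path

    # Wait-Job returns nothing when the timeout elapses before the job finishes.
    $finished = Wait-Job -Job $job -Timeout $TimeoutSeconds

    if (-not $finished) {
        # Fail closed: a verification that never returns is reported as its own
        # status, distinct from NotSigned/HashMismatch, and treated as untrusted.
        Stop-Job -Job $job
        Remove-Job -Job $job -Force
        return [pscustomobject]@{
            Path       = $Path
            Status     = 'VerificationTimedOut'
            Subject    = $null
            Thumbprint = $null
            Trusted    = $false
        }
    }

    $result = Receive-Job -Job $job
    Remove-Job -Job $job -Force

    [pscustomobject]@{
        Path       = $Path
        Status     = $result.Status
        Subject    = $result.Subject
        Thumbprint = $result.Thumbprint
        Trusted    = ($result.Status -eq 'Valid')
    }
}

# Usage: scan a directory (assumed path) and surface timeouts and bad signatures.
Get-ChildItem -Path 'C:\Program Files\Example' -Recurse -Include *.exe, *.dll |
    ForEach-Object { Test-SignatureWithTimeout -Path $_.FullName } |
    Where-Object { -not $_.Trusted } |
    Format-Table Path, Status, Subject -AutoSize
```

A timed-out verification is logged separately from an ordinary invalid signature because the two mean different things operationally: the former points at the machine's CryptoAPI state, the latter at the file. Treating both as untrusted keeps the caller from silently allow-listing a file it could not actually verify.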

GH0st
Posts: 530
Joined: Wed Nov 05, 2014 9:31 am
Location: Virginia, USA

Post by GH0st » Thu Sep 08, 2016 6:31 pm

Thank you!

Dibya
Posts: 455
Joined: Sat Sep 12, 2015 9:34 am
Location: India

Post by Dibya » Thu Sep 08, 2016 10:51 pm

Thanks Harkaz.
Anyway, nowadays MS people aren't doing a good job. I don't know why.

poolside

Re: Interesting CryptoAPI weakness (not security vulnerability)

Post by poolside » Fri Sep 16, 2016 3:10 pm

harkaz wrote: This is an interesting find I reported to MSRC. It can have a security impact and can be used in local attacks. It requires administrative privileges for system-wide impact and, for this reason, MSRC does not consider this to be a valid security vulnerability. Nevertheless, it would be useful to know about its existence. I believe that Microsoft will eventually prepare a patch for it, but I don't know when (they haven't informed me about a patch schedule only that they appreciate my report).

It's possible to freeze digital signature verification in an infinite loop. This can severely affect many secure communications, UAC, AppLocker and AV software. Most antivirus software will fail to detect even known malware.
In addition, integrity-monitoring software may become unresponsive.

The least privilege principle is a must to avoid this flaw. Avoid executing installers and/or using programs/files from people you don't trust.

Video: https://www.youtube.com/watch?v=d1ty35N1ay0

Sell it to Zerodium?

Dibya
Posts: 455
Joined: Sat Sep 12, 2015 9:34 am
Location: India

Post by Dibya » Sat Sep 17, 2016 10:15 am

Harkaz, sell it to Zerodium. They will give 3000 dollars.

harkaz
Posts: 693
Joined: Fri Nov 16, 2012 10:23 am
Location: GR
Contact:

Post by harkaz » Sun Sep 18, 2016 1:10 pm

Nobody will buy that right now, since it is disclosed. If they'd like to use it and the vendor does not patch it, they are free to go.

Besides that, white and gray markets are not interested in DoS 'exploits' (particularly one that requires admin privileges). From a security perspective, it is only useful for malware authors (to increase stealth while in user mode), but something like that would only sell in the black market for a few bucks (unless combined with a full exploit chain, which would raise the price considerably). Selling in the black market can be rather dangerous, so not really an option.

The only party with a potentially strong interest would be AV companies. I haven't contacted one yet, however.

Dibya
Posts: 455
Joined: Sat Sep 12, 2015 9:34 am
Location: India

Post by Dibya » Mon Sep 19, 2016 10:35 pm

Denial of Service is hell
