Researchers claim a programming error in the Microsoft Windows kernel cracks the door open for malicious executables to bypass security software. The
Researchers claim a programming error in the Microsoft Windows kernel cracks the door open for malicious executables to bypass security software. The flaw, according to security firm EnSilo, has been present on previous versions of Windows dating back to Windows 2000 and can be found on Windows 10 as well.
“The bug is a programming error in the Windows kernel that could prevent security vendors from identifying which modules have been loaded at runtime,” said Omri Misgav, a security researcher at EnSilo.
Researchers found the error within the application protocol interface “PsSetLoadImageNotifyRoutine” which notifies module loading. In certain instances, a specially crafted malicious executable file that utilizes this API could fail to trigger warnings and inspection of the file by endpoint security software protecting the targeted PC.
“In order for security software to protect a system, it needs to know what file is being loaded and whether it should be stopped,” Misgav said. “Because of this bug, sometimes the OS doesn’t give accurate information about what is happening and could let a malicious file or command inadvertently enter the system.”
In response to the claim, Microsoft issued the following brief statement to Threatpost: “Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update.”
EnSilo doesn’t consider the PsSetLoadImageNotifyRoutine API bug a vulnerability, per se.
“An attacker first has to gain a foothold on a machine so that it can force the operating system to manifest the bug,” Misgav said. In one scenario, the programming error could be leveraged in conjunction with an injection type of attack similar to Process Hollowing and AtomBombing.
Once a system is under attack, this API can be abused in a way to further facilitate a system compromise. “You can use this technique to trick the security vendor to mis-scan a file and download other malicious files,” Misgav said.
In a technical analysis of the bug by EnSilo posted Tuesday, researchers said they spotted the programming error after registering a notification routine with PsSetLoadImageNotifyRoutine. The loaded PE images with the Windows kernel generated the notification: “the callback may receive invalid image names.”
“After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself,” researchers wrote.
“At first glance, we noticed that while we do get the full path of the process executable file and constant values for system DLLs (that are missing the volume name), for the rest of the dynamically loaded user-mode PEs the paths provided are missing the volume name,” researchers wrote. “What’s more alarming is that not only does that path come without the volume name, sometimes the path is completely malformed, and could point to a different or non-existing file.”
PsSetLoadImageNotifyRoutine, is a mechanism that notifies registered drivers, from various parts in the kernel, when a PE image file has been loaded to virtual memory.
The end result? “What we found in many scenarios is the operating system doesn’t give the (security) vendor the right information about the file. The implication of that is the security vendor cannot scan the real file or doesn’t know which one is the real file to scan,” Misgav told Threatpost.
Ensilo dug deeper, and found that Microsoft’s own Microsoft Developer Network documentation fell short of explaining this kernel behavior.
“According to MSDN, the description of FullImageName implies it is the path of the file on disk since it ‘identifies the executable image file.’ There is no mention of these invalid or non-existing paths,” researchers wrote.
EnSilo researchers said they have been in contact with Microsoft regarding the coding bug and claim Microsoft notified them it has no plans to update its kernel code. Microsoft told EnSilo researchers that since the bug requires a targeted system to have some type of preexisting compromise it will not “fix” that type of unanticipated vulnerability.
“From our investigation and reviewing forums, we are pretty sure Microsoft was made aware of this at least 10 years ago,” Misgav said.
“At this point we were sure we figured out what causes the problem though what eluded us was how can it be that this bug still exists? And there’s no obvious solution for it?” EnSilo researchers wrote.