Google’s Project Zero released details of a local proof-of-concept attack against a fully patched Windows 10 PC that allows an adversary to execute untrusted JavaScript outside a sandboxed environment on targeted systems.
The attack is a variation of a WPAD/PAC attack. In Project Zero’s case, the attack chains together several vulnerabilities relating to PAC and Microsoft’s JScript.dll file to gain remote command execution on a victim’s machine.
“We identified 7 security vulnerabilities in (JScript.dll) and successfully demonstrated reliable code execution from local network (and beyond) against a fully patched (at the time of writing) Windows 10 64-bit with Fall Creators Update installed,” wrote Project Zero researchers on the team’s website Monday.
The vulnerabilities have since been patched.
Web Proxy AutoDiscovery (WPAD) protocol attacks are tied to how browsers use PAC (Proxy Auto-Configuration) to route HTTP and HTTPS requests. PAC files contain JavaScript that tells a browser which proxy to use to reach a specific URL. A malicious PAC file introduced to the browser allows an attacker to monitor the URL of every request the browser makes.
Previous researchers have found holes in WPAD ranging from an “UNHOLY PAC” attack identified by SafeBreach to a man-in-the-middle attack technique identified by Context Information Security. The technique allowed an attacker to see the entire URL of every site visited even if the traffic is protected with HTTPS encryption.
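The PAC mechanism described above, as an added example (not code from Project Zero or the other researchers named here): a small Node.js audit that runs a PAC `FindProxyForURL` function over sample URLs and flags any proxy it returns that is not on an approved list. The PAC body, hostnames, addresses and allowlist are constructed for illustration.

```javascript
// Constructed sample PAC logic. A PAC file defines this entry point, and the
// client calls it with the URL and host of each request it is about to make.
function FindProxyForURL(url, host) {
  if (host === "localhost" || host.endsWith(".corp.example")) return "DIRECT";
  if (url.startsWith("https:")) return "PROXY proxy.corp.example:8080; DIRECT";
  return "PROXY 203.0.113.7:3128"; // endpoint missing from the allowlist below
}

// Hypothetical allowlist of proxy endpoints the organisation has approved.
const APPROVED = new Set(["proxy.corp.example:8080"]);

// Constructed sample URLs to feed through the PAC logic.
const SAMPLE_URLS = [
  "http://intranet.corp.example/wiki",
  "https://mail.example.org/inbox?token=abc",
  "http://news.example.net/story",
];

// Split a PAC return string such as "PROXY a:8080; DIRECT" into directives.
function parseDirectives(result) {
  return String(result)
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((d) => {
      const [type, endpoint = null] = d.split(/\s+/);
      return { type: type.toUpperCase(), endpoint };
    });
}

// Run the PAC function for every URL and collect each non-DIRECT directive
// whose endpoint is not approved. Only pass in PAC logic you already trust:
// this harness executes it, it does not sandbox it.
function auditPac(pacFn, urls, approved) {
  const findings = [];
  for (const url of urls) {
    const host = new URL(url).hostname;
    for (const d of parseDirectives(pacFn(url, host))) {
      if (d.type !== "DIRECT" && !approved.has(d.endpoint)) {
        findings.push({ url, directive: `${d.type} ${d.endpoint}` });
      }
    }
  }
  return findings;
}

console.log(auditPac(FindProxyForURL, SAMPLE_URLS, APPROVED));
```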
Google’s Project Zero team took WPAD/PAC attacks a step further.
“As far as we know, this is the first time that an attack against WPAD is demonstrated that results in the complete compromise of the WPAD user’s machine,” researchers said.
What Project Zero researchers identified was a new attack vector that directly attacks the Windows JScript engine that interprets the JavaScript PAC files, commented Paul Stone, security consultant at Context Information Security. “This is a much more powerful and technically complex attack,” he said.
Project Zero’s focus was on identifying new vulnerabilities in the version of JScript.dll used by the WPAD service: CVE-2017-11810, CVE-2017-11903, CVE-2017-11793, CVE-2017-11890, CVE-2017-11907, CVE-2017-11855 and CVE-2017-11906.
Five of the vulnerabilities outlined by Project Zero on Monday were patched last week as part of Microsoft’s Patch Tuesday. The additional two were patched in October by Microsoft.
“In recent years, browser exploits have mutated from being primarily DOM-oriented to targeting Javascript engines directly, so the mere mention that we can get Javascript execution over the network without the browser was motivating,” wrote co-authors of the Project Zero report Ivan Fratric, Thomas Dullien, James Forshaw and Steven Vittitoe.
Researchers chained two specific JScript bugs (an infoleak and a heap overflow) and leveraged several other techniques (such as return-oriented programming) to bypass Windows security mitigations. Next, researchers used a privilege escalation technique to move from the Local Service account (where the WPAD service runs, but doesn’t have many permissions) to SYSTEM, according to an analysis of the technique by Stone.
“The chain requires all its links in order to work, but still, in my opinion the memory read primitive (out-of-bounds read) is the enabler to all the other steps, and has usability beyond this particular chain,” said Amit Klein, vice president of security research at SafeBreach.
Although Microsoft has patched against this type of attack, Project Zero researchers agree with Klein’s assessment.
“Since the bugs are now fixed, does this mean we are done and can go home? Unlikely. Although we spent a fair amount of time, effort and compute power on finding jscript.dll bugs, we make no claims that we found all of them. In fact, where there are 7 bugs, there is likely to be an 8th,” Project Zero researchers wrote.
Researchers recommend Microsoft users disable WPAD by default and sandbox the JScript interpreter inside the WPAD service.
Researchers point out that Windows isn’t the only software that implements WPAD. However, other implementations in other operating systems don’t enable it by default. They also note, “Google Chrome also has a WPAD implementation, but in Chrome’s case, evaluating the JavaScript code from the PAC file happens inside a sandbox.”