Further investigation indicates the real culprit (although the analysis still
stands). It seems that all the process creation is handled through the Unified
Background Process Manager (ubpm.dll) on Windows 8.1 at least. This has a
function, UbpmFileAccessCheck, that's called from UbpmCreateProcessSuspended,
which presumably is to check that the token can access the target process file.
Instead it checks the task file; as we created the task file, this will pass and
continue on to creating the process. Perhaps this is actually by design; it's
hard to tell.
As an aside, the CreateProcessAsUser function is also only passed a command line
with no executable path. Therefore quote-escaping tricks might apply to any fix
applied to verify the original path.
Original comment by fors...@google.com
on 11 Nov 2014 at 2:15
Original comment by fors...@google.com
on 12 Nov 2014 at 10:52
Correspondence Date: 11 Dec 2014
< Microsoft indicate that they've had difficulty reproducing it from the PoC,
stating that the detailed write-up was not included in the original report.
They ask for further details.
> The original write-up is sent to Microsoft, as it seems that the details might
not have been provided originally.
Original comment by fors...@google.com
on 13 Jan 2015 at 2:18
Correspondence Date: 16 Dec 2014
> Microsoft indicate that the additional information is as they expected and
ask for an extension to the deadline.
Original comment by fors...@google.com
on 13 Jan 2015 at 2:21
Correspondence Date: 14 Jan 2015
< Informed Microsoft that we're willing to extend the deadline 30 days in this
situation because we had apparently not provided a writeup. This corresponds
with the time it took for them to get back to us informing us of the mistake.
Requested that they in future inform us immediately if such information is
missing as it should be expected that we would provide these details in order
to maximize the chances of remediation of the issue for user security.
Requested confirmation of this offer.
Original comment by fors...@google.com
on 14 Jan 2015 at 11:15
Updating reported date to reflect adjusted timescales as requested by Microsoft
Original comment by fors...@google.com
on 16 Jan 2015 at 1:15
Fixed in bulletin https://technet.microsoft.com/library/security/MS15-028
Original comment by fors...@google.com
on 10 Mar 2015 at 7:09
Original comment by fors...@google.com
on 17 Mar 2015 at 2:06
Original issue reported on code.google.com by
fors...@google.com
on 11 Nov 2014 at 10:11