Google Project Zero writes that one of Microsoft's patches, released earlier this week as part of "update Tuesday", was ineffective: the Windows Local Security Authority Subsystem Service (LSASS) privilege escalation issue remains a problem.
The vulnerability in question has the identifier CVE-2020-1509 and was discovered in May of this year by Google Project Zero expert James Forshaw. The bug can be exploited using specially crafted authentication requests; to exploit it successfully, an attacker needs to know valid credentials in advance.
In the spring, the researcher explained that the problem is related to a deprecated AppContainer capability that provides access to the Security Support Provider Interface (SSPI), probably intended to facilitate the deployment of business applications in corporate environments. Authentication should therefore be authorized only if the target specified in the call is a proxy. But Forshaw found that authentication was allowed even if the network name did not match the registered proxy.
This meant that an attacker could authenticate to network resources and bypass defenses such as SPN verification and SMB signing. As a result, the attacker could even gain access to localhost services, albeit with some caveats.
In May, Forshaw published a PoC exploit for this issue, demonstrating how an application can gain elevated privileges using this bug.
Now Forshaw warns that the patch for CVE-2020-1509 released this week was ineffective. According to the expert, an attack on the vulnerability is still possible if a configured proxy is present on the system. Moreover, the original exploit still works: one just has to manually add a proxy server in the settings and meet a number of conditions.
“In corporate environments, (proxy) is most likely the norm, which means this is a very serious problem there,” the researcher writes.