A new code-injection technique, which cannot be patched, has been found in Microsoft Windows. Researchers say it can be used to bypass current malware-protection products.
“Unfortunately this issue cannot be patched since it doesn’t rely on broken or flawed code — rather it’s a flaw in how these operating system mechanisms are designed,” enSilo researcher Tal Liberman wrote in a report published on October 27th.
Dubbed “AtomBombing”, the technique abuses Windows’ atom table mechanism. An atom table stores strings: an application adds a string to the table and receives back a 16-bit integer, the atom, which identifies that string and can later be used by any process with access to the same table to look it up again.
Windows provides several atom tables for different purposes. For instance, the global atom table can be used to share data between different DDE (Dynamic Data Exchange) applications.
“Rather than passing actual strings, a DDE application passes global atoms to its partner application. The partner uses the atoms to obtain the strings from the atom table,” explains Microsoft’s own documentation.
According to enSilo, an attacker can write malicious code into the global atom table and then make a legitimate program retrieve it. In the published proof of concept this is done with an asynchronous procedure call (APC) that forces a thread in the target process to call GlobalGetAtomName, so the legitimate process itself copies the attacker’s bytes into its own address space.
“We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code,” Liberman added.
As a result, the malicious code is transferred from the malware into a legitimate process and runs there. Security products that work by blacklisting and blocking known-bad applications typically trust known legitimate processes, so code executing inside one of them is not blocked.
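The data-sharing step that AtomBombing builds on, as an added example that is not code from the enSilo report: one process puts a string into the global atom table and only hands a second process the 16-bit atom number; the second process recovers the full string with GlobalGetAtomNameW. The P/Invoke wrapper class `AtomApi`, the helper `Get-AtomString` and the payload string are this example’s own constructions; it assumes Windows with PowerShell 5.1 (`powershell.exe`) and that the script is saved as a `.ps1` file so it can re-launch itself as the “target” process. It demonstrates only the shared-table mechanism, not the APC and execution steps of the actual attack.

```powershell
param(
    # When non-zero, this invocation plays the "target" process: it only knows
    # the atom number and reads the string back from the global atom table.
    [uint16]$ReadAtom = 0
)

# P/Invoke signatures for the Win32 global atom table (all exported by kernel32.dll).
# Wrapper class name is this example's own choice.
if (-not ([System.Management.Automation.PSTypeName]'AtomApi').Type) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class AtomApi {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern ushort GlobalAddAtomW(string lpString);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GlobalGetAtomNameW(ushort nAtom, StringBuilder lpBuffer, int nSize);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern ushort GlobalDeleteAtom(ushort nAtom);
}
'@
}

function Get-AtomString([uint16]$Atom) {
    # Atom strings are limited to 255 characters, so a 256-char buffer suffices.
    $buf = New-Object System.Text.StringBuilder 256
    $len = [AtomApi]::GlobalGetAtomNameW($Atom, $buf, $buf.Capacity)
    if ($len -eq 0) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GlobalGetAtomNameW failed for atom $Atom (Win32 error $err)"
    }
    return $buf.ToString(0, [int]$len)
}

if ($ReadAtom -ne 0) {
    # "Target" side. In AtomBombing this is the call the attacker forces a thread
    # of the legitimate process to make, so that process copies the
    # attacker-controlled string into its own memory.
    $text = Get-AtomString $ReadAtom
    Write-Output ("[pid {0}] read atom 0x{1:X4}: '{2}'" -f $PID, $ReadAtom, $text)
    exit 0
}

# "Attacker" side: store a string in the global atom table. The table keeps the
# string and returns a 16-bit atom. (Constructed payload for the demo; the real
# technique stores the bytes of a code payload here.)
$payload = "CONSTRUCTED-PAYLOAD-FROM-PID-$PID"
$atom = [AtomApi]::GlobalAddAtomW($payload)
if ($atom -eq 0) { throw "GlobalAddAtomW failed" }
Write-Output ("[pid {0}] added atom 0x{1:X4} -> '{2}'" -f $PID, $atom, $payload)

try {
    # Launch a separate process that receives only the atom number, never the
    # string, and let it read the string back through the shared global table.
    & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath -ReadAtom $atom
} finally {
    # Global atoms are reference counted; release the one added above.
    [void][AtomApi]::GlobalDeleteAtom($atom)
}
```

Both processes must belong to the same session, since the global atom table is per session; that is also why, in the attack, the code has to be pulled in by a process the malware shares a session with. Nothing here executes the string: turning the retrieved bytes into running code is the separate step the report describes only in outline.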
Liberman explains that this is why code injection is attractive to attackers: it can be used “to bypass security products, hide from the user, and extract sensitive information that would otherwise be unattainable.”
Liberman also gives two examples of how AtomBombing can be used to gain access to context-specific data. The first is taking screenshots: a process can only capture the screen from within the context of the user’s desktop.
Malware, on the other hand, usually cannot take screenshots, because it typically ends up running on the services desktop. With AtomBombing, the attacker can inject code from the services desktop into a process that is already running on the user’s desktop; that process takes the screenshot and passes it back to the malware on the services desktop.
The second example is access to encrypted passwords. Chrome, for instance, uses the Windows Data Protection API (DPAPI), whose keys are derived from the current user’s logon credentials, to encrypt the user’s stored passwords. Decrypting them therefore also has to be done from within that user’s context, and AtomBombing makes that possible.
“If the malware injects code into a process that’s already running in the context of the current user,” explains Liberman, “the plain-text passwords can be easily accessed.”
Because this is how Windows is designed to work, AtomBombing cannot be patched away, and the defence has to come from elsewhere: monitoring API calls and cross-process behaviour (for example, one process queueing APCs into the threads of another) rather than relying on a list of trusted processes.