Recently, researchers at Orange Cyberdefense’s SCRT Team have uncovered a new exploit in Microsoft’s security system that allows threat actors to bypass LSASS protection. This exploit, named “BYOVDLL” (Bring Your Own Vulnerable DLL), poses a significant threat to the security of Microsoft systems.
This discovery follows Microsoft’s July 2022 patch for a well-known PPL bypass originally found by Alex Ionescu and James Forshaw. That flaw allowed protection to be circumvented without kernel code execution, and the patch broke the PPLdump PoC that relied on it.
In October 2022, Gabriel Landau disclosed that the supposedly patched vulnerability could still be reached through the “Bring Your Own Vulnerable DLL” method: an older, still-signed but vulnerable DLL is loaded in place of the fixed one. With this method PPLdump ran again without any modification, exposing a critical gap in Microsoft’s fix.
The demonstration of this technique has raised concerns about arbitrary code execution in protected processes via other DLLs, and it shows how hard it is for Microsoft to patch such vulnerabilities effectively: fixing the current binary does not help if an older vulnerable build of the same component can still be loaded.
LSASS, which runs as a Protected Process Light (PPL), is a prime target for threat actors looking to extract credentials from memory, and it exposes a larger attack surface than other protected processes. Exploiting two serious vulnerabilities in the KeyIso service hosted inside LSASS required loading vulnerable versions of keyiso.dll and ncryptprov.dll into the process.
To exploit these vulnerabilities, the researchers had to manipulate registry settings, extract and sign the DLLs, and register a custom Key Storage Provider, all without a system reboot. This method effectively bypassed Windows’ protection of LSASS, underscoring how fragile the boundary between a protected process and an attacker with administrative access remains.
The successful execution of this exploit highlights the ongoing difficulty of defending critical system processes against sophisticated attacks, particularly those aimed at stealing credentials from supposedly protected processes. By loading vulnerable versions of keyiso.dll and ncryptprov.dll into LSASS, the researchers were able to execute arbitrary code inside a protected process.
Because PPL prevents unsigned DLLs from loading, the researchers replaced the LoadLibraryW call in their proof of concept with OutputDebugStringW, so that execution could be confirmed through DebugView. Restarting the KeyIso service and registering the custom Key Storage Provider was enough to get the proof-of-concept code to run.
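From a defender’s side, the tell-tale sign of this technique is one of the two DLLs named above being loaded into lsass.exe from an unexpected path or with an older file version than the patched build. The following detector is an added example, not code from the article or from the SCRT research; it walks over constructed image-load events in a simplified Sysmon-like shape, and the baseline version numbers are placeholders that a real deployment would take from a known-good patched host.

```python
from dataclasses import dataclass

# ASSUMED placeholder baselines: the lowest file version considered patched.
# Replace with values read from a known-good host of the same Windows build.
BASELINE = {
    "keyiso.dll": (10, 0, 22621, 2000),
    "ncryptprov.dll": (10, 0, 22621, 2000),
}
LSASS = r"c:\windows\system32\lsass.exe"
EXPECTED_DIR = r"c:\windows\system32"


@dataclass
class Finding:
    dll: str
    path: str
    reason: str


def parse_version(text):
    """'10.0.22621.1105' -> (10, 0, 22621, 1105) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def check_event(event):
    """Return a Finding if a watched DLL loaded into lsass.exe looks wrong, else None."""
    if event["Image"].lower() != LSASS:
        return None                       # only LSASS image loads matter here
    loaded = event["ImageLoaded"]
    directory, _, name = loaded.rpartition("\\")
    name = name.lower()
    if name not in BASELINE:
        return None                       # not one of the KeyIso-related DLLs
    if directory.lower() != EXPECTED_DIR:
        return Finding(name, loaded, "loaded from outside System32")
    if parse_version(event["FileVersion"]) < BASELINE[name]:
        return Finding(name, loaded, "older than baseline (possible BYOVDLL)")
    return None


def scan(events):
    """Run check_event over a list of events and keep only the findings."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample events: one clean load, one downgraded DLL, one DLL
# loaded from a scratch directory, and one load by a non-LSASS process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\lsass.exe", "ImageLoaded": r"C:\Windows\System32\keyiso.dll", "FileVersion": "10.0.22621.2506"},
    {"Image": r"C:\Windows\System32\lsass.exe", "ImageLoaded": r"C:\Windows\System32\ncryptprov.dll", "FileVersion": "10.0.22621.1105"},
    {"Image": r"C:\Windows\System32\lsass.exe", "ImageLoaded": r"C:\Temp\keyiso.dll", "FileVersion": "10.0.22621.2506"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Temp\keyiso.dll", "FileVersion": "10.0.19041.1"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Path and version checks are the useful signals here: a signature check alone does not distinguish an old Microsoft-signed build from the current one.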
While the exploit shown in this demonstration only displayed a debug message, it sets a dangerous precedent for more sophisticated exploitation inside protected processes. Bringing your own vulnerable DLL has the potential to reintroduce already-patched, high-severity vulnerabilities such as CVE-2023-36906 and CVE-2023-28229 and exploit them on a fully updated system, which poses a significant threat to Microsoft systems.
Overall, the discovery of the “BYOVDLL” exploit serves as a stark reminder of the ongoing challenges in maintaining system security in the face of evolving cyber threats. Microsoft and other organizations must remain vigilant in addressing vulnerabilities and implementing robust security measures to protect against sophisticated attacks.
